There's a lot of stuff we need to do to make macaroon tokens work well in flyctl:
This was complicated further by wanting to keep tokens in sync between the flyctl agent and any foreground processes. Long-running commands were also winding up with expired tokens because we were only doing a lot of this work when the command started.
This PR centralizes all of this logic and runs it both in foreground flyctl processes as well as in the background agent. When flyctl makes changes to its set of tokens, it writes those back to the config file (so long as flyctl wasn't started with `FLY_AUTH_TOKEN`). This should allow everything to stay nicely up to date and synced between processes.
There was also some annoyance (/cc @jipperinbham) when running commands with `FLY_AUTH_TOKEN`. The background agent and foreground commands would often end up running with a different set of tokens and one or the other would run into authorization errors. I'm adding a new `set-token` RPC to the fly agent in this PR. Clients send this command before sending other commands, letting the agent know what tokens to use for the session.
This PR depends on superfly/fly-go#34
TODO:
- Make sure `send-token` command fails nicely when sent to old agent. Checked old agent + new flyctl and vice versa.
- `personal` orgs when using different tokens.
- `ValidateWireGuardPeers` mutation in web. That might make the agent work better when using `FLY_AUTH_TOKEN`.
PS: There's been a lot of churn in the tokens code in flyctl. Sorry about that. I'd been trying to avoid writing this big PR, but half measures weren't cutting it.