Watch model's cloud credential for validity.

api/credentialvalidator/credentialvalidator.go

@@ -59,7 +59,7 @@ func (c *Facade) ModelCredential() (base.StoredCredential, bool, error) {
 func (c *Facade) WatchCredential(credentialID string) (watcher.NotifyWatcher, error) {
 	in := names.NewCloudCredentialTag(credentialID).String()
 	var result params.NotifyWatchResult
-	err := c.facade.FacadeCall("WatchCredential", in, &result)
+	err := c.facade.FacadeCall("WatchCredential", params.Entity{in}, &result)
 	if err != nil {
 		return nil, errors.Trace(err)
 	}

apiserver/facades/agent/credentialvalidator/credentialvalidator.go

@@ -1,5 +1,6 @@
 // Copyright 2018 Canonical Ltd.
 // Licensed under the AGPLv3, see LICENCE file for details.
+
 package credentialvalidator
 
 import (
@@ -17,7 +18,7 @@ var logger = loggo.GetLogger("juju.api.credentialvalidator")
 // CredentialValidator defines the methods on credentialvalidator API endpoint.
 type CredentialValidator interface {
 	ModelCredential() (params.ModelCredential, error)
-	WatchCredential(string) (params.NotifyWatchResult, error)
+	WatchCredential(params.Entity) (params.NotifyWatchResult, error)
 }
 
 type CredentialValidatorAPI struct {
@@ -44,20 +45,17 @@ func internalNewCredentialValidatorAPI(backend Backend, resources facade.Resourc
 	}, nil
 }
 
-// WatchCredential returns a collection of NotifyWatchers that observe
-// changes to the given cloud credentials.
-// The order of returned watchers is important and corresponds directly to the
-// order of supplied cloud credentials collection.
-func (api *CredentialValidatorAPI) WatchCredential(tag string) (params.NotifyWatchResult, error) {
+// WatchCredential returns a NotifyWatcher that observes
+// changes to a given cloud credential.
+func (api *CredentialValidatorAPI) WatchCredential(tag params.Entity) (params.NotifyWatchResult, error) {
 	fail := func(failure error) (params.NotifyWatchResult, error) {
 		return params.NotifyWatchResult{}, common.ServerError(failure)
 	}
 
-	credentialTag, err := names.ParseCloudCredentialTag(tag)
+	credentialTag, err := names.ParseCloudCredentialTag(tag.Tag)
 	if err != nil {
 		return fail(err)
 	}
-
 	// Is credential used by the model that has created this backend?
 	isUsed, err := api.backend.ModelUsesCredential(credentialTag)
 	if err != nil {

apiserver/facades/agent/credentialvalidator/credentialvalidator_test.go

@@ -67,21 +67,21 @@ func (s *CredentialValidatorSuite) TestModelCredentialNotNeeded(c *gc.C) {
 }
 
 func (s *CredentialValidatorSuite) TestWatchCredential(c *gc.C) {
-	result, err := s.api.WatchCredential(credentialTag.String())
+	result, err := s.api.WatchCredential(params.Entity{credentialTag.String()})
 	c.Assert(err, jc.ErrorIsNil)
 	c.Assert(result, gc.DeepEquals, params.NotifyWatchResult{"1", nil})
 	c.Assert(s.resources.Count(), gc.Equals, 1)
 }
 
 func (s *CredentialValidatorSuite) TestWatchCredentialNotUsedInThisModel(c *gc.C) {
 	s.backend.isUsed = false
-	_, err := s.api.WatchCredential(credentialTag.String())
+	_, err := s.api.WatchCredential(params.Entity{credentialTag.String()})
 	c.Assert(err, gc.ErrorMatches, common.ErrPerm.Error())
 	c.Assert(s.resources.Count(), gc.Equals, 0)
 }
 
 func (s *CredentialValidatorSuite) TestWatchCredentialInvalidTag(c *gc.C) {
-	_, err := s.api.WatchCredential("my-tag")
+	_, err := s.api.WatchCredential(params.Entity{"my-tag"})
 	c.Assert(err, gc.ErrorMatches, `"my-tag" is not a valid tag`)
 	c.Assert(s.resources.Count(), gc.Equals, 0)
 }

cmd/jujud/agent/engine_test.go

@@ -34,6 +34,7 @@ var (
 		"action-pruner",
 		"charm-revision-updater",
 		"compute-provisioner",
+		"credential-validator-flag",
 		"environ-tracker",
 		"firewaller",
 		"instance-poller",

cmd/jujud/agent/machine_test.go

@@ -1041,8 +1041,20 @@ func (s *MachineSuite) TestHostedModelWorkers(c *gc.C) {
 		return &minModelWorkersEnviron{}, nil
 	})
 
-	st, closer := s.setUpNewModel(c)
-	defer closer()
+	st := s.Factory.MakeModel(c, &factory.ModelParams{
+		ConfigAttrs: coretesting.Attrs{
+			"max-status-history-age":  "2h",
+			"max-status-history-size": "4M",
+			"max-action-results-age":  "2h",
+			"max-action-results-size": "4M",
+		},
+		CloudCredential: names.NewCloudCredentialTag("dummy/admin/cred"),
+	})
+	defer func() {
+		err := st.Close()
+		c.Check(err, jc.ErrorIsNil)
+	}()
+
 	uuid := st.ModelUUID()
 
 	tracker := agenttest.NewEngineTracker()

cmd/jujud/agent/model/manifolds.go

@@ -34,6 +34,7 @@ import (
 	"github.com/juju/juju/worker/charmrevision"
 	"github.com/juju/juju/worker/charmrevision/charmrevisionmanifold"
 	"github.com/juju/juju/worker/cleaner"
+	"github.com/juju/juju/worker/credentialvalidator"
 	"github.com/juju/juju/worker/dependency"
 	"github.com/juju/juju/worker/environ"
 	"github.com/juju/juju/worker/firewaller"
@@ -80,7 +81,7 @@ type ManifoldsConfig struct {
 	Clock clock.Clock
 
 	// InstPollerAggregationDelay is the delay before sending a batch of
-	// requests in the instancpoller.Worker's aggregate loop.
+	// requests in the instancepoller.Worker's aggregate loop.
 	InstPollerAggregationDelay time.Duration
 
 	// RunFlagDuration defines for how long this controller will ask
@@ -170,6 +171,13 @@ func commonManifolds(config ManifoldsConfig) dependency.Manifolds {
 			NewFacade: singular.NewFacade,
 			NewWorker: singular.NewWorker,
 		}),
+		// Cloud credential validator runs on all models, and
+		// determines if model's cloud credential is valid.
+		credentialValidatorFlagName: ifNotUpgrading(ifNotDead(credentialvalidator.Manifold(credentialvalidator.ManifoldConfig{
+			APICallerName: apiCallerName,
+			NewFacade:     credentialvalidator.NewFacade,
+			NewWorker:     credentialvalidator.NewWorker,
+		}))),
 
 		// The migration workers collaborate to run migrations;
 		// and to create a mechanism for running other workers
@@ -519,6 +527,14 @@ var (
 			modelUpgradedFlagName,
 		},
 	}.Decorate
+
+	// ifCredentialValid wraps a manifold such that it only runs if
+	// the model has a valid credential.
+	ifCredentialValid = engine.Housing{
+		Flags: []string{
+			credentialValidatorFlagName,
+		},
+	}.Decorate
 )
 
 const (
@@ -560,4 +576,6 @@ const (
 	caasOperatorProvisionerName = "caas-operator-provisioner"
 	caasUnitProvisionerName     = "caas-unit-provisioner"
 	caasBrokerTrackerName       = "caas-broker-tracker"
+
+	credentialValidatorFlagName = "credential-validator-flag"
 )

cmd/jujud/agent/model/manifolds_test.go

@@ -39,6 +39,7 @@ func (s *ManifoldsSuite) TestIAASNames(c *gc.C) {
 		"charm-revision-updater",
 		"clock",
 		"compute-provisioner",
+		"credential-validator-flag",
 		"environ-tracker",
 		"firewaller",
 		"instance-poller",
@@ -84,6 +85,7 @@ func (s *ManifoldsSuite) TestCAASNames(c *gc.C) {
 		"caas-unit-provisioner",
 		"charm-revision-updater",
 		"clock",
+		"credential-validator-flag",
 		"is-responsible-flag",
 		"log-forwarder",
 		"migration-fortress",
@@ -107,6 +109,7 @@ func (s *ManifoldsSuite) TestFlagDependencies(c *gc.C) {
 		"api-caller",
 		"api-config-watcher",
 		"clock",
+		"credential-validator-flag",
 		"is-responsible-flag",
 		"not-alive-flag",
 		"not-dead-flag",

worker/credentialvalidator/manifold.go

@@ -0,0 +1,78 @@
+// Copyright 2018 Canonical Ltd.
+// Licensed under the AGPLv3, see LICENCE file for details.
+
+package credentialvalidator
+
+import (
+	"github.com/juju/errors"
+	"gopkg.in/juju/worker.v1"
+
+	"github.com/juju/juju/api/base"
+	"github.com/juju/juju/cmd/jujud/agent/engine"
+	"github.com/juju/juju/worker/dependency"
+)
+
+// ManifoldConfig holds the dependencies and configuration for a
+// Worker manifold.
+type ManifoldConfig struct {
+	APICallerName string
+
+	NewFacade func(base.APICaller) (Facade, error)
+	NewWorker func(Config) (worker.Worker, error)
+}
+
+// Validate is called by start to check for bad configuration.
+func (config ManifoldConfig) Validate() error {
+	if config.APICallerName == "" {
+		return errors.NotValidf("empty APICallerName")
+	}
+	if config.NewFacade == nil {
+		return errors.NotValidf("nil NewFacade")
+	}
+	if config.NewWorker == nil {
+		return errors.NotValidf("nil NewWorker")
+	}
+	return nil
+}
+
+// start is a StartFunc for a Worker manifold.
+func (config ManifoldConfig) start(context dependency.Context) (worker.Worker, error) {
+	if err := config.Validate(); err != nil {
+		return nil, errors.Trace(err)
+	}
+	var apiCaller base.APICaller
+	if err := context.Get(config.APICallerName, &apiCaller); err != nil {
+		return nil, errors.Trace(err)
+	}
+	facade, err := config.NewFacade(apiCaller)
+	if err != nil {
+		return nil, errors.Trace(err)
+	}
+	worker, err := config.NewWorker(Config{
+		Facade: facade,
+	})
+	if err != nil {
+		return nil, errors.Trace(err)
+	}
+	return worker, nil
+}
+
+// Manifold packages a Worker for use in a dependency.Engine.
+func Manifold(config ManifoldConfig) dependency.Manifold {
+	return dependency.Manifold{
+		Inputs: []string{config.APICallerName},
+		Start:  config.start,
+		Output: engine.FlagOutput,
+		Filter: filterErrors,
+	}
+}
+
+func filterErrors(err error) error {
+	cause := errors.Cause(err)
+	if cause == ErrValidityChanged || cause == ErrModelCredentialChanged {
+		return dependency.ErrBounce
+	} else if cause == ErrModelDoesNotNeedCredential {
+		return dependency.ErrUninstall
+	}
+	return err
+}