Acquire registers and, when requireCreds is set, keeps re-registering with exponential backoff until the node is approved (status != pending) and credentials are minted. Without requireCreds it returns the first successful response (the historical one-shot behavior, preserved for anonymous NATS).
(ctx context.Context)
| 120 | // credentials are minted. Without requireCreds it returns the first successful |
| 121 | // response (the historical one-shot behavior, preserved for anonymous NATS). |
| 122 | func (m *NATSCredentialManager) Acquire(ctx context.Context) (*RegisterResponse, error) { |
| 123 | backoff := m.initialBackoff |
| 124 | var lastReason error |
| 125 | for attempt := 1; m.maxAttempts <= 0 || attempt <= m.maxAttempts; attempt++ { |
| 126 | res, err := m.register(ctx) |
| 127 | switch { |
| 128 | case err != nil: |
| 129 | lastReason = err |
| 130 | xlog.Warn("Registration failed, retrying", "attempt", attempt, "next_retry", backoff, "error", err) |
| 131 | case !m.requireCreds: |
| 132 | m.store(res) |
| 133 | return res, nil |
| 134 | case res.Status == statusPending: |
| 135 | lastReason = fmt.Errorf("node %s still pending admin approval", res.ID) |
| 136 | xlog.Info("Node pending admin approval; waiting", "node", res.ID, "attempt", attempt, "next_retry", backoff) |
| 137 | case res.NatsJWT == "" || res.NatsUserSeed == "": |
| 138 | lastReason = fmt.Errorf("node %s approved but NATS credentials not minted", res.ID) |
| 139 | xlog.Info("Node approved but NATS credentials not yet minted; waiting", "node", res.ID, "attempt", attempt, "next_retry", backoff) |
| 140 | default: |
| 141 | m.store(res) |
| 142 | return res, nil |
| 143 | } |
| 144 | select { |
| 145 | case <-ctx.Done(): |
| 146 | return nil, ctx.Err() |
| 147 | case <-time.After(backoff): |
| 148 | } |
| 149 | backoff = min(backoff*2, m.maxBackoff) |
| 150 | } |
| 151 | return nil, fmt.Errorf("giving up acquiring NATS credentials after %d attempts: %w", m.maxAttempts, lastReason) |
| 152 | } |
| 153 | |
| 154 | // RefreshLoop re-registers to mint a fresh JWT before the current one expires, |
| 155 | // updating the credentials returned by Current/Provider so the NATS connection |
no test coverage detected