Add dr-token Flag to Autopilot CLI

[ltcarbonell]

For other operator commands such as list-peers we support a -dr-token flag:

vault operator raft list-peers -dr-token="<DR_OP_TOKEN>"

For autopilot commands, though, you have to pass it in via VAULT_TOKEN:

VAULT_TOKEN="<DR_OP_TOKEN>" vault operator raft autopilot state
VAULT_TOKEN="<DR_OP_TOKEN>" vault operator raft autopilot get-config
VAULT_TOKEN="<DR_OP_TOKEN>" vault operator raft autopilot set-config

These changes will allow the token to be passed via flag, as well as maintaining the VAULT_TOKEN env variable method

VAULT_TOKEN=$dr_token vault operator raft autopilot state
vault operator raft autopilot state -dr-token=$dr_token

VAULT_TOKEN=$dr_token vault operator raft autopilot get-config
vault operator raft autopilot get-config -dr-token=$dr_token

VAULT_TOKEN=$dr_token vault operator raft autopilot set-config \
    -dead-server-last-contact-threshold=10 \
    -server-stabilization-time=30 \
    -cleanup-dead-servers=true \
    -min-quorum=3
VAULT_TOKEN=$dr_token vault operator raft autopilot get-config    
vault operator raft autopilot set-config \
    -dead-server-last-contact-threshold=15 \
    -server-stabilization-time=45 \
    -cleanup-dead-servers=false \
    -min-quorum=3 \
    -dr-token=$dr_token 
vault operator raft autopilot get-config -dr-token=$dr_token

[raskchanky]

I'm curious about this pattern of using client.SetToken() for passing along the DR token. If this works, why not use it for the state and get config endpoints too, instead of creating special methods for them?

[raskchanky]

I haven't verified it, but the fact that DR operation tokens are their own parameters to API calls makes me dubious that this works.

[ltcarbonell]

I had a similar thought/questions. And from looking into the code and the original change to do it that way (#10856) It still wasn't very clear to me. Perhaps @vishalnayak might be able to provide some light, since they made the original change (albeit a while back).

[raskchanky]

It's not clear to me that this is a valid pattern. I would prefer if this was done in a similar style to how it's done for other raft commands that support a -dr-token flag, e.g. list-peers.

[ltcarbonell]

I understand what you are saying now. I will work on that 👍

[raskchanky]

Nevermind 🤦 . I can see from your terminal example above that it must be valid, otherwise passing in the DR operation token via VAULT_TOKEN wouldn't have worked. It seems confusing that we support that way of using DR operation tokens, but many places in our documentation shows explicitly passing them in via their own parameter. 🤷

[ltcarbonell]

So I looked at this a bit more and it looks like this is where we set a DR token (if passed through), or default to the ClientToken. https://github.com/hashicorp/vault-enterprise/blob/main/vault/replication_api_ent.go#L803-L808. I think you are correct that it is probably better to set this token explicitly, rather than just set a client token (since this looks like it is already built in). I went ahead and pushed that commit for you to review.

[github-actions]

Build Results:
All builds succeeded! ✅

[github-actions]

CI Results:
All Go tests succeeded! ✅