Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Contex deadline #12

Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

Contex deadline #12

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
612f64e
Investigate contex-deadline
Apr 22, 2024
24cf5a9
Use debug by default
Apr 22, 2024
f6e07d1
Revert "Use debug by default"
Apr 23, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions .gitignore
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,3 +11,6 @@
# Output of the go coverage tool, specifically when used with LiteIDE
*.out
vendor

# IDE files
.idea
15 changes: 14 additions & 1 deletion Makefile
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
VAULT_ADDR=http://127.0.0.1:8200
export VAULT_ADDR
SHA256SUM=$(shell sha256sum vault/plugin/vault-plugin-secrets-kubernetes | awk {'print $$1'})
SECRETNAME=vault
PLUGIN_NAME=vault-plugin-secrets-kubernetes

build:
Expand All @@ -21,9 +22,18 @@ list-plugins:
vault read sys/plugins/catalog

configure-plugin:
vault write k8s/config token=${TOKEN} api-url=${MASTER_URL} CA=${MASTER_CA}
vault write k8s/config token=$(shell kubectl -n vault get secret ${SECRETNAME} -o jsonpath='{ .data.token }' | base64 -d) \
api-url=https://$(shell minikube ip):8443 \
CA=$(shell kubectl -n vault get secret ${SECRETNAME} -o jsonpath='{ .data.ca\.crt }')
vault read k8s/config

minikube:
minikube start --kubernetes-version=v1.28.9

configure-minikube:
kubectl config use minikube
kubectl apply -f manifests/

create-sa:
vault write k8s/sa/it-deployer namespace=it service-account-name=deployer

Expand All @@ -39,6 +49,9 @@ test:

init-plugin: login add-plugin enable-plugin list-plugins

delete-mount:
vault delete sys/mounts/k8s

crosscompile:
CGO_ENABLED=0 GOARCH=amd64 GOOS=linux go build -a -ldflags="-s -w" -installsuffix cgo -o vault/plugin/${PLUGIN_NAME}-linux-amd64 .
CGO_ENABLED=0 GOARCH=arm64 GOOS=linux go build -a -ldflags="-s -w" -installsuffix cgo -o vault/plugin/${PLUGIN_NAME}-linux-arm64 .
Expand Down
20 changes: 12 additions & 8 deletions backend/backend.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,15 +5,16 @@ import (
"sync"
"time"

hclog "github.com/hashicorp/go-hclog"
"github.com/hashicorp/vault/sdk/framework"
"github.com/hashicorp/vault/sdk/logical"

)

type kubeBackend struct {
*framework.Backend
testMode bool
saMutex sync.RWMutex
saMutex sync.RWMutex
log hclog.Logger
}

// New creates and returns new instance of Kubernetes secrets manager backend
Expand Down Expand Up @@ -45,11 +46,14 @@ func New() *kubeBackend {
return &b
}

// Factory creates and returns new backend with BackendConfig
func Factory(ctx context.Context, c *logical.BackendConfig) (logical.Backend, error) {
b := New()
if err := b.Setup(ctx, c); err != nil {
return nil, err
func NewFactory(log hclog.Logger) logical.Factory {
return func(ctx context.Context, c *logical.BackendConfig) (logical.Backend, error) {
b := New()
b.log = log

if err := b.Setup(ctx, c); err != nil {
return nil, err
}
return b, nil
}
return b, nil
}
8 changes: 8 additions & 0 deletions backend/path_secrets.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,20 +35,25 @@ func pathSecrets(b *kubeBackend) *framework.Path {
}

func (b *kubeBackend) pathSecretsUpdate(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
b.log.Info("Trying to take a saMutex.Lock()", "", "")
b.saMutex.Lock()
defer b.saMutex.Unlock()
saName := d.Get("name").(string)
b.log.Info("Get(saName)", "return", saName)
sa, err := getServiceAccount(ctx, saName, req.Storage)
if err != nil {
b.log.Error("Unable to getServiceAccount", "err", err)
return nil, err
}
b.log.Debug("getServiceAccount", "return", sa)

if sa == nil {
return logical.ErrorResponse(fmt.Sprintf("ServiceAccount '%s' not found", saName)), nil
}

config, err := getConfig(ctx, req.Storage)
if err != nil {
b.log.Error("getConfig", "err", err)
return nil, err
}

Expand All @@ -67,8 +72,11 @@ func (b *kubeBackend) pathSecretsUpdate(ctx context.Context, req *logical.Reques
ttl = int64(config.TTL.Seconds())
}

b.log.Info("Output of ttl", "ttl", ttl)

resp, err := b.createSecret(ctx, req.Storage, config, sa)
if err != nil {
b.log.Error("Unable to createSecret", "err", err)
return nil, err
}
resp.Secret.TTL = time.Duration(ttl) * time.Second
Expand Down
25 changes: 12 additions & 13 deletions backend/secret_tokens.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,13 +7,11 @@ import (
"math/rand"
"time"

"github.com/hashicorp/errwrap"

"github.com/mitchellh/mapstructure"

"github.com/hashicorp/vault/sdk/framework"
"github.com/hashicorp/vault/sdk/logical"
"k8s.io/api/core/v1"
v1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

Expand All @@ -28,15 +26,15 @@ func secretAccessTokens(b *kubeBackend) *framework.Secret {
return &framework.Secret{
Type: secretTypeAccessToken,
Fields: map[string]*framework.FieldSchema{
"token": &framework.FieldSchema{
"token": {
Type: framework.TypeString,
Description: "Token of the secret",
},
"namespace": &framework.FieldSchema{
"namespace": {
Type: framework.TypeString,
Description: "Namespace of the secret",
},
"ca": &framework.FieldSchema{
"ca": {
Type: framework.TypeString,
Description: "CA of the api server",
},
Expand Down Expand Up @@ -87,15 +85,17 @@ func (b *kubeBackend) createSecret(ctx context.Context, s logical.Storage, c *co
}
_, err = clientSet.CoreV1().Secrets(sa.Namespace).Create(ctx, secret, metav1.CreateOptions{})
if err != nil {
return nil, errwrap.Wrapf("Unable to create secret, {{err}}", err)
return nil, fmt.Errorf("Unable to create secret, %s", err)
}
// Do 5 tries to get secret, due to it may not generated after first try
for range []int{0, 1, 2, 3, 4} {
secretResp, err := clientSet.CoreV1().Secrets(sa.Namespace).Get(ctx, secret.Name, metav1.GetOptions{})
if err != nil {
return nil, errwrap.Wrapf("Unable to get secret, {{err}}", err)
b.log.Error("Unable to get secret", "err", err)
return nil, fmt.Errorf("Unable to get secret, %s", err)
}
if len(secretResp.Data) == 0 {
b.log.Debug("recieved empty data, sleep a second before retry", "", "")
time.Sleep(time.Second)
continue
}
Expand All @@ -106,6 +106,7 @@ func (b *kubeBackend) createSecret(ctx context.Context, s logical.Storage, c *co
break
}
if resp == nil || len(resp.Data) == 0 {
b.log.Error("unable to get secret with 5 tries, Data was empty", "", "")
return nil, errors.New("unable to get secret with 5 tries, Data was empty")
}
} else {
Expand All @@ -118,9 +119,11 @@ func (b *kubeBackend) createSecret(ctx context.Context, s logical.Storage, c *co
// the secret because it'll get rolled back anyways, so we have to return
// an error here.
if err := framework.DeleteWAL(ctx, s, walID); err != nil {
return nil, errwrap.Wrapf("failed to commit WAL entry: {{err}}", err)
return nil, fmt.Errorf("failed to commit WAL entry: %s", err)
}

b.log.Debug("WAL removed", "", "")

return b.Secret(secretTypeAccessToken).Response(map[string]interface{}{
"token": token,
"namespace": namespace,
Expand All @@ -131,10 +134,6 @@ func (b *kubeBackend) createSecret(ctx context.Context, s logical.Storage, c *co
}), nil
}

func init() {
rand.Seed(time.Now().UnixNano())
}

func generatePostfix(n int) string {
b := make([]byte, n)
for i := range b {
Expand Down
16 changes: 12 additions & 4 deletions docker-compose.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,14 +1,22 @@
version: '3'
services:
vault:
image: vault:1.3.10
image: hashicorp/vault:1.15.5
environment:
VAULT_LOCAL_CONFIG: '{"backend": {"file": {"path": "/vault/file"}}, "default_lease_ttl": "168h", "max_lease_ttl": "720h", "plugin_directory":"/plugin"}'
VAULT_DEV_ROOT_TOKEN_ID: 123qwe
VAULT_PLUGIN_LOG_PATH: /tmp/vault-k8s.log
cap_add:
- IPC_LOCK
ports:
- "8200:8200"
- "8201:8201"
network_mode: host
# networks:
# - minikube
# ports:
# - "8200:8200"
# - "8201:8201"
volumes:
- "./vault/plugin:/plugin"
#networks:
# minikube:
# driver: bridge
# external: true
31 changes: 26 additions & 5 deletions main.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,32 +4,53 @@ import (
"github.com/hashicorp/go-hclog"
"github.com/hashicorp/vault/sdk/plugin"
"github.com/jetbrains-infra/vault-plugin-secrets-kubernetes/backend"

"log"

"os"

"github.com/hashicorp/vault/api"
)

func main() {
loggerOpts := &hclog.LoggerOptions{
Name: "vault-kubernetes",
Level: hclog.Info,
}

if pluginLogPath := os.Getenv("VAULT_PLUGIN_LOG_PATH"); pluginLogPath != "" {
fp, err := os.OpenFile(pluginLogPath, os.O_WRONLY|os.O_CREATE, 0640)
if err == nil {
loggerOpts.Output = fp
loggerOpts.Level = hclog.Trace
} else {
log.Fatalf("Failed to open plugin log file %s", pluginLogPath)
}
}
logger := hclog.New(loggerOpts)
logger.Info("Plugin started")
defer func() {
logger.Info("Plugin stopped")
}()
apiClientMeta := &api.PluginAPIClientMeta{}
flags := apiClientMeta.FlagSet()
err := flags.Parse(os.Args[1:])
if err != nil {
log.Fatalf("Unable to parse arguments %+v, %s", os.Args[1:], err)
logger.Error("Unable to parse arguments %+v, %s", os.Args[1:], err)
os.Exit(1)
}

tlsConfig := apiClientMeta.GetTLSConfig()
tlsProviderFunc := api.VaultPluginTLSProvider(tlsConfig)


err = plugin.Serve(&plugin.ServeOpts{
BackendFactoryFunc: backend.Factory,
BackendFactoryFunc: backend.NewFactory(logger),
TLSProviderFunc: tlsProviderFunc,
Logger: logger,
})
if err != nil {
logger := hclog.New(&hclog.LoggerOptions{})

logger.Error("plugin shutting down", "error", err)
os.Exit(1)
}
}

11 changes: 11 additions & 0 deletions manifests/namespaces.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: vault
---
apiVersion: v1
kind: Namespace
metadata:
name: it

29 changes: 29 additions & 0 deletions manifests/rbac.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: vault
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- create
- delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
annotations:
name: vault
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: vault
subjects:
- kind: ServiceAccount
name: vault
namespace: vault

12 changes: 12 additions & 0 deletions manifests/sa.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: vault
namespace: vault
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: deployer
namespace: it
8 changes: 8 additions & 0 deletions manifests/secret.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
apiVersion: v1
kind: Secret
metadata:
name: vault
namespace: vault
annotations:
kubernetes.io/service-account.name: vault
type: kubernetes.io/service-account-token