Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

vault: detect namespace change in config reload #14298

Merged
merged 3 commits into from
Aug 24, 2022
Merged

vault: detect namespace change in config reload #14298

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
b2c2ab5
vault: detect namespace change in config reload
tgross Aug 24, 2022
9692586
add accessor method for testing
tgross Aug 24, 2022
3f63499
fix TLSSkipVerify comparison too
tgross Aug 24, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
7 changes: 7 additions & 0 deletions .changelog/14298.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
```release-note:bug
vault: Fixed a bug where changing the Vault configuration `namespace` field was not detected as a change during server configuration reload.
```

```release-note:bug
vault: Fixed a bug where Vault clients were recreated when the server configuration was reloaded, even if there were no changes to the Vault configuration.
```
33 changes: 33 additions & 0 deletions command/agent/agent_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1085,6 +1085,39 @@ func TestServer_Reload_TLS_DowngradeFromTLS(t *testing.T) {
assert.True(agent.config.TLSConfig.IsEmpty())
}

func TestServer_Reload_VaultConfig(t *testing.T) {
ci.Parallel(t)

agent := NewTestAgent(t, t.Name(), func(c *Config) {
c.Server.NumSchedulers = pointer.Of(0)
c.Vault = &config.VaultConfig{
Enabled: pointer.Of(true),
Token: "vault-token",
Namespace: "vault-namespace",
Addr: "https://vault.consul:8200",
}
})
defer agent.Shutdown()

newConfig := agent.GetConfig().Copy()
newConfig.Vault = &config.VaultConfig{
Enabled: pointer.Of(true),
Token: "vault-token",
Namespace: "another-namespace",
Addr: "https://vault.consul:8200",
}

sconf, err := convertServerConfig(newConfig)
must.NoError(t, err)
agent.finalizeServerConfig(sconf)

// TODO: the vault client isn't accessible here, and we don't actually
// overwrite the agent's server config on reload. We probably should? See
// tests in nomad/server_test.go for verification of this code path's
// behavior on the VaultClient
must.NoError(t, agent.server.Reload(sconf))
}

func TestServer_ShouldReload_ReturnFalseForNoChanges(t *testing.T) {
ci.Parallel(t)
assert := assert.New(t)
Expand Down
5 changes: 5 additions & 0 deletions nomad/server_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -214,6 +214,7 @@ func TestServer_Reload_Vault(t *testing.T) {
config := DefaultConfig()
config.VaultConfig.Enabled = &tr
config.VaultConfig.Token = uuid.Generate()
config.VaultConfig.Namespace = "nondefault"

if err := s1.Reload(config); err != nil {
t.Fatalf("Reload failed: %v", err)
Expand All @@ -222,6 +223,10 @@ func TestServer_Reload_Vault(t *testing.T) {
if !s1.vault.Running() {
t.Fatalf("Vault client should be running")
}

if s1.vault.GetConfig().Namespace != "nondefault" {
t.Fatalf("Vault client did not get new namespace")
}
}

func connectionReset(msg string) bool {
Expand Down
61 changes: 41 additions & 20 deletions nomad/structs/config/vault.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -106,14 +106,20 @@ func (c *VaultConfig) AllowsUnauthenticated() bool {
func (c *VaultConfig) Merge(b *VaultConfig) *VaultConfig {
result := *c

if b.Enabled != nil {
result.Enabled = b.Enabled
}
if b.Token != "" {
result.Token = b.Token
}
if b.Role != "" {
result.Role = b.Role
}
if b.Namespace != "" {
result.Namespace = b.Namespace
}
if b.Role != "" {
result.Role = b.Role
if b.AllowUnauthenticated != nil {
result.AllowUnauthenticated = b.AllowUnauthenticated
}
if b.TaskTokenTTL != "" {
result.TaskTokenTTL = b.TaskTokenTTL
Expand All @@ -136,17 +142,11 @@ func (c *VaultConfig) Merge(b *VaultConfig) *VaultConfig {
if b.TLSKeyFile != "" {
result.TLSKeyFile = b.TLSKeyFile
}
if b.TLSServerName != "" {
result.TLSServerName = b.TLSServerName
}
if b.AllowUnauthenticated != nil {
result.AllowUnauthenticated = b.AllowUnauthenticated
}
if b.TLSSkipVerify != nil {
result.TLSSkipVerify = b.TLSSkipVerify
}
if b.Enabled != nil {
result.Enabled = b.Enabled
if b.TLSServerName != "" {
result.TLSServerName = b.TLSServerName
}

return &result
Expand Down Expand Up @@ -188,22 +188,42 @@ func (c *VaultConfig) Copy() *VaultConfig {
return nc
}

// IsEqual compares two Vault configurations and returns a boolean indicating
// Equals compares two Vault configurations and returns a boolean indicating
// if they are equal.
func (c *VaultConfig) IsEqual(b *VaultConfig) bool {
func (c *VaultConfig) Equals(b *VaultConfig) bool {
if c == nil && b != nil {
return false
}
if c != nil && b == nil {
return false
}

if c.Enabled == nil || b.Enabled == nil {
if c.Enabled != b.Enabled {
return false
}
} else if *c.Enabled != *b.Enabled {
return false
}

if c.Token != b.Token {
return false
}
if c.Role != b.Role {
return false
}
if c.Namespace != b.Namespace {
return false
}

if c.AllowUnauthenticated == nil || b.AllowUnauthenticated == nil {
if c.AllowUnauthenticated != b.AllowUnauthenticated {
return false
}
} else if *c.AllowUnauthenticated != *b.AllowUnauthenticated {
return false
}

if c.TaskTokenTTL != b.TaskTokenTTL {
return false
}
Expand All @@ -225,17 +245,18 @@ func (c *VaultConfig) IsEqual(b *VaultConfig) bool {
if c.TLSKeyFile != b.TLSKeyFile {
return false
}
if c.TLSServerName != b.TLSServerName {
return false
}
if c.AllowUnauthenticated != b.AllowUnauthenticated {
return false
}
if c.TLSSkipVerify != b.TLSSkipVerify {

if c.TLSSkipVerify == nil || b.TLSSkipVerify == nil {
if c.TLSSkipVerify != b.TLSSkipVerify {
return false
}
} else if *c.TLSSkipVerify != *b.TLSSkipVerify {
Comment on lines +249 to +253
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i was thinking, maybe we could have pointer.Compare similar to (and replacing) helper.CompareTimePtrs - caveat being it should only be used on basic types (not on structs with also pointer fields)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good idea, lemme take a crack at that.

Copy link
Member

@shoenig shoenig Aug 24, 2022
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

caveat being it should only be used on basic types

what am I thinking, we can enforce that with a type parameter constraint!

Copy link
Member

@shoenig shoenig Aug 24, 2022
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

pretty sure this is effectively what we'd want

// Compare returns whether a and b contain the same value.
func Compare[A constraints.Ordered](a, b *A) bool {
// but also check nil
	return *a == *b
}```

Copy link
Member

@schmichael schmichael Aug 24, 2022
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, something like this? https://go.dev/play/p/nE1aQVTzsuz

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the problem is I want to prevent comparisons like this:

https://go.dev/play/p/Lh26c-YWmBd

using constraints.Ordered as a constraint prevents comparing pointers of anything but underlying Numeric/String types which are safe

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hrm, I seem to be stuck there.

type primitivePointer interface {
	*bool | *string | *int // etc, we can add the rest here
}

// Compare is an equality check for pointers that point to primitives.
func Compare[A primitivePointer](a, b A) bool {
	if a == nil || b == nil {
		return a == b
	}

	return *a == *b
}

Gives me:

# github.com/hashicorp/nomad/helper/pointer
helper/pointer/pointer.go:28:10: invalid operation: pointers of a (variable of type A constrained by primitivePointer) must have identical base types
helper/pointer/pointer.go:28:16: invalid operation: pointers of b (variable of type A constrained by primitivePointer) must have identical base types

For now I'm going to merge the bugfix and then we'll come up with some nicer comparison functions in a separate PR.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, I posted that without seeing the other solutions. In any case, probably better for another PR.

return false
}
if c.Enabled != b.Enabled {

if c.TLSServerName != b.TLSServerName {
return false
}

return true
}
63 changes: 35 additions & 28 deletions nomad/structs/config/vault_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,35 +3,36 @@ package config
import (
"reflect"
"testing"
"time"

"github.com/hashicorp/nomad/ci"
"github.com/stretchr/testify/require"
"github.com/hashicorp/nomad/helper/pointer"
"github.com/shoenig/test/must"
)

func TestVaultConfig_Merge(t *testing.T) {
ci.Parallel(t)

trueValue, falseValue := true, false
c1 := &VaultConfig{
Enabled: &falseValue,
Enabled: pointer.Of(false),
Token: "1",
Role: "1",
AllowUnauthenticated: &trueValue,
AllowUnauthenticated: pointer.Of(true),
TaskTokenTTL: "1",
Addr: "1",
TLSCaFile: "1",
TLSCaPath: "1",
TLSCertFile: "1",
TLSKeyFile: "1",
TLSSkipVerify: &trueValue,
TLSSkipVerify: pointer.Of(true),
TLSServerName: "1",
}

c2 := &VaultConfig{
Enabled: &trueValue,
Enabled: pointer.Of(true),
Token: "2",
Role: "2",
AllowUnauthenticated: &falseValue,
AllowUnauthenticated: pointer.Of(false),
TaskTokenTTL: "2",
Addr: "2",
TLSCaFile: "2",
Expand All @@ -43,17 +44,17 @@ func TestVaultConfig_Merge(t *testing.T) {
}

e := &VaultConfig{
Enabled: &trueValue,
Enabled: pointer.Of(true),
Token: "2",
Role: "2",
AllowUnauthenticated: &falseValue,
AllowUnauthenticated: pointer.Of(false),
TaskTokenTTL: "2",
Addr: "2",
TLSCaFile: "2",
TLSCaPath: "2",
TLSCertFile: "2",
TLSKeyFile: "2",
TLSSkipVerify: &trueValue,
TLSSkipVerify: pointer.Of(true),
TLSServerName: "2",
}

Expand All @@ -63,72 +64,78 @@ func TestVaultConfig_Merge(t *testing.T) {
}
}

func TestVaultConfig_IsEqual(t *testing.T) {
func TestVaultConfig_Equals(t *testing.T) {
ci.Parallel(t)

require := require.New(t)

trueValue, falseValue := true, false
c1 := &VaultConfig{
Enabled: &falseValue,
Enabled: pointer.Of(false),
Token: "1",
Role: "1",
AllowUnauthenticated: &trueValue,
Namespace: "1",
AllowUnauthenticated: pointer.Of(true),
TaskTokenTTL: "1",
Addr: "1",
ConnectionRetryIntv: time.Second,
TLSCaFile: "1",
TLSCaPath: "1",
TLSCertFile: "1",
TLSKeyFile: "1",
TLSSkipVerify: &trueValue,
TLSSkipVerify: pointer.Of(true),
TLSServerName: "1",
}

c2 := &VaultConfig{
Enabled: &falseValue,
Enabled: pointer.Of(false),
Token: "1",
Role: "1",
AllowUnauthenticated: &trueValue,
Namespace: "1",
AllowUnauthenticated: pointer.Of(true),
TaskTokenTTL: "1",
Addr: "1",
ConnectionRetryIntv: time.Second,
TLSCaFile: "1",
TLSCaPath: "1",
TLSCertFile: "1",
TLSKeyFile: "1",
TLSSkipVerify: &trueValue,
TLSSkipVerify: pointer.Of(true),
TLSServerName: "1",
}

require.True(c1.IsEqual(c2))
must.Equals(t, c1, c2)

c3 := &VaultConfig{
Enabled: &trueValue,
Enabled: pointer.Of(true),
Token: "1",
Role: "1",
AllowUnauthenticated: &trueValue,
Namespace: "1",
AllowUnauthenticated: pointer.Of(true),
TaskTokenTTL: "1",
Addr: "1",
ConnectionRetryIntv: time.Second,
TLSCaFile: "1",
TLSCaPath: "1",
TLSCertFile: "1",
TLSKeyFile: "1",
TLSSkipVerify: &trueValue,
TLSSkipVerify: pointer.Of(true),
TLSServerName: "1",
}

c4 := &VaultConfig{
Enabled: &falseValue,
Enabled: pointer.Of(false),
Token: "1",
Role: "1",
AllowUnauthenticated: &trueValue,
Namespace: "1",
AllowUnauthenticated: pointer.Of(true),
TaskTokenTTL: "1",
Addr: "1",
ConnectionRetryIntv: time.Second,
TLSCaFile: "1",
TLSCaPath: "1",
TLSCertFile: "1",
TLSKeyFile: "1",
TLSSkipVerify: &trueValue,
TLSSkipVerify: pointer.Of(true),
TLSServerName: "1",
}
require.False(c3.IsEqual(c4))

must.NotEquals(t, c3, c4)
}
13 changes: 12 additions & 1 deletion nomad/vault.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -111,6 +111,10 @@ type VaultClient interface {
// SetConfig updates the config used by the Vault client
SetConfig(config *config.VaultConfig) error

// GetConfig returns a copy of the config used by the Vault client, for
// testing
GetConfig() *config.VaultConfig

// CreateToken takes an allocation and task and returns an appropriate Vault
// Secret
CreateToken(ctx context.Context, a *structs.Allocation, task string) (*vapi.Secret, error)
Expand Down Expand Up @@ -350,6 +354,13 @@ func (v *vaultClient) flush() {
v.tomb = &tomb.Tomb{}
}

// GetConfig returns a copy of this vault client's configuration, for testing.
func (v *vaultClient) GetConfig() *config.VaultConfig {
v.setConfigLock.Lock()
defer v.setConfigLock.Unlock()
return v.config.Copy()
}

// SetConfig is used to update the Vault config being used. A temporary outage
// may occur after calling as it re-establishes a connection to Vault
func (v *vaultClient) SetConfig(config *config.VaultConfig) error {
Expand All @@ -363,7 +374,7 @@ func (v *vaultClient) SetConfig(config *config.VaultConfig) error {
defer v.l.Unlock()

// If reloading the same config, no-op
if v.config.IsEqual(config) {
if v.config.Equals(config) {
return nil
}

Expand Down
1 change: 1 addition & 0 deletions nomad/vault_testing.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -142,6 +142,7 @@ func (v *TestVaultClient) MarkForRevocation(accessors []*structs.VaultAccessor)

func (v *TestVaultClient) Stop() {}
func (v *TestVaultClient) SetActive(enabled bool) {}
func (v *TestVaultClient) GetConfig() *config.VaultConfig { return nil }
func (v *TestVaultClient) SetConfig(config *config.VaultConfig) error { return nil }
func (v *TestVaultClient) Running() bool { return true }
func (v *TestVaultClient) Stats() map[string]string { return map[string]string{} }
Expand Down