HCP link integration #16939

Merged
merged 8 commits into from
Sep 6, 2022
10 changes: 5 additions & 5 deletions .circleci/config.yml


3 changes: 2 additions & 1 deletion .circleci/config/commands/configure-git.yml
@@ -1,6 +1,7 @@
steps:
- add_ssh_keys:
fingerprints:
- "0e:03:77:f4:e2:c3:56:c2:53:6a:03:e1:31:91:2f:06"
# "CircleCI Additional SSH Key" associated with hc-github-team-secure-vault-core GitHub user
- "b8:e2:38:f8:5b:1b:82:f3:1f:23:fa:46:6e:95:e7:e9"
- run: |
git config --global url."git@github.com:".insteadOf https://github.com/
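Review bot: The new `b8:e2…` fingerprint is documented with a comment naming the key and the GitHub account it belongs to, but the `0e:03…` entry above it carries no comment, so a reader of this file cannot tell what that key is for or whether it is still needed now that a second one exists. Suggest a matching one-line comment above it, e.g. `# <owner / purpose of this key — TODO fill in>`, so both keys are traceable when one has to be rotated or removed.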
30 changes: 16 additions & 14 deletions api/sys_seal.go
Expand Up @@ -93,20 +93,22 @@ func sealStatusRequestWithContext(ctx context.Context, c *Sys, r *Request) (*Sea
}

type SealStatusResponse struct {
Type string `json:"type"`
Initialized bool `json:"initialized"`
Sealed bool `json:"sealed"`
T int `json:"t"`
N int `json:"n"`
Progress int `json:"progress"`
Nonce string `json:"nonce"`
Version string `json:"version"`
BuildDate string `json:"build_date"`
Migration bool `json:"migration"`
ClusterName string `json:"cluster_name,omitempty"`
ClusterID string `json:"cluster_id,omitempty"`
RecoverySeal bool `json:"recovery_seal"`
StorageType string `json:"storage_type,omitempty"`
Type string `json:"type"`
Initialized bool `json:"initialized"`
Sealed bool `json:"sealed"`
T int `json:"t"`
N int `json:"n"`
Progress int `json:"progress"`
Nonce string `json:"nonce"`
Version string `json:"version"`
BuildDate string `json:"build_date"`
Migration bool `json:"migration"`
ClusterName string `json:"cluster_name,omitempty"`
ClusterID string `json:"cluster_id,omitempty"`
RecoverySeal bool `json:"recovery_seal"`
StorageType string `json:"storage_type,omitempty"`
HCPLinkStatus string `json:"hcp_link_status,omitempty"`
HCPLinkResourceID string `json:"hcp_link_resource_ID,omitempty"`
}

type UnsealOpts struct {
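Review bot: The tag on the new `HCPLinkResourceID` field, `json:"hcp_link_resource_ID,omitempty"`, breaks the snake_case convention of every other tag in `SealStatusResponse` (`cluster_id`, `storage_type`, `recovery_seal`). This struct is the client-side decoder for the seal-status response, so the name must match what the server emits; if the server-side struct (not in this view) uses the same spelling, both should be changed together to `hcp_link_resource_id` before this is released, since the wire name is hard to change afterwards. The two new fields also have no doc comments; suggest `// HCPLinkStatus and HCPLinkResourceID are only populated when a cloud stanza is configured.` (this appears to be how the server behaves, given that reloadHCPLink clears both when HCPLinkConf is nil — confirm). Seal status is, as far as I recall, served without a token, so the resource ID becomes readable by anyone who can reach the listener; confirm that identifier is not considered sensitive.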
6 changes: 6 additions & 0 deletions command/format.go
Expand Up @@ -331,6 +331,12 @@ func (t TableFormatter) OutputSealStatusStruct(ui cli.Ui, secret *api.Secret, da
out = append(out, fmt.Sprintf("Cluster ID | %s", status.ClusterID))
}

// Output if HCP link is configured
if status.HCPLinkStatus != "" {
out = append(out, fmt.Sprintf("HCP Link Status | %s", status.HCPLinkStatus))
out = append(out, fmt.Sprintf("HCP Link Resource ID | %s", status.HCPLinkResourceID))
}

// Output if HA is enabled
out = append(out, fmt.Sprintf("HA Enabled | %t", status.HAEnabled))

45 changes: 45 additions & 0 deletions command/operator_diagnose.go
Expand Up @@ -33,6 +33,7 @@ import (
srconsul "github.com/hashicorp/vault/serviceregistration/consul"
"github.com/hashicorp/vault/vault"
"github.com/hashicorp/vault/vault/diagnose"
"github.com/hashicorp/vault/vault/hcp_link"
"github.com/mitchellh/cli"
"github.com/posener/complete"
)
Expand Down Expand Up @@ -711,6 +712,50 @@ SEALFAIL:
}
return nil
})

// Checking HCP link to make sure Vault could connect to SCADA.
// If it could not connect to SCADA in 5 seconds, diagnose reports an issue
if !constants.IsEnterprise {
diagnose.Skipped(ctx, "HCP link check will not run on OSS Vault.")
} else {
if config.HCPLinkConf != nil {
diagnose.Test(ctx, "Check HCP Connection", func(ctx context.Context) error {
diagnose.Test(ctx, "Cloud config", func(ctx context.Context) error {
if config.HCPLinkConf.AuthURL != "" {
diagnose.Warn(ctx, "cloud config stanza contains auth_url. Note that auth_url is primarily used for dev/testing work")
}
return nil
})

hcpLink, err := hcp_link.NewHCPLink(config.HCPLinkConf, vaultCore, server.logger)
if err != nil || hcpLink == nil {
return fmt.Errorf("failed to start HCP link, %w", err)
}

// check if a SCADA session is established successfully
deadline := time.Now().Add(5 * time.Second)
linkSessionStatus := "disconnected"
for time.Now().Before(deadline) {
linkSessionStatus = hcpLink.GetScadaSessionStatus()
if linkSessionStatus == "connected" {
break
}
time.Sleep(500 * time.Millisecond)
}
if linkSessionStatus != "connected" {
return fmt.Errorf("failed to connect to HCP in 5 seconds. HCP session status is: %s", linkSessionStatus)
}

err = hcpLink.Shutdown()
if err != nil {
return fmt.Errorf("failed to shutdown HCP link: %w", err)
}

return nil
})
}
}

return nil
}

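Review bot: The combined check `if err != nil || hcpLink == nil` after `hcp_link.NewHCPLink` wraps `err` with `%w` even in the `hcpLink == nil, err == nil` case, which yields a garbled "%!w(<nil>)" message instead of saying what went wrong; the two conditions need separate returns. More importantly, the timeout path `if linkSessionStatus != "connected"` returns without calling `hcpLink.Shutdown()`, so a link that failed to reach "connected" is left running for the rest of the diagnose run — only the success path shuts it down. The polling loop also sleeps with `time.Sleep` and never consults `ctx`, so a cancelled diagnose still waits out the full 5 seconds; a `select` on `ctx.Done()` and a timer in place of the sleep would fix that. The enclosing diagnose function starts outside this hunk.
```go
hcpLink, err := hcp_link.NewHCPLink(config.HCPLinkConf, vaultCore, server.logger)
if err != nil {
	return fmt.Errorf("failed to start HCP link, %w", err)
}
if hcpLink == nil {
	return fmt.Errorf("failed to start HCP link: no link was created for the configured cloud stanza")
}

// … unchanged: poll hcpLink.GetScadaSessionStatus() until the 5 s deadline …

if linkSessionStatus != "connected" {
	// Stop the link we started so a failed check does not leave it running.
	if shutdownErr := hcpLink.Shutdown(); shutdownErr != nil {
		return fmt.Errorf("failed to connect to HCP in 5 seconds (session status: %s); shutdown also failed: %w", linkSessionStatus, shutdownErr)
	}
	return fmt.Errorf("failed to connect to HCP in 5 seconds. HCP session status is: %s", linkSessionStatus)
}
```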
46 changes: 46 additions & 0 deletions command/server.go
Expand Up @@ -49,6 +49,7 @@ import (
"github.com/hashicorp/vault/sdk/version"
sr "github.com/hashicorp/vault/serviceregistration"
"github.com/hashicorp/vault/vault"
"github.com/hashicorp/vault/vault/hcp_link"
vaultseal "github.com/hashicorp/vault/vault/seal"
"github.com/mitchellh/cli"
"github.com/mitchellh/go-testing-interface"
Expand Down Expand Up @@ -1577,6 +1578,14 @@ func (c *ServerCommand) Run(args []string) int {
return 1
}

hcpLogger := c.logger.Named("hcpLink")
hcpLink, err := hcp_link.NewHCPLink(config.HCPLinkConf, core, hcpLogger)
if err != nil {
c.logger.Error("failed to start HCP Link", "error", err)
} else if hcpLink != nil {
c.logger.Trace("started HCP link")
}

if c.flagTestServerConfig {
return 0
}
Expand Down Expand Up @@ -1688,6 +1697,12 @@ func (c *ServerCommand) Run(args []string) int {
// Setting log request with the new value in the config after reload
core.ReloadLogRequestsLevel()

// reloading HCP link
hcpLink, err = c.reloadHCPLink(hcpLink, config, core, hcpLogger)
if err != nil {
c.logger.Error(err.Error())
}

if config.LogLevel != "" {
configLogLevel := strings.ToLower(strings.TrimSpace(config.LogLevel))
switch configLogLevel {
Expand Down Expand Up @@ -1741,6 +1756,12 @@ func (c *ServerCommand) Run(args []string) int {
// Stop the listeners so that we don't process further client requests.
c.cleanupGuard.Do(listenerCloseFunc)

if hcpLink != nil {
if err := hcpLink.Shutdown(); err != nil {
c.UI.Error(fmt.Sprintf("Error with HCP Link shutdown: %v", err.Error()))
}
}

// Finalize will wait until after Vault is sealed, which means the
// request forwarding listeners will also be closed (and also
// waited for).
Expand All @@ -1753,6 +1774,31 @@ func (c *ServerCommand) Run(args []string) int {
return retCode
}

func (c *ServerCommand) reloadHCPLink(hcpLinkVault *hcp_link.WrappedHCPLinkVault, conf *server.Config, core *vault.Core, hcpLogger hclog.Logger) (*hcp_link.WrappedHCPLinkVault, error) {
// trigger a shutdown
if hcpLinkVault != nil {
err := hcpLinkVault.Shutdown()
if err != nil {
return nil, err
}
}

if conf.HCPLinkConf == nil {
// if cloud stanza is not configured, we should not show anything
// in the seal-status related to HCP link
core.SetHCPLinkStatus("", "")
return nil, nil
}

// starting HCP link
hcpLink, err := hcp_link.NewHCPLink(conf.HCPLinkConf, core, hcpLogger)
if err != nil {
return nil, fmt.Errorf("failed to restart HCP Link and it is no longer running, %w", err)
}

return hcpLink, nil
}

func (c *ServerCommand) notifySystemd(status string) {
sent, err := systemd.SdNotify(false, status)
if err != nil {
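Review bot: reloadHCPLink returns `nil, err` when `hcpLinkVault.Shutdown()` fails, so at the reload site `hcpLink, err = c.reloadHCPLink(...)` the caller overwrites its only handle with nil while the old link may well still be running, and the exit path's `if hcpLink != nil { hcpLink.Shutdown() }` then silently skips it. Returning the existing handle on that path keeps it reachable: `return hcpLinkVault, fmt.Errorf("shutting down HCP link before reload: %w", err)`. The caller logs the failure as `c.logger.Error(err.Error())`, unlike the startup path which uses structured fields; `c.logger.Error("failed to reload HCP link", "error", err)` would be consistent. The method also has no doc comment; suggest one stating that it stops any running link, clears the seal-status HCP fields via `core.SetHCPLinkStatus("", "")` when no cloud stanza is configured, and otherwise starts a fresh link with the reloaded config. The Run function that the startup, reload and exit hunks sit in starts and ends outside those hunks.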
18 changes: 17 additions & 1 deletion go.mod
Expand Up @@ -30,7 +30,7 @@ require (
github.com/apple/foundationdb/bindings/go v0.0.0-20190411004307-cd5c9d91fad2
github.com/armon/go-metrics v0.4.0
github.com/armon/go-radix v1.0.0
github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a
github.com/asaskevich/govalidator v0.0.0-20200907205600-7a23bdc65eef
github.com/aws/aws-sdk-go v1.43.8
github.com/axiomhq/hyperloglog v0.0.0-20220105174342-98591331716a
github.com/cenkalti/backoff/v3 v3.2.2
Expand Down Expand Up @@ -98,6 +98,7 @@ require (
github.com/hashicorp/go-version v1.6.0
github.com/hashicorp/golang-lru v0.5.4
github.com/hashicorp/hcl v1.0.1-vault-3
github.com/hashicorp/hcp-sdk-go v0.21.0
github.com/hashicorp/nomad/api v0.0.0-20220707195938-75f4c2237b28
github.com/hashicorp/raft v1.3.10
github.com/hashicorp/raft-autopilot v0.1.6
Expand Down Expand Up @@ -231,6 +232,8 @@ require (
github.com/Microsoft/go-winio v0.5.1 // indirect
github.com/Microsoft/hcsshim v0.9.0 // indirect
github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5 // indirect
github.com/PuerkitoBio/purell v1.1.1 // indirect
github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
github.com/andybalholm/brotli v1.0.4 // indirect
github.com/apache/arrow/go/arrow v0.0.0-20210818145353-234c94e4ce64 // indirect
github.com/aws/aws-sdk-go-v2 v1.8.0 // indirect
Expand Down Expand Up @@ -278,6 +281,17 @@ require (
github.com/go-ldap/ldif v0.0.0-20200320164324-fd88d9b715b3 // indirect
github.com/go-logr/logr v1.2.0 // indirect
github.com/go-ole/go-ole v1.2.6 // indirect
github.com/go-openapi/analysis v0.20.0 // indirect
github.com/go-openapi/errors v0.19.9 // indirect
github.com/go-openapi/jsonpointer v0.19.5 // indirect
github.com/go-openapi/jsonreference v0.19.5 // indirect
github.com/go-openapi/loads v0.20.2 // indirect
github.com/go-openapi/runtime v0.19.24 // indirect
github.com/go-openapi/spec v0.20.3 // indirect
github.com/go-openapi/strfmt v0.20.0 // indirect
github.com/go-openapi/swag v0.19.14 // indirect
github.com/go-openapi/validate v0.20.2 // indirect
github.com/go-ozzo/ozzo-validation v3.6.0+incompatible // indirect
github.com/go-stack/stack v1.8.0 // indirect
github.com/gogo/protobuf v1.3.2 // indirect
github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe // indirect
Expand Down Expand Up @@ -325,13 +339,15 @@ require (
github.com/jcmturner/rpc/v2 v2.0.3 // indirect
github.com/jeffchao/backoff v0.0.0-20140404060208-9d7fd7aa17f2 // indirect
github.com/jmespath/go-jmespath v0.4.0 // indirect
github.com/josharian/intern v1.0.0 // indirect
github.com/json-iterator/go v1.1.12 // indirect
github.com/kelseyhightower/envconfig v1.4.0 // indirect
github.com/klauspost/compress v1.13.6 // indirect
github.com/klauspost/pgzip v1.2.5 // indirect
github.com/lib/pq v1.10.6 // indirect
github.com/linode/linodego v0.7.1 // indirect
github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect
github.com/mailru/easyjson v0.7.6 // indirect
github.com/mattn/go-ieproxy v0.0.1 // indirect
github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect
github.com/miekg/dns v1.1.41 // indirect