jetbrains-infra · rvadim · Jul 13, 2022 · Jul 25, 2022 · Jul 25, 2022
diff --git a/.gitignore b/.gitignore
@@ -11,3 +11,6 @@
 # Output of the go coverage tool, specifically when used with LiteIDE
 *.out
 vendor
+
+# IDE files
+.idea
diff --git a/Makefile b/Makefile
@@ -1,6 +1,7 @@
 VAULT_ADDR=http://127.0.0.1:8200
 export VAULT_ADDR
 SHA256SUM=$(shell sha256sum vault/plugin/vault-plugin-secrets-kubernetes | awk {'print $$1'})
+SECRETNAME=$(shell kubectl -n vault get sa vault -o jsonpath='{ .secrets[0].name }')
 PLUGIN_NAME=vault-plugin-secrets-kubernetes
 
 build:
@@ -21,9 +22,18 @@ list-plugins:
 	vault read sys/plugins/catalog
 
 configure-plugin:
-	vault write k8s/config token=${TOKEN} api-url=${MASTER_URL} CA=${MASTER_CA}
+	vault write k8s/config token=$(shell kubectl -n vault get secret ${SECRETNAME} -o jsonpath='{ .data.token }' | base64 -d) \
+		api-url=https://$(shell minikube ip):8443 \
+		CA=$(shell kubectl -n vault get secret ${SECRETNAME} -o jsonpath='{ .data.ca\.crt }')
 	vault read k8s/config
 
+minikube:
+	minikube start --kubernetes-version=v1.22.11
+
+configure-minikube:
+	kubectl config use minikube
+	kubectl apply -f manifests/
+
 create-sa:
 	vault write k8s/sa/it-deployer namespace=it service-account-name=deployer
 
@@ -39,6 +49,9 @@ test:
 
 init-plugin: login add-plugin enable-plugin list-plugins
 
+delete-mount:
+	vault delete sys/mounts/k8s
+
 crosscompile:
 	CGO_ENABLED=0 GOARCH=amd64 GOOS=linux go build -a -ldflags="-s -w" -installsuffix cgo -o vault/plugin/${PLUGIN_NAME}-linux-amd64 .
 	CGO_ENABLED=0 GOARCH=arm64 GOOS=linux go build -a -ldflags="-s -w" -installsuffix cgo -o vault/plugin/${PLUGIN_NAME}-linux-arm64 .

diff --git a/backend/backend.go b/backend/backend.go
@@ -7,13 +7,12 @@ import (
 
 	"github.com/hashicorp/vault/sdk/framework"
 	"github.com/hashicorp/vault/sdk/logical"
-
 )
 
 type kubeBackend struct {
 	*framework.Backend
 	testMode bool
-	saMutex sync.RWMutex
+	saMutex  sync.RWMutex
 }
 
 // New creates and returns new instance of Kubernetes secrets manager backend

diff --git a/backend/client.go b/backend/client.go
@@ -2,8 +2,7 @@ package backend
 
 import (
 	"encoding/base64"
-
-	"github.com/hashicorp/errwrap"
+	"fmt"
 
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/rest"
@@ -12,7 +11,7 @@ import (
 func getClientSet(c *config) (*kubernetes.Clientset, error) {
 	data, err := base64.StdEncoding.DecodeString(c.CA)
 	if err != nil {
-		return nil, errwrap.Wrapf("Unable to create kubernetes client, unable to decode CA '{{err}}'", err)
+		return nil, fmt.Errorf("unable to create kubernetes client, unable to decode CA: %s", err)
 	}
 
 	clientConf := &rest.Config{
@@ -24,7 +23,7 @@ func getClientSet(c *config) (*kubernetes.Clientset, error) {
 	}
 	clientset, err := kubernetes.NewForConfig(clientConf)
 	if err != nil {
-		return nil, errwrap.Wrapf("Unable to create kubernetes client '{{err}}'", err)
+		return nil, fmt.Errorf("unable to create kubernetes client: %s", err)
 	}
 	return clientset, nil
 }
diff --git a/backend/path_config.go b/backend/path_config.go
@@ -124,7 +124,6 @@ func (b *kubeBackend) pathConfigDelete(ctx context.Context, req *logical.Request
 	if err := req.Storage.Delete(ctx, ConfigStorageKey); err != nil {
 		return nil, err
 	}
-
 	return nil, nil
 }
 

diff --git a/backend/path_serviceaccounts.go b/backend/path_serviceaccounts.go
@@ -4,7 +4,6 @@ import (
 	"context"
 	"fmt"
 
-	"github.com/hashicorp/errwrap"
 	"github.com/hashicorp/vault/sdk/framework"
 	"github.com/hashicorp/vault/sdk/logical"
 )
@@ -174,7 +173,7 @@ func (b *kubeBackend) pathServiceAccountDelete(ctx context.Context, req *logical
 	name := nameRaw.(string)
 	sa, err := getServiceAccount(ctx, name, req.Storage)
 	if err != nil {
-		return nil, errwrap.Wrapf(fmt.Sprintf("unable to get sa '%s': {{err}}", name), err)
+		return nil, fmt.Errorf("unable to get sa '%s': %s", name, err)
 	}
 	if sa == nil {
 		return nil, nil

diff --git a/backend/secret_tokens.go b/backend/secret_tokens.go
@@ -7,13 +7,12 @@ import (
 	"math/rand"
 	"time"
 
-	"github.com/hashicorp/errwrap"
-
 	"github.com/mitchellh/mapstructure"
 
 	"github.com/hashicorp/vault/sdk/framework"
 	"github.com/hashicorp/vault/sdk/logical"
 	"k8s.io/api/core/v1"
+	errorsK8S "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -54,7 +53,6 @@ type walSecret struct {
 
 func (b *kubeBackend) createSecret(ctx context.Context, s logical.Storage, c *config, sa *ServiceAccount) (*logical.Response, error) {
 	name := fmt.Sprintf("%s-%s-%s", secretPrefix, sa.ServiceAccountName, generatePostfix(8))
-
 	secret := &v1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: name,
@@ -87,13 +85,14 @@ func (b *kubeBackend) createSecret(ctx context.Context, s logical.Storage, c *co
 		}
 		_, err = clientSet.CoreV1().Secrets(sa.Namespace).Create(ctx, secret, metav1.CreateOptions{})
 		if err != nil {
-			return nil, errwrap.Wrapf("Unable to create secret, {{err}}", err)
+			return nil, fmt.Errorf("Unable to create secret, %s", err)
 		}
 		// Do 5 tries to get secret, due to it may not generated after first try
 		for range []int{0, 1, 2, 3, 4} {
 			secretResp, err := clientSet.CoreV1().Secrets(sa.Namespace).Get(ctx, secret.Name, metav1.GetOptions{})
-			if err != nil {
-				return nil, errwrap.Wrapf("Unable to get secret, {{err}}", err)
+			if errorsK8S.IsNotFound(err) {
+				time.Sleep(time.Second)
+				continue
 			}
 			if len(secretResp.Data) == 0 {
 				time.Sleep(time.Second)
@@ -118,7 +117,7 @@ func (b *kubeBackend) createSecret(ctx context.Context, s logical.Storage, c *co
 	// the secret because it'll get rolled back anyways, so we have to return
 	// an error here.
 	if err := framework.DeleteWAL(ctx, s, walID); err != nil {
-		return nil, errwrap.Wrapf("failed to commit WAL entry: {{err}}", err)
+		return nil, fmt.Errorf("failed to commit WAL entry: %s", err)
 	}
 
 	return b.Secret(secretTypeAccessToken).Response(map[string]interface{}{

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -1,14 +1,22 @@
 version: '3'
 services:
   vault:
-    image: vault:1.3.10
+    image: vault:1.9.2
     environment:
       VAULT_LOCAL_CONFIG: '{"backend": {"file": {"path": "/vault/file"}}, "default_lease_ttl": "168h", "max_lease_ttl": "720h", "plugin_directory":"/plugin"}'
       VAULT_DEV_ROOT_TOKEN_ID: 123qwe
+      VAULT_PLUGIN_LOG_PATH: /tmp/vault-k8s.log
     cap_add:
       - IPC_LOCK
-    ports:
-      - "8200:8200"
-      - "8201:8201"
+    network_mode: host
+#    networks:
+#      - minikube
+#    ports:
+#       - "8200:8200"
+#       - "8201:8201"
     volumes:
       - "./vault/plugin:/plugin"
+#networks:
+#  minikube:
+#    driver: bridge
+#    external: true
diff --git a/main.go b/main.go
@@ -4,19 +4,39 @@ import (
 	"github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/vault/sdk/plugin"
 	"github.com/jetbrains-infra/vault-plugin-secrets-kubernetes/backend"
-
 	"log"
+
 	"os"
 
 	"github.com/hashicorp/vault/api"
 )
 
 func main() {
+	loggerOpts := &hclog.LoggerOptions{
+		Name:  "vault-kubernetes",
+		Level: hclog.Info,
+	}
+
+	if pluginLogPath := os.Getenv("VAULT_PLUGIN_LOG_PATH"); pluginLogPath != "" {
+		fp, err := os.OpenFile(pluginLogPath, os.O_WRONLY|os.O_CREATE, 0640)
+		if err == nil {
+			loggerOpts.Output = fp
+			loggerOpts.Level = hclog.Trace
+		} else {
+			log.Fatalf("Failed to open plugin log file %s", pluginLogPath)
+		}
+	}
+	logger := hclog.New(loggerOpts)
+	logger.Info("Plugin started")
+	defer func() {
+		logger.Info("Plugin stopped")
+	}()
 	apiClientMeta := &api.PluginAPIClientMeta{}
 	flags := apiClientMeta.FlagSet()
 	err := flags.Parse(os.Args[1:])
 	if err != nil {
-		log.Fatalf("Unable to parse arguments %+v, %s", os.Args[1:], err)
+		logger.Error("Unable to parse arguments %+v, %s", os.Args[1:], err)
+		os.Exit(1)
 	}
 
 	tlsConfig := apiClientMeta.GetTLSConfig()
@@ -25,10 +45,9 @@ func main() {
 	err = plugin.Serve(&plugin.ServeOpts{
 		BackendFactoryFunc: backend.Factory,
 		TLSProviderFunc:    tlsProviderFunc,
+		Logger:             logger,
 	})
 	if err != nil {
-		logger := hclog.New(&hclog.LoggerOptions{})
-
 		logger.Error("plugin shutting down", "error", err)
 		os.Exit(1)
 	}

diff --git a/manifests/namespaces.yaml b/manifests/namespaces.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: vault
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: it
+
diff --git a/manifests/rbac.yaml b/manifests/rbac.yaml
@@ -0,0 +1,29 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: vault
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - create
+  - delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations:
+  name: vault
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: vault
+subjects:
+- kind: ServiceAccount
+  name: vault
+  namespace: vault
+
diff --git a/manifests/sa.yaml b/manifests/sa.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault
+  namespace: vault
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: deployer
+  namespace: it