package vault
import (
"log"
"strings"
"time"
)
// tenSecond is the safety margin subtracted from a lease duration before a
// secret is re-fetched, so that the renewal lands before the lease expires.
const tenSecond = 10 * time.Second
// SecretsSubscriber implementors are dependent on secrets (connection strings,
// service account credentials and similar), and want the dynamic aspects —
// initial delivery and renewal — to be handled automatically.
type SecretsSubscriber interface {
	// GetSubscriptionSpec returns the secret paths the subscriber needs and the
	// channel on which renewed versions are to be delivered.
	GetSubscriptionSpec() SecretSubscriptionSpec
	// ReceiveAtStartup is called once per subscribed path with the initial
	// value of that secret, before StartSecretsListener is called.
	ReceiveAtStartup(UpdatedSecret)
	// Here we assume that the subscriber starts its own
	// go routine for receiving updated secrets on the channel
	StartSecretsListener()
}
// SecretSubscriptionSpec is a specification of the paths to the secrets that a
// subscriber is interested in, and the channel on which renewed versions of
// those secrets are delivered.
type SecretSubscriptionSpec struct {
	// Paths are the secret paths to fetch at startup and keep renewed.
	Paths []string
	// CallbackChan receives an UpdatedSecret each time one of Paths is
	// re-fetched; the subscriber owns the receiving side.
	CallbackChan chan<- UpdatedSecret
}
// UpdatedSecret is a new version of a secret, delivered to a subscriber at
// startup and again on every renewal.
type UpdatedSecret struct {
	// Path is the subscribed secret path.
	Path string
	// Secrets holds the fetched secrets keyed by path. Besides the subscribed
	// path it may contain a second entry for the path named by the secret's
	// "secret-path" data field (see getSecret).
	Secrets map[string]Secret
}
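// GetAllData combines the data of all secrets in us into a single flat map.
//
// Only string values are copied. A value of any other type (a number, a nested
// object) is skipped instead of being asserted to string, so a malformed or
// unexpectedly shaped secret no longer panics the caller. When two secrets
// share a key, which value wins is unspecified, because Secrets is iterated in
// map order.
func (us UpdatedSecret) GetAllData() map[string]string {
	res := map[string]string{}
	for _, s := range us.Secrets {
		for k, v := range s.GetData() {
			str, ok := v.(string)
			if !ok {
				// The key alone is enough to diagnose a malformed secret; the
				// value is never logged because it may be sensitive.
				log.Printf("Skipping non-string value for key %q in secret %s", k, us.Path)
				continue
			}
			res[k] = str
		}
	}
	return res
}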
// RegisterDynamicSecretDependency fetches every secret in dep's subscription
// spec from v, hands the initial values to dep via ReceiveAtStartup, starts
// dep's listener and then, for each renewable secret, starts a goroutine that
// keeps re-fetching it and pushing new versions on the spec's CallbackChan.
//
// A secret that cannot be fetched at startup is fatal: the process exits
// rather than starting without its credentials. dc, when non-nil, receives a
// value each time one of the renewal goroutines stops.
func RegisterDynamicSecretDependency(dep SecretsSubscriber, v SecretsManager, dc chan<- bool) {
	spec := dep.GetSubscriptionSpec()
	var renewing []singleSecretMaintainer
	for _, p := range spec.Paths {
		sm := singleSecretMaintainer{
			path:         p,
			callbackChan: spec.CallbackChan,
			v:            v,
			doneChan:     dc,
		}
		initial, renewable, ttl, err := sm.getSecret()
		if err != nil {
			log.Fatal(err)
		}
		sm.setInitialTTL(ttl)
		dep.ReceiveAtStartup(initial)
		if !renewable {
			continue
		}
		renewing = append(renewing, sm)
	}
	dep.StartSecretsListener()
	for _, sm := range renewing {
		// The value receiver is evaluated by the go statement, so every
		// goroutine gets its own copy of sm.
		go sm.start()
	}
}
// singleSecretMaintainer keeps one secret path fresh: it re-fetches the secret
// shortly before its lease expires and pushes each new version to the
// subscriber's callback channel.
type singleSecretMaintainer struct {
	path         string
	callbackChan chan<- UpdatedSecret
	v            SecretsManager
	doneChan     chan<- bool   // optional; signalled once when the renewal loop stops
	initialTTL   time.Duration // lease observed at startup; the first wait is based on it
}
// setInitialTTL records the lease duration observed when the secret was first
// fetched; start uses it to time the first renewal.
func (m *singleSecretMaintainer) setInitialTTL(ttl time.Duration) {
	m.initialTTL = ttl
}
// start runs the renewal loop for m's path, blocking until the secret stops
// being renewable or reports a non-positive lease; it then signals doneChan
// (if set) and returns. It is meant to run on its own goroutine.
//
// Each round sleeps until shortly before the current lease expires (see
// getWaitDuration), re-fetches the secret and delivers it to the subscriber.
// There is no cancellation hook: a running loop ends only when the secret
// becomes non-renewable or its lease drops to zero.
func (m singleSecretMaintainer) start() {
	lease := m.initialTTL
	for {
		time.Sleep(getWaitDuration(lease))
		next, renewable := m.doIteration()
		if renewable && next > 0 {
			lease = next
			continue
		}
		// Exit loop, mostly for testing purposes
		if m.doneChan != nil {
			m.doneChan <- true
		}
		return
	}
}
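// doIteration re-fetches the secret once and delivers the new version to the
// subscriber. It returns the lease duration to wait before the next round and
// whether the secret is still renewable.
//
// When the fetch fails nothing is sent: pushing the empty UpdatedSecret that
// getSecret returns on error would deliver an empty credential set to the
// subscriber. getSecret has already logged the error; the zero duration and
// false flag it returns make start end the loop, as before.
func (m singleSecretMaintainer) doIteration() (time.Duration, bool) {
	us, renewable, ttl, err := m.getSecret()
	if err != nil {
		return ttl, renewable
	}
	m.callbackChan <- us
	return ttl, renewable
}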
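// getSecret fetches m.path from the secrets manager and, if the secret's data
// carries a "secret-path" field, also the secret that field points at (after
// normalising it to a KV v2 data path with prepareSecretPath).
//
// It returns the combined UpdatedSecret, whether any fetched secret is
// renewable, and the shortest lease among the renewable ones (one year when
// none is renewable). Failure to fetch m.path is returned as an error with a
// zero duration and renewable=false. Failure to fetch the inner secret is
// best-effort: it is logged and the outer secret is still delivered.
func (m singleSecretMaintainer) getSecret() (UpdatedSecret, bool, time.Duration, error) {
	secret, err := m.v.GetSecret(m.path)
	if err != nil {
		log.Printf("Error while getting secret %s :: %v", m.path, err)
		return UpdatedSecret{}, false, 0, err
	}

	// NOTE(review): lease durations are scaled as milliseconds here; Vault's
	// API reports lease_duration in seconds, so confirm the unit that
	// SecretsManager.GetLeaseDuration actually returns.
	ttl := time.Hour * 8760 // 1 year
	renewable := false
	if secret.IsRenewable() {
		renewable = true
		ttl = time.Duration(secret.GetLeaseDuration()) * time.Millisecond
	}

	secrets := map[string]Secret{m.path: secret}
	if raw, ok := secret.GetData()["secret-path"]; ok {
		// A non-string "secret-path" is a malformed secret, not a reason to
		// crash: log it and deliver the outer secret alone instead of panicking
		// on an unchecked type assertion.
		sp, isString := raw.(string)
		if !isString {
			log.Printf("Ignoring non-string secret-path in secret %s", m.path)
		} else if innerSecret, err := m.v.GetSecret(prepareSecretPath(sp)); err != nil {
			log.Printf("Error while getting inner secret %s referenced by %s :: %v", sp, m.path, err)
		} else if innerSecret != nil {
			secrets[sp] = innerSecret
			if innerSecret.IsRenewable() {
				renewable = true
				// Renew on the tighter of the two leases.
				if inner := time.Duration(innerSecret.GetLeaseDuration()) * time.Millisecond; inner < ttl {
					ttl = inner
				}
			}
		}
	}

	return UpdatedSecret{Path: m.path, Secrets: secrets}, renewable, ttl, nil
}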
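// prepareSecretPath rewrites a KV mount path of the form "<mount>/kv/<key>"
// into the KV v2 data path "<mount>/kv/data/<key>". Paths that already contain
// "/kv/data/", or that contain no "/kv/" segment at all, are returned unchanged.
//
// Only the first "/kv/" is rewritten. Splitting on every occurrence and keeping
// just the first two pieces silently truncated keys that themselves contain a
// further "/kv/".
func prepareSecretPath(p string) string {
	if strings.Contains(p, "/kv/data/") {
		return p
	}
	parts := strings.SplitN(p, "/kv/", 2)
	if len(parts) < 2 {
		return p
	}
	return parts[0] + "/kv/data/" + parts[1]
}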
// getWaitDuration returns how long to sleep before re-fetching a secret whose
// lease lasts d: ten seconds less than the lease, so the renewal lands before
// expiry. Leases of ten seconds or less are waited out in full, which means a
// very short lease may already have expired by the time it is re-fetched.
func getWaitDuration(d time.Duration) time.Duration {
	if d > tenSecond {
		d -= tenSecond
	}
	return d
}