From e7f80cfeaf1812b7fc27efc31a3f92fe67577e27 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?D=C3=A1vid=20Miku=C5=A1=20=28Dasio=29?=
Date: Thu, 14 Sep 2023 16:41:41 +0200
Subject: [PATCH 1/3] feat(cache): configurable vault token duration - bumped from 30s to 2min
---
 controllers/vaultsecret_controller.go | 3 ++-
 pkg/vault/auth.go | 20 +++++++++++---------
 pkg/vault/config.go | 2 ++
 3 files changed, 15 insertions(+), 10 deletions(-)

diff --git a/controllers/vaultsecret_controller.go b/controllers/vaultsecret_controller.go
index 6e2ad62..359440d 100644
--- a/controllers/vaultsecret_controller.go
+++ b/controllers/vaultsecret_controller.go
@@ -225,7 +225,8 @@ func (r *VaultSecretReconciler) getAuthServiceAccount(vaultSecret k8skiwicomv1.V
 if err := vaultClient.SetAddress(vaultSecret.Spec.Addr); err != nil {
 return nil, fmt.Errorf("vault set address: %w", err)
 }
- saAccount = vault.NewAuthServiceAccount(vaultClient, r.K8ClientSet, saRef.Name, vaultSecret.Namespace, saRef.Role, saRef.AuthPath, false)
+ saAccount = vault.NewAuthServiceAccount(vaultClient, r.K8ClientSet, saRef.Name, vaultSecret.Namespace, saRef.Role,
+ saRef.AuthPath, false, r.VaultConfig.TokenCacheDuration)
 r.saCacheMx.Lock()
 defer r.saCacheMx.Unlock()
 r.authSACache[id] = saAccount
diff --git a/pkg/vault/auth.go b/pkg/vault/auth.go
index 0a9cd55..cca7ed6 100644
--- a/pkg/vault/auth.go
+++ b/pkg/vault/auth.go
@@ -33,6 +33,7 @@ type AuthServiceAccount struct {
 name string
 namespace string
 role string
+ cachedDuration time.Duration
 path string
 vaultClient *vaultApi.Client
 autoMount bool
@@ -43,15 +44,16 @@ type AuthServiceAccount struct { } func NewAuthServiceAccount(vaultClient *vaultApi.Client, k8ClientSet *kubernetes.Clientset, - name, namespace, role, path string, automount bool) *AuthServiceAccount { + name, namespace, role, path string, automount bool, cachedDuration time.Duration) *AuthServiceAccount { return &AuthServiceAccount{ - name: name, - namespace: namespace, - role: role, - path: path, - vaultClient: vaultClient, - autoMount: automount, - k8ClientSet: k8ClientSet, + name: name, + namespace: namespace, + role: role, + path: path, + vaultClient: vaultClient, + autoMount: automount, + k8ClientSet: k8ClientSet, + cachedDuration: cachedDuration, } } func (a *AuthServiceAccount) cachedToken() string { @@ -62,7 +64,7 @@ func (a *AuthServiceAccount) cachedToken() string { func (a *AuthServiceAccount) Token() (string, error) { vaultToken := a.cachedToken() - if vaultToken != "" && time.Now().Add(30*time.Second).Before(a.vaultTokenExpire) { + if vaultToken != "" && time.Now().Add(a.cachedDuration).Before(a.vaultTokenExpire) { return vaultToken, nil } diff --git a/pkg/vault/config.go b/pkg/vault/config.go index a35724d..074b686 100644 --- a/pkg/vault/config.go +++ b/pkg/vault/config.go @@ -25,6 +25,7 @@ type AppConfig struct { Role string `koanf:"role"` DefaultVaultAddr string `koanf:"vault_addr"` MaxConcurrentReconciles int `koanf:"max_concurrent_reconciles"` + TokenCacheDuration time.Duration `koanf:"token_cache_duration"` } func NewAppConfig() (AppConfig, error) { @@ -37,6 +38,7 @@ func NewAppConfig() (AppConfig, error) { "operator_role": "vault-operator", "vault_addr": "http://127.0.0.1:8200", "max_concurrent_reconciles": 5, + "token_cache_duration": time.Minute * 2, }, "."), nil) if err != nil { return cfg, fmt.Errorf("default setting load: %w", err) From 536f218404aa9d988f94bcaf1089f36dd0ddd89f Mon Sep 17 00:00:00 2001 
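Review bot: The new `cachedDuration` acts as a refresh-ahead margin in `Token()`, but nothing bounds it: once it is configured at or above the Vault token TTL, `time.Now().Add(a.cachedDuration).Before(a.vaultTokenExpire)` can never be true, so the cache is silently bypassed and every `Token()` call performs a fresh Kubernetes-auth login, multiplying login traffic and Vault audit events; a zero or negative value instead hands out a token right up to, or past, its expiry. Raising the default in config.go from 30s to `time.Minute * 2` makes this reachable for any role whose token TTL is two minutes or less. `NewAuthServiceAccount` in the same hunk is the natural place to clamp, e.g. `if cachedDuration < 0 { cachedDuration = 0 }`, and if the login path records the lease duration when it sets `vaultTokenExpire`, capping the margin to a fraction of that lease there would keep caching effective; the renamed `refreshTokenBefore` in patch 3 needs the same treatment. The parameter also deserves a doc comment on the constructor stating that it is the time before expiry at which a new login is triggered, not how long a token is cached. `Token()`'s body continues past the hunk, so the login path that sets `vaultTokenExpire` is not visible here.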
From: =?UTF-8?q?D=C3=A1vid=20Miku=C5=A1=20=28Dasio=29?=
Date: Thu, 14 Sep 2023 16:50:05 +0200
Subject: [PATCH 2/3] fix(): bump docker image in tests
---
 .github/workflows/main.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index ec48926..e4f304e 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -34,11 +34,11 @@ jobs:
 
 strategy:
 matrix:
- vaultVer: [ "latest", "1.12.6" ]
+ vaultVer: [ "latest", "1.14", "1.13", "1.12" ]
 
 services:
 vault:
- image: vault:${{ matrix.vaultVer }}
+ image: docker.io/hashicorp/vault:${{ matrix.vaultVer }}
 ports:
 - 8200:8200
 options: >-
From 771f1a7071bf8ff45b58942836c3a79c781bcdc1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?D=C3=A1vid=20Miku=C5=A1=20=28Dasio=29?=
Date: Fri, 15 Sep 2023 10:17:39 +0200
Subject: [PATCH 3/3] refactor(): rename config var
---
 controllers/vaultsecret_controller.go | 2 +-
 pkg/vault/auth.go | 42 +++++++++++++--------------
 pkg/vault/config.go | 4 +--
 3 files changed, 24 insertions(+), 24 deletions(-)

diff --git a/controllers/vaultsecret_controller.go b/controllers/vaultsecret_controller.go
index 359440d..3650140 100644
--- a/controllers/vaultsecret_controller.go
+++ b/controllers/vaultsecret_controller.go
@@ -226,7 +226,7 @@ func (r *VaultSecretReconciler) getAuthServiceAccount(vaultSecret k8skiwicomv1.V
 return nil, fmt.Errorf("vault set address: %w", err)
 }
 saAccount = vault.NewAuthServiceAccount(vaultClient, r.K8ClientSet, saRef.Name, vaultSecret.Namespace, saRef.Role,
- saRef.AuthPath, false, r.VaultConfig.TokenCacheDuration)
+ saRef.AuthPath, false, r.VaultConfig.RefreshTokenBefore)
 r.saCacheMx.Lock()
 defer r.saCacheMx.Unlock()
 r.authSACache[id] = saAccount
diff --git a/pkg/vault/auth.go b/pkg/vault/auth.go
index cca7ed6..4ffa738 100644
--- a/pkg/vault/auth.go
+++ b/pkg/vault/auth.go
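Review bot: The matrix replaces the one pinned build `"1.12.6"` with floating tags (`"latest"`, `"1.14"`, `"1.13"`, `"1.12"`), so no job in the matrix now runs against a fixed Vault build and an upstream tag move can break or silently change what CI validates. Keeping at least one fully pinned patch version in the list alongside the floating entries preserves a reproducible baseline, e.g. `vaultVer: [ "latest", "1.14", "1.13", "1.12", "1.12.6" ]`. Qualifying the image as `docker.io/hashicorp/vault` is a good change on its own, since the bare `vault` name left the registry and namespace implicit.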
@@ -30,30 +30,30 @@ func (a AuthToken) Token() (string, error) {
 }
 
 type AuthServiceAccount struct {
- name string
- namespace string
- role string
- cachedDuration time.Duration
- path string
- vaultClient *vaultApi.Client
- autoMount bool
- k8ClientSet *kubernetes.Clientset
- cacheMx sync.RWMutex
- cachedVaultToken string
- vaultTokenExpire time.Time
+ name string
+ namespace string
+ role string
+ refreshTokenBefore time.Duration
+ path string
+ vaultClient *vaultApi.Client
+ autoMount bool
+ k8ClientSet *kubernetes.Clientset
+ cacheMx sync.RWMutex
+ cachedVaultToken string
+ vaultTokenExpire time.Time
 }
 
 func NewAuthServiceAccount(vaultClient *vaultApi.Client, k8ClientSet *kubernetes.Clientset,
- name, namespace, role, path string, automount bool, cachedDuration time.Duration) *AuthServiceAccount {
+ name, namespace, role, path string, automount bool, refreshTokenBefore time.Duration) *AuthServiceAccount {
 return &AuthServiceAccount{
- name: name,
- namespace: namespace,
- role: role,
- path: path,
- vaultClient: vaultClient,
- autoMount: automount,
- k8ClientSet: k8ClientSet,
- cachedDuration: cachedDuration,
+ name: name,
+ namespace: namespace,
+ role: role,
+ path: path,
+ vaultClient: vaultClient,
+ autoMount: automount,
+ k8ClientSet: k8ClientSet,
+ refreshTokenBefore: refreshTokenBefore,
 }
 }
 func (a *AuthServiceAccount) cachedToken() string {
@@ -64,7 +64,7 @@ func (a *AuthServiceAccount) cachedToken() string {
 
 func (a *AuthServiceAccount) Token() (string, error) {
 vaultToken := a.cachedToken()
- if vaultToken != "" && time.Now().Add(a.cachedDuration).Before(a.vaultTokenExpire) {
+ if vaultToken != "" && time.Now().Add(a.refreshTokenBefore).Before(a.vaultTokenExpire) {
 return vaultToken, nil
 }
 
diff --git a/pkg/vault/config.go b/pkg/vault/config.go
index 074b686..6c7ef36 100644
--- a/pkg/vault/config.go
+++ b/pkg/vault/config.go
@@ -25,7 +25,7 @@ type AppConfig struct {
 Role string `koanf:"role"`
 DefaultVaultAddr string `koanf:"vault_addr"`
 MaxConcurrentReconciles int `koanf:"max_concurrent_reconciles"`
- TokenCacheDuration time.Duration `koanf:"token_cache_duration"`
+ RefreshTokenBefore time.Duration `koanf:"refresh_token_before"`
 }
 
 func NewAppConfig() (AppConfig, error) {
@@ -38,7 +38,7 @@ func NewAppConfig() (AppConfig, error) {
 "operator_role": "vault-operator",
 "vault_addr": "http://127.0.0.1:8200",
 "max_concurrent_reconciles": 5,
- "token_cache_duration": time.Minute * 2,
+ "refresh_token_before": time.Minute * 2,
 }, "."), nil)
 if err != nil {
 return cfg, fmt.Errorf("default setting load: %w", err)