Remove HCP Link from OpenBao

HCP Link is a service to link local Vault Enterprise instances to
HashiCorp's HCP cloud offering. This isn't useful for consumers of
OpenBao and we do not wish to have to maintain it. Thus, removal is
most prudent.

Signed-off-by: Alexander Scheel <alexander.m.scheel@gmail.com>

Makefile

@@ -230,7 +230,6 @@ proto: bootstrap
 	protoc --go_out=. --go_opt=paths=source_relative --go-grpc_out=. --go-grpc_opt=paths=source_relative sdk/plugin/pb/*.proto
 	protoc --go_out=. --go_opt=paths=source_relative --go-grpc_out=. --go-grpc_opt=paths=source_relative vault/tokens/token.proto
 	protoc --go_out=. --go_opt=paths=source_relative --go-grpc_out=. --go-grpc_opt=paths=source_relative sdk/helper/pluginutil/*.proto
-	protoc --go_out=. --go_opt=paths=source_relative --go-grpc_out=. --go-grpc_opt=paths=source_relative vault/hcp_link/proto/*/*.proto
 
 	# No additional sed expressions should be added to this list. Going forward
 	# we should just use the variable names choosen by protobuf. These are left

api/sys_seal.go

@@ -96,23 +96,21 @@ func sealStatusRequestWithContext(ctx context.Context, c *Sys, r *Request) (*Sea
 }
 
 type SealStatusResponse struct {
-	Type              string   `json:"type"`
-	Initialized       bool     `json:"initialized"`
-	Sealed            bool     `json:"sealed"`
-	T                 int      `json:"t"`
-	N                 int      `json:"n"`
-	Progress          int      `json:"progress"`
-	Nonce             string   `json:"nonce"`
-	Version           string   `json:"version"`
-	BuildDate         string   `json:"build_date"`
-	Migration         bool     `json:"migration"`
-	ClusterName       string   `json:"cluster_name,omitempty"`
-	ClusterID         string   `json:"cluster_id,omitempty"`
-	RecoverySeal      bool     `json:"recovery_seal"`
-	StorageType       string   `json:"storage_type,omitempty"`
-	HCPLinkStatus     string   `json:"hcp_link_status,omitempty"`
-	HCPLinkResourceID string   `json:"hcp_link_resource_ID,omitempty"`
-	Warnings          []string `json:"warnings,omitempty"`
+	Type         string   `json:"type"`
+	Initialized  bool     `json:"initialized"`
+	Sealed       bool     `json:"sealed"`
+	T            int      `json:"t"`
+	N            int      `json:"n"`
+	Progress     int      `json:"progress"`
+	Nonce        string   `json:"nonce"`
+	Version      string   `json:"version"`
+	BuildDate    string   `json:"build_date"`
+	Migration    bool     `json:"migration"`
+	ClusterName  string   `json:"cluster_name,omitempty"`
+	ClusterID    string   `json:"cluster_id,omitempty"`
+	RecoverySeal bool     `json:"recovery_seal"`
+	StorageType  string   `json:"storage_type,omitempty"`
+	Warnings     []string `json:"warnings,omitempty"`
 }
 
 type UnsealOpts struct {

command/format.go

@@ -356,12 +356,6 @@ func (t TableFormatter) OutputSealStatusStruct(ui cli.Ui, secret *api.Secret, da
 		out = append(out, fmt.Sprintf("Cluster ID | %s", status.ClusterID))
 	}
 
-	// Output if HCP link is configured
-	if status.HCPLinkStatus != "" {
-		out = append(out, fmt.Sprintf("HCP Link Status | %s", status.HCPLinkStatus))
-		out = append(out, fmt.Sprintf("HCP Link Resource ID | %s", status.HCPLinkResourceID))
-	}
-
 	// Output if HA is enabled
 	out = append(out, fmt.Sprintf("HA Enabled | %t", status.HAEnabled))
 

command/operator_diagnose.go

@@ -35,7 +35,6 @@ import (
 	srconsul "github.com/openbao/openbao/serviceregistration/consul"
 	"github.com/openbao/openbao/vault"
 	"github.com/openbao/openbao/vault/diagnose"
-	"github.com/openbao/openbao/vault/hcp_link"
 	"github.com/openbao/openbao/version"
 	"github.com/posener/complete"
 )
@@ -712,48 +711,6 @@ SEALFAIL:
 		return nil
 	})
 
-	// Checking HCP link to make sure Vault could connect to SCADA.
-	// If it could not connect to SCADA in 5 seconds, diagnose reports an issue
-	if !constants.IsEnterprise {
-		diagnose.Skipped(ctx, "HCP link check will not run on OSS Vault.")
-	} else {
-		if config.HCPLinkConf != nil {
-			// we need to override API and Passthrough capabilities
-			// as they could not be initialized when Vault http handler
-			// is not fully initialized
-			config.HCPLinkConf.EnablePassThroughCapability = false
-			config.HCPLinkConf.EnableAPICapability = false
-
-			diagnose.Test(ctx, "Check HCP Connection", func(ctx context.Context) error {
-				hcpLink, err := hcp_link.NewHCPLink(config.HCPLinkConf, vaultCore, server.logger)
-				if err != nil || hcpLink == nil {
-					return fmt.Errorf("failed to start HCP link, %w", err)
-				}
-
-				// check if a SCADA session is established successfully
-				deadline := time.Now().Add(5 * time.Second)
-				linkSessionStatus := "disconnected"
-				for time.Now().Before(deadline) {
-					linkSessionStatus = hcpLink.GetConnectionStatusMessage(hcpLink.GetScadaSessionStatus())
-					if linkSessionStatus == "connected" {
-						break
-					}
-					time.Sleep(500 * time.Millisecond)
-				}
-				if linkSessionStatus != "connected" {
-					return fmt.Errorf("failed to connect to HCP in 5 seconds. HCP session status is: %s", linkSessionStatus)
-				}
-
-				err = hcpLink.Shutdown()
-				if err != nil {
-					return fmt.Errorf("failed to shutdown HCP link: %w", err)
-				}
-
-				return nil
-			})
-		}
-	}
-
 	return nil
 }
 

command/server.go

@@ -58,7 +58,6 @@ import (
 	"github.com/openbao/openbao/sdk/physical"
 	sr "github.com/openbao/openbao/serviceregistration"
 	"github.com/openbao/openbao/vault"
-	"github.com/openbao/openbao/vault/hcp_link"
 	vaultseal "github.com/openbao/openbao/vault/seal"
 	"github.com/openbao/openbao/version"
 	"github.com/pkg/errors"
@@ -1426,17 +1425,6 @@ func (c *ServerCommand) Run(args []string) int {
 		info["fips"] = fipsStatus
 	}
 
-	if config.HCPLinkConf != nil {
-		infoKeys = append(infoKeys, "HCP organization")
-		info["HCP organization"] = config.HCPLinkConf.Resource.Organization
-
-		infoKeys = append(infoKeys, "HCP project")
-		info["HCP project"] = config.HCPLinkConf.Resource.Project
-
-		infoKeys = append(infoKeys, "HCP resource ID")
-		info["HCP resource ID"] = config.HCPLinkConf.Resource.ID
-	}
-
 	infoKeys = append(infoKeys, "administrative namespace")
 	info["administrative namespace"] = config.AdministrativeNamespacePath
 
@@ -1510,14 +1498,6 @@ func (c *ServerCommand) Run(args []string) int {
 		return 1
 	}
 
-	hcpLogger := c.logger.Named("hcp-connectivity")
-	hcpLink, err := hcp_link.NewHCPLink(config.HCPLinkConf, core, hcpLogger)
-	if err != nil {
-		c.logger.Error("failed to establish HCP connection", "error", err)
-	} else if hcpLink != nil {
-		c.logger.Trace("established HCP connection")
-	}
-
 	if c.flagTestServerConfig {
 		return 0
 	}
@@ -1656,12 +1636,6 @@ func (c *ServerCommand) Run(args []string) int {
 			// Setting log request with the new value in the config after reload
 			core.ReloadLogRequestsLevel()
 
-			// reloading HCP link
-			hcpLink, err = c.reloadHCPLink(hcpLink, config, core, hcpLogger)
-			if err != nil {
-				c.logger.Error(err.Error())
-			}
-
 			// Reload log level for loggers
 			if config.LogLevel != "" {
 				level, err := loghelper.ParseLogLevel(config.LogLevel)
@@ -1783,12 +1757,6 @@ func (c *ServerCommand) Run(args []string) int {
 	// Stop the listeners so that we don't process further client requests.
 	c.cleanupGuard.Do(listenerCloseFunc)
 
-	if hcpLink != nil {
-		if err := hcpLink.Shutdown(); err != nil {
-			c.UI.Error(fmt.Sprintf("Error with HCP Link shutdown: %v", err.Error()))
-		}
-	}
-
 	// Finalize will wait until after Vault is sealed, which means the
 	// request forwarding listeners will also be closed (and also
 	// waited for).
@@ -1834,31 +1802,6 @@ func (c *ServerCommand) configureLogging(config *server.Config) (hclog.Intercept
 	return loghelper.Setup(logCfg, c.logWriter)
 }
 
-func (c *ServerCommand) reloadHCPLink(hcpLinkVault *hcp_link.HCPLinkVault, conf *server.Config, core *vault.Core, hcpLogger hclog.Logger) (*hcp_link.HCPLinkVault, error) {
-	// trigger a shutdown
-	if hcpLinkVault != nil {
-		err := hcpLinkVault.Shutdown()
-		if err != nil {
-			return nil, err
-		}
-	}
-
-	if conf.HCPLinkConf == nil {
-		// if cloud stanza is not configured, we should not show anything
-		// in the seal-status related to HCP link
-		core.SetHCPLinkStatus("", "")
-		return nil, nil
-	}
-
-	// starting HCP link
-	hcpLink, err := hcp_link.NewHCPLink(conf.HCPLinkConf, core, hcpLogger)
-	if err != nil {
-		return nil, fmt.Errorf("failed to restart HCP Link and it is no longer running, %w", err)
-	}
-
-	return hcpLink, nil
-}
-
 func (c *ServerCommand) notifySystemd(status string) {
 	sent, err := systemd.SdNotify(false, status)
 	if err != nil {

go.mod

@@ -22,8 +22,6 @@ replace github.com/openbao/openbao/api/auth/userpass => ./api/auth/userpass
 
 replace github.com/openbao/openbao/sdk => ./sdk
 
-replace github.com/openbao/openbao/vault/hcp_link/proto => ./vault/hcp_link/proto
-
 require (
 	cloud.google.com/go/monitoring v1.15.1
 	cloud.google.com/go/spanner v1.47.0
@@ -107,9 +105,6 @@ require (
 	github.com/hashicorp/golang-lru v0.5.4
 	github.com/hashicorp/hcl v1.0.1-vault-5
 	github.com/hashicorp/hcl/v2 v2.16.2
-	github.com/hashicorp/hcp-link v0.2.1
-	github.com/hashicorp/hcp-scada-provider v0.2.3
-	github.com/hashicorp/hcp-sdk-go v0.77.0
 	github.com/hashicorp/nomad/api v0.0.0-20230519153805-2275a83cbfdf
 	github.com/hashicorp/raft v1.3.10
 	github.com/hashicorp/raft-autopilot v0.2.0
@@ -180,7 +175,6 @@ require (
 	github.com/openbao/openbao/api/auth/approle v0.1.0
 	github.com/openbao/openbao/api/auth/userpass v0.1.0
 	github.com/openbao/openbao/sdk v0.9.2
-	github.com/openbao/openbao/vault/hcp_link/proto v0.0.0-00010101000000-000000000000
 	github.com/oracle/oci-go-sdk v24.3.0+incompatible
 	github.com/ory/dockertest v3.3.5+incompatible
 	github.com/ory/dockertest/v3 v3.10.0
@@ -344,17 +338,9 @@ require (
 	github.com/go-logr/logr v1.2.4 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-ole/go-ole v1.2.6 // indirect
-	github.com/go-openapi/analysis v0.21.4 // indirect
-	github.com/go-openapi/errors v0.20.4 // indirect
 	github.com/go-openapi/jsonpointer v0.20.0 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
-	github.com/go-openapi/loads v0.21.2 // indirect
-	github.com/go-openapi/runtime v0.26.0 // indirect
-	github.com/go-openapi/spec v0.20.9 // indirect
-	github.com/go-openapi/strfmt v0.21.7 // indirect
 	github.com/go-openapi/swag v0.22.4 // indirect
-	github.com/go-openapi/validate v0.22.2 // indirect
-	github.com/go-ozzo/ozzo-validation v3.6.0+incompatible // indirect
 	github.com/goccy/go-json v0.10.0 // indirect
 	github.com/godbus/dbus v0.0.0-20190726142602-4481cbc300e2 // indirect
 	github.com/gofrs/uuid v4.3.0+incompatible // indirect
@@ -381,14 +367,12 @@ require (
 	github.com/hashicorp/go-immutable-radix v1.3.1 // indirect
 	github.com/hashicorp/go-kms-wrapping/entropy/v2 v2.0.0 // indirect
 	github.com/hashicorp/go-kms-wrapping/v2 v2.0.8 // indirect
-	github.com/hashicorp/go-msgpack/v2 v2.0.0 // indirect
 	github.com/hashicorp/go-secure-stdlib/fileutil v0.1.0 // indirect
 	github.com/hashicorp/go-slug v0.11.1 // indirect
 	github.com/hashicorp/go-tfe v1.25.1 // indirect
 	github.com/hashicorp/jsonapi v0.0.0-20210826224640-ee7dae0fb22d // indirect
 	github.com/hashicorp/logutils v1.0.0 // indirect
 	github.com/hashicorp/mdns v1.0.4 // indirect
-	github.com/hashicorp/net-rpc-msgpackrpc/v2 v2.0.0 // indirect
 	github.com/hashicorp/serf v0.10.1 // indirect
 	github.com/hashicorp/vault/api v1.9.2 // indirect
 	github.com/hashicorp/vault/api/auth/kubernetes v0.4.1 // indirect
@@ -437,7 +421,6 @@ require (
 	github.com/miekg/dns v1.1.43 // indirect
 	github.com/minio/asm2plan9s v0.0.0-20200509001527-cdd76441f9d8 // indirect
 	github.com/minio/c2goasm v0.0.0-20190812172519-36a3d3bbc4f3 // indirect
-	github.com/mitchellh/colorstring v0.0.0-20190213212951-d06e56a500db // indirect
 	github.com/mitchellh/hashstructure v1.1.0 // indirect
 	github.com/mitchellh/pointerstructure v1.2.1 // indirect
 	github.com/moby/patternmatcher v0.5.0 // indirect
@@ -451,7 +434,6 @@ require (
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/nicolai86/scaleway-sdk v1.10.2-0.20180628010248-798f60e20bb2 // indirect
 	github.com/nwaples/rardecode v1.1.2 // indirect
-	github.com/oklog/ulid v1.3.1 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b // indirect
 	github.com/opencontainers/runc v1.1.6 // indirect
@@ -471,7 +453,6 @@ require (
 	github.com/rogpeppe/go-internal v1.11.0 // indirect
 	github.com/shopspring/decimal v1.3.1 // indirect
 	github.com/sirupsen/logrus v1.9.0 // indirect
-	github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect
 	github.com/snowflakedb/gosnowflake v1.6.24 // indirect
 	github.com/softlayer/softlayer-go v0.0.0-20180806151055-260589d94c7d // indirect
 	github.com/sony/gobreaker v0.5.0 // indirect