Add label support (#6)

* Updated go rancher

* Handle error and don't send

* enable label filter applied

* added debug flag

* adding k8s labels

* added k8s type and labels

* added debug logging

* added debug logging

agent/agent.go

@@ -42,12 +42,12 @@ func StartAgent(c *cli.Context) {
 
 	logrus.Info("Entering event listening Loop")
 	d := json.NewDecoder(eventsResp)
-	var msg events.Message
 	for {
-		d.Decode(&msg)
+		msg := &events.Message{}
+		d.Decode(msg)
 
 		// For now... will need to add some throttling at some point.
-		go handler.Handle(&msg)
+		go handler.Handle(msg)
 	}
 
 	os.Exit(0)

agent/handle.go

@@ -15,17 +15,17 @@ import (
 	"time"
 
 	"github.com/Sirupsen/logrus"
-	"github.com/docker/engine-api/client"
 	"github.com/docker/engine-api/types/events"
 	"github.com/rancher/go-rancher-metadata/metadata"
 	"github.com/rancher/secrets-bridge/writer"
 )
 
 type ContainerEventMessage struct {
-	Event  *events.Message
-	UUID   string `json:"UUID"`
-	Action string `json:"Action"`
-	Host   string `json:"Host"`
+	Event         *events.Message
+	UUID          string `json:"UUID"`
+	Action        string `json:"Action"`
+	Host          string `json:"Host"`
+	ContainerType string `json:"container_type"`
 }
 
 type VaultResponseThing struct {
@@ -83,6 +83,9 @@ func NewMessageHandler(opts map[string]interface{}) (MessageHandler, error) {
 
 func (j *JsonHandler) Handle(msg *events.Message) error {
 	message, err := j.buildRequestMessage(msg)
+	if err != nil {
+		return err
+	}
 
 	jMsg, err := json.Marshal(message)
 	if err != nil {
@@ -105,22 +108,46 @@ func (j *JsonHandler) Handle(msg *events.Message) error {
 	decoder := json.NewDecoder(resp.Body)
 	decoder.Decode(&vaultThing)
 
+	logrus.Debugf("Got Response: %#v", vaultThing)
+
 	err = writeResponse(&vaultThing)
 	if err != nil {
+		logrus.Errorf("Error: writing response to %s", vaultThing.ExternalId)
+		logrus.Error(err)
 		return err
 	}
 
 	return nil
 }
 
 func (j *JsonHandler) buildRequestMessage(msg *events.Message) (*ContainerEventMessage, error) {
-	message := &ContainerEventMessage{}
-	logrus.Infof("Received action: %s, from container: %s", msg.Action, msg.ID)
+	message := &ContainerEventMessage{
+		ContainerType: "cattle",
+	}
+
+	nameKey := "name"
+	logrus.Debugf("Received action: %s, from container: %s", msg.Action, msg.ID)
+
+	if _, ok := msg.Actor.Attributes["io.kubernetes.pod.namespace"]; ok {
+		logrus.Debugf("Container type is Kubernetes")
+
+		if !j.checkForK8sSecretsLabel(msg) {
+			return message, errors.New("Secrets bridge key not found")
+		}
+		message.ContainerType = "kubernetes"
+		nameKey = "io.kubernetes.pod.name"
+	}
+
+	if message.ContainerType == "cattle" {
+		if val, ok := msg.Actor.Attributes["secrets.bridge.enabled"]; !ok || val != "true" {
+			return message, errors.New("Secrets bridge not enabled")
+		}
+	}
 
 	message.Event = msg
 	message.Action = msg.Action
 
-	uuid, err := j.getUUIDFromMetadata(message.Event.Actor.Attributes["name"])
+	uuid, err := j.getUUIDFromMetadata(message.Event.Actor.Attributes[nameKey])
 	if err != nil {
 		return message, err
 	}
@@ -131,6 +158,8 @@ func (j *JsonHandler) buildRequestMessage(msg *events.Message) (*ContainerEventM
 		return message, err
 	}
 
+	logrus.Debugf("Packaged Message: %#v", message)
+
 	return message, nil
 }
 
@@ -165,8 +194,7 @@ func (j *JsonHandler) postRequestToSecretBridge(buffer *bytes.Buffer) (*http.Res
 }
 
 func writeResponse(message *VaultResponseThing) error {
-	defaultHeaders := map[string]string{"User-Agent": "engine-api-cli-1.0"}
-	cli, err := client.NewClient("unix:///var/run/docker.sock", "v1.22", nil, defaultHeaders)
+	cli, err := getDockerClient()
 	if err != nil {
 		logrus.Fatal(err)
 	}
@@ -192,9 +220,10 @@ func formatMessage(message *VaultResponseThing) string {
 
 func (j *JsonHandler) getUUIDFromMetadata(name string) (string, error) {
 	var uuid string
+	logrus.Debugf("Received: %s as a container name", name)
 
-	// I feel like this is going to be a problem some day.
 	name = strings.Replace(name, "r-", "", 1)
+	logrus.Debugf("Using: %s as a container name", name)
 
 	containers, err := j.metadataCli.GetContainers()
 	if err != nil {
@@ -210,8 +239,40 @@ func (j *JsonHandler) getUUIDFromMetadata(name string) (string, error) {
 	}
 
 	if uuid == "" {
+		logrus.Debugf("No UUID Found")
 		return uuid, errors.New("No UUID found")
 	}
+	logrus.Debugf("UUID: %s found", uuid)
 
 	return uuid, nil
 }
+
+func (j *JsonHandler) checkForK8sSecretsLabel(msg *events.Message) bool {
+	enabled := false
+	var labels map[string]string
+
+	name := msg.Actor.Attributes["io.kubernetes.pod.name"]
+	logrus.Debugf("Pod Name: %s", name)
+
+	containers, err := j.metadataCli.GetContainers()
+	if err != nil {
+		return enabled
+	}
+
+	for _, container := range containers {
+		if container.Name == name {
+			labels = container.Labels
+			break
+		}
+	}
+
+	logrus.Debugf("Labels found: %#v", labels)
+
+	if secretEnabled, ok := labels["secrets.bridge.enabled"]; ok {
+		if secretEnabled == "true" {
+			enabled = true
+		}
+	}
+
+	return enabled
+}

bridge/server.go

@@ -115,7 +115,8 @@ func messageHandler(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if t.Action == "start" {
+	if t.Action == "start" && t.UUID != "" {
+		logrus.Debugf("Received start event for container UUID: %s", t.UUID)
 		if err := ContainerStart(w, t); err != nil {
 			logrus.Errorf("Unverified: %s", err)
 			w.WriteHeader(http.StatusNotFound)
@@ -156,9 +157,10 @@ func ContainerStart(w http.ResponseWriter, msg *types.Message) error {
 		}
 	}
 
-	logrus.Infof("VerifiedObj: %#v", verifiedObj)
-	logrus.Infof("VerifiedObj Path: %s", verifiedObj.Path())
-	logrus.Infof("VerifiedObj ID: %s", verifiedObj.ID())
+	logrus.Debugf("VerifiedObj: %#v", verifiedObj)
+	logrus.Debugf("VerifiedObj Path: %s", verifiedObj.Path())
+	logrus.Debugf("VerifiedObj ID: %s", verifiedObj.ID())
+	logrus.Debugf("TempKey ID: %s", tempKey)
 
 	// ToDo: get a verified container object
 	// This is not very generic...

main.go

@@ -3,14 +3,28 @@ package main
 import (
 	"os"
 
+	"github.com/Sirupsen/logrus"
 	"github.com/rancher/secrets-bridge/cmd"
 	"github.com/urfave/cli"
 )
 
+func beforeApp(c *cli.Context) error {
+	if c.GlobalBool("debug") {
+		logrus.SetLevel(logrus.DebugLevel)
+	}
+	return nil
+}
+
 func main() {
 	app := cli.NewApp()
 	app.Name = "secrets-bridge"
 	app.Usage = "Bridge containers with a secret"
+	app.Before = beforeApp
+	app.Flags = []cli.Flag{
+		cli.BoolFlag{
+			Name: "debug,d",
+		},
+	}
 
 	app.Commands = []cli.Command{
 		cmd.ServerCommand(),

trash.yml

@@ -36,9 +36,9 @@ import:
 - package: github.com/opencontainers/runc
   version: ae0fc15b1e969b06fa575638d234feaa1596d69c
 - package: github.com/rancher/go-rancher
-  version: c21ad7797bc727e5fe65ae85d1be714845ce415c
+  version: 8e54b49532eca88e1bed40dcf0c7d29ddfe5a630
 - package: github.com/rancher/go-rancher-metadata
-  version: 802039712650f3d2035179ec6c416093e58efa29
+  version: 524187cee8326c13b4d85b0a237b4f89653d76c4
 - package: github.com/rancher/trash
   version: 8c623b6961c66b566a73e05c588235d6b88afefe
 - package: github.com/Sirupsen/logrus

types/types.go

@@ -3,8 +3,9 @@ package types
 import "github.com/docker/engine-api/types/events"
 
 type Message struct {
-	Event  *events.Message
-	UUID   string
-	Action string
-	Host   string
+	Event         *events.Message
+	UUID          string `json:"UUID"`
+	Action        string `json:"Action"`
+	Host          string `json:"Host"`
+	ContainerType string `json:"container_type"`
 }

vault/cubbyhole.go

@@ -23,7 +23,7 @@ type CubbyHoleKeys struct {
 func NewCubbyhole(client *VaultClient, cubbyConfig *CubbyHoleConfig) (*CubbyHoleKeys, error) {
 	metadata := make(map[string]string)
 
-	logrus.Infof("Getting Temp Token")
+	logrus.Debugf("Getting temp token for path: %s", cubbyConfig.Path)
 	tempToken, err := createVaultToken(client, &api.TokenCreateRequest{
 		ID:              "",
 		Policies:        []string{"default"},
@@ -43,7 +43,7 @@ func NewCubbyhole(client *VaultClient, cubbyConfig *CubbyHoleConfig) (*CubbyHole
 	if err != nil {
 		return nil, err
 	}
-	logrus.Infof("Got policies: %s", policies)
+	logrus.Debugf("Got policies: %s", policies)
 
 	if len(policies) == 0 {
 		return nil, errors.New("No policies to attach")

vault/vault.go

@@ -131,7 +131,6 @@ func (vc *VaultClient) manageIssuingTokenRefresh() {
 				logrus.Fatal("Issuing token has no TTL, has it expired")
 			}
 
-			logrus.Infof("Scheduling refreshes for token every: %d", remainingTime)
 			go scheduleTimer(calculateRefreshDuration(remainingTime), renewalChannel)
 
 			for {
@@ -140,7 +139,7 @@ func (vc *VaultClient) manageIssuingTokenRefresh() {
 					logrus.Infof("Processing issuing token renewal")
 					renewedSecret, err := vc.VClient.Auth().Token().RenewSelf(renewalIncrement)
 					if err != nil {
-						logrus.Errorf("Could not renew token: %s", err)
+						logrus.Fatalf("Could not renew token: %s", err)
 					}
 
 					remainingTime, err = getSecretAuthTTL(renewedSecret.Auth)
@@ -188,14 +187,17 @@ func getSecretAuthTTL(secret *api.SecretAuth) (int, error) {
 }
 
 func calculateRefreshDuration(remainingTime int) int {
+	// this is hacky and could DDoS vault, but if its within 3 minutes... renew now
+	refresh := 1
+
 	if remainingTime > 180 {
-		return remainingTime - 180
+		refresh = remainingTime - 180
 	}
-	// this is hacky and could DDoS vault, but if its within 3 minutes... renew now
-	return 1
+	return refresh
 }
 
 func scheduleTimer(duration int, notify chan bool) {
+	logrus.Debugf("Scheduling refresh timer for: %d", duration)
 	for {
 		time.Sleep(time.Duration(duration) * time.Second)
 		notify <- true