Update plugin, use go 1.16, kubernetes client 0.22.1 and vault sdk 0.…

…2.1 (jetbrains-infra#9) Update plugin, use go 1.16, kubernetes client 0.22.1 and vault sdk 0.2.1
KohlsTechnology · Aug 27, 2021 · fbdfc8f · fbdfc8f
1 parent ec666c0
commit fbdfc8f
Show file tree

Hide file tree

Showing 14 changed files with 764 additions and 100 deletions.
diff --git a/Makefile b/Makefile
@@ -18,12 +18,18 @@ enable-plugin:
 	vault secrets list
 
 list-plugins:
-	vault list sys/plugins/catalog
+	vault read sys/plugins/catalog
 
 configure-plugin:
 	vault write k8s/config token=${TOKEN} api-url=${MASTER_URL} CA=${MASTER_CA}
 	vault read k8s/config
 
+create-sa:
+	vault write k8s/sa/it-deployer namespace=it service-account-name=deployer
+
+get-token:
+	vault read k8s/secrets/it-deployer
+
 up:
 	docker-compose down
 	docker-compose up -d

diff --git a/backend/backend.go b/backend/backend.go
@@ -5,8 +5,9 @@ import (
 	"sync"
 	"time"
 
-	"github.com/hashicorp/vault/logical"
-	"github.com/hashicorp/vault/logical/framework"
+	"github.com/hashicorp/vault/sdk/framework"
+	"github.com/hashicorp/vault/sdk/logical"
+
 )
 
 type kubeBackend struct {

diff --git a/backend/backend_test.go b/backend/backend_test.go
@@ -5,9 +5,7 @@ import (
 	"testing"
 	"time"
 
-	log "github.com/hashicorp/go-hclog"
-	"github.com/hashicorp/vault/helper/logging"
-	"github.com/hashicorp/vault/logical"
+	"github.com/hashicorp/vault/sdk/logical"
 )
 
 const (
@@ -19,7 +17,6 @@ func getTestBackend(t *testing.T) (logical.Backend, logical.Storage) {
 	b := New()
 
 	c := &logical.BackendConfig{
-		Logger: logging.NewVaultLogger(log.Trace),
 		System: &logical.StaticSystemView{
 			DefaultLeaseTTLVal: defaultLeaseTTLHr * time.Hour,
 			MaxLeaseTTLVal:     maxLeaseTTLHr * time.Hour,

diff --git a/backend/path_config.go b/backend/path_config.go
@@ -4,13 +4,16 @@ import (
 	"context"
 	"time"
 
-	"github.com/hashicorp/vault/logical"
-	"github.com/hashicorp/vault/logical/framework"
+	"github.com/hashicorp/vault/sdk/framework"
+	"github.com/hashicorp/vault/sdk/logical"
 )
 
+const ConfigStorageKey = "config"
+const ConfigPath = "config"
+
 func pathConfig(b *kubeBackend) *framework.Path {
 	return &framework.Path{
-		Pattern: "config",
+		Pattern: ConfigPath,
 		Fields: map[string]*framework.FieldSchema{
 			"token": {
 				Type:        framework.TypeString,
@@ -37,6 +40,7 @@ func pathConfig(b *kubeBackend) *framework.Path {
 		Callbacks: map[logical.Operation]framework.OperationFunc{
 			logical.ReadOperation:   b.pathConfigRead,
 			logical.UpdateOperation: b.pathConfigWrite,
+			logical.DeleteOperation: b.pathConfigDelete,
 		},
 
 		HelpSynopsis:    pathConfigHelpSyn,
@@ -72,8 +76,8 @@ func (b *kubeBackend) pathConfigWrite(ctx context.Context, req *logical.Request,
 
 	if cfg == nil {
 		cfg = &config{
-			TTL:    time.Duration(1800 * time.Second),
-			MaxTTL: time.Duration(3600 * time.Second),
+			TTL:    1800 * time.Second,
+			MaxTTL: 3600 * time.Second,
 		}
 	}
 
@@ -104,7 +108,7 @@ func (b *kubeBackend) pathConfigWrite(ctx context.Context, req *logical.Request,
 		cfg.MaxTTL = time.Duration(maxTTLRaw.(int)) * time.Second
 	}
 
-	entry, err := logical.StorageEntryJSON("config", cfg)
+	entry, err := logical.StorageEntryJSON(ConfigStorageKey, cfg)
 	if err != nil {
 		return nil, err
 	}
@@ -116,6 +120,14 @@ func (b *kubeBackend) pathConfigWrite(ctx context.Context, req *logical.Request,
 	return nil, nil
 }
 
+func (b *kubeBackend) pathConfigDelete(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	if err := req.Storage.Delete(ctx, ConfigStorageKey); err != nil {
+		return nil, err
+	}
+
+	return nil, nil
+}
+
 type config struct {
 	Token  string
 	APIURL string
@@ -127,7 +139,7 @@ type config struct {
 
 func getConfig(ctx context.Context, s logical.Storage) (*config, error) {
 	var cfg config
-	cfgRaw, err := s.Get(ctx, "config")
+	cfgRaw, err := s.Get(ctx, ConfigStorageKey)
 	if err != nil {
 		return nil, err
 	}

diff --git a/backend/path_config_test.go b/backend/path_config_test.go
@@ -4,7 +4,7 @@ import (
 	"context"
 	"testing"
 
-	"github.com/hashicorp/vault/logical"
+	"github.com/hashicorp/vault/sdk/logical"
 )
 
 func TestConfig(t *testing.T) {

diff --git a/backend/path_secrets.go b/backend/path_secrets.go
@@ -5,8 +5,8 @@ import (
 	"fmt"
 	"time"
 
-	"github.com/hashicorp/vault/logical"
-	"github.com/hashicorp/vault/logical/framework"
+	"github.com/hashicorp/vault/sdk/framework"
+	"github.com/hashicorp/vault/sdk/logical"
 )
 
 const secretsStoragePrefix = "secrets"
@@ -26,7 +26,7 @@ func pathSecrets(b *kubeBackend) *framework.Path {
 		},
 		// ExistenceCheck: ,
 		Callbacks: map[logical.Operation]framework.OperationFunc{
-			logical.ReadOperation: b.pathSecretsUpdate,
+			logical.ReadOperation:   b.pathSecretsUpdate,
 			logical.UpdateOperation: b.pathSecretsUpdate,
 		},
 		HelpSynopsis:    pathSecretsHelpSyn,

diff --git a/backend/path_secrets_test.go b/backend/path_secrets_test.go
@@ -5,7 +5,7 @@ import (
 	"fmt"
 	"testing"
 
-	"github.com/hashicorp/vault/logical"
+	"github.com/hashicorp/vault/sdk/logical"
 )
 
 func TestSecretsUpdateNotFound(t *testing.T) {

diff --git a/backend/path_serviceaccounts.go b/backend/path_serviceaccounts.go
@@ -5,8 +5,8 @@ import (
 	"fmt"
 
 	"github.com/hashicorp/errwrap"
-	"github.com/hashicorp/vault/logical"
-	"github.com/hashicorp/vault/logical/framework"
+	"github.com/hashicorp/vault/sdk/framework"
+	"github.com/hashicorp/vault/sdk/logical"
 )
 
 const (

diff --git a/backend/path_serviceaccounts_test.go b/backend/path_serviceaccounts_test.go
@@ -5,7 +5,7 @@ import (
 	"fmt"
 	"testing"
 
-	"github.com/hashicorp/vault/logical"
+	"github.com/hashicorp/vault/sdk/logical"
 )
 
 func TestServiceAccountCreate(t *testing.T) {

diff --git a/backend/secret_tokens.go b/backend/secret_tokens.go
@@ -9,12 +9,10 @@ import (
 
 	"github.com/hashicorp/errwrap"
 
-	"github.com/hashicorp/vault/helper/consts"
-
 	"github.com/mitchellh/mapstructure"
 
-	"github.com/hashicorp/vault/logical"
-	"github.com/hashicorp/vault/logical/framework"
+	"github.com/hashicorp/vault/sdk/framework"
+	"github.com/hashicorp/vault/sdk/logical"
 	"k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
@@ -87,13 +85,13 @@ func (b *kubeBackend) createSecret(ctx context.Context, s logical.Storage, c *co
 		if err != nil {
 			return nil, err
 		}
-		_, err = clientSet.CoreV1().Secrets(sa.Namespace).Create(secret)
+		_, err = clientSet.CoreV1().Secrets(sa.Namespace).Create(ctx, secret, metav1.CreateOptions{})
 		if err != nil {
 			return nil, errwrap.Wrapf("Unable to create secret, {{err}}", err)
 		}
 		// Do 5 tries to get secret, due to it may not generated after first try
 		for range []int{0, 1, 2, 3, 4} {
-			secretResp, err := clientSet.CoreV1().Secrets(sa.Namespace).Get(secret.Name, metav1.GetOptions{})
+			secretResp, err := clientSet.CoreV1().Secrets(sa.Namespace).Get(ctx, secret.Name, metav1.GetOptions{})
 			if err != nil {
 				return nil, errwrap.Wrapf("Unable to get secret, {{err}}", err)
 			}
@@ -171,7 +169,7 @@ func (b *kubeBackend) secretAccessTokenRevoke(ctx context.Context, req *logical.
 	namespace := req.Secret.InternalData["namespace"].(string)
 	name := req.Secret.InternalData["secret-name"].(string)
 
-	err = clientSet.CoreV1().Secrets(namespace).Delete(name, &metav1.DeleteOptions{})
+	err = clientSet.CoreV1().Secrets(namespace).Delete(ctx, name, metav1.DeleteOptions{})
 
 	if err != nil {
 		return nil, err
@@ -180,10 +178,6 @@ func (b *kubeBackend) secretAccessTokenRevoke(ctx context.Context, req *logical.
 }
 
 func (b *kubeBackend) walRollback(ctx context.Context, r *logical.Request, kind string, data interface{}) error {
-	// TODO hashicorp what is this?
-	if !b.System().LocalMount() && b.System().ReplicationState().HasState(consts.ReplicationPerformancePrimary) {
-		return nil
-	}
 	var entry walSecret
 	if err := mapstructure.Decode(data, &entry); err != nil {
 		return err

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -1,7 +1,7 @@
-version: '2'
+version: '3'
 services:
   vault:
-    image: vault:1.3.0
+    image: vault:1.3.10
     environment:
       VAULT_LOCAL_CONFIG: '{"backend": {"file": {"path": "/vault/file"}}, "default_lease_ttl": "168h", "max_lease_ttl": "720h", "plugin_directory":"/plugin"}'
       VAULT_DEV_ROOT_TOKEN_ID: 123qwe
@@ -12,7 +12,3 @@ services:
       - "8201:8201"
     volumes:
       - "./vault/plugin:/plugin"
-  plugin:
-    image: vault-plugin-secrets-kubernetes
-    build:
-      context: .
diff --git a/go.mod b/go.mod
@@ -1,58 +1,14 @@
 module github.com/jetbrains-infra/vault-plugin-secrets-kubernetes
 
-go 1.13
+go 1.16
 
 require (
-	github.com/SermoDigital/jose v0.9.2-0.20180104203859-803625baeddc
-	github.com/armon/go-radix v1.0.0
-	github.com/davecgh/go-spew v1.1.1
-	github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680
-	github.com/gogo/protobuf v0.0.0-20170330071051-c0656edd0d9e
-	github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b
-	github.com/golang/protobuf v1.2.0
-	github.com/golang/snappy v0.0.0-20180518054509-2e65f85255db
-	github.com/google/btree v0.0.0-20160524151835-7d79101e329e
-	github.com/google/gofuzz v0.0.0-20161122191042-44d81051d367
-	github.com/googleapis/gnostic v0.0.0-20170729233727-0c5108395e2d
-	github.com/gregjones/httpcache v0.0.0-20170728041850-787624de3eb7
-	github.com/grpc/grpc-go v1.14.0
-	github.com/hashicorp/errwrap v1.0.0
-	github.com/hashicorp/go-cleanhttp v0.5.0
-	github.com/hashicorp/go-hclog v0.0.0-20181001195459-61d530d6c27f
-	github.com/hashicorp/go-immutable-radix v1.0.0
-	github.com/hashicorp/go-multierror v1.0.0
-	github.com/hashicorp/go-plugin v0.0.0-20181030172320-54b6ff97d818
-	github.com/hashicorp/go-retryablehttp v0.5.0
-	github.com/hashicorp/go-rootcerts v0.0.0-20160503143440-6bb64b370b90
-	github.com/hashicorp/go-sockaddr v0.0.0-20180320115054-6d291a969b86
-	github.com/hashicorp/go-uuid v1.0.0
-	github.com/hashicorp/go-version v1.0.0
-	github.com/hashicorp/golang-lru v0.5.0
-	github.com/hashicorp/hcl v1.0.1-0.20180906183839-65a6292f0157
-	github.com/hashicorp/vault v0.11.3
-	github.com/hashicorp/yamux v0.0.0-20181012175058-2f1d1f20f75d
-	github.com/json-iterator/go v0.0.0-20180612202835-f2b4162afba3
-	github.com/mitchellh/go-homedir v1.0.0
-	github.com/mitchellh/go-testing-interface v1.0.0
-	github.com/mitchellh/mapstructure v1.1.2
-	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd
-	github.com/modern-go/reflect2 v0.0.0-20180320133207-05fbef0ca5da
-	github.com/oklog/run v1.0.1-0.20180308005104-6934b124db28
-	github.com/peterbourgon/diskv v2.0.1+incompatible
-	github.com/pierrec/lz4 v1.0.2-0.20181027085611-623b5a2f4d2a
-	github.com/ryanuber/go-glob v0.0.0-20170128012129-256dc444b735
-	golang.org/x/crypto v0.0.0-20180808211826-de0752318171
-	golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3 // indirect
-	golang.org/x/net v0.0.0-20181106065722-10aee1819953
-	golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be
-	golang.org/x/sys v0.0.0-20181122145206-62eef0e2fa9b
-	golang.org/x/text v0.3.0
-	golang.org/x/time v0.0.0-20161028155119-f51c12702a4d
-	google.golang.org/genproto v0.0.0-20181109154231-b5d43981345b
-	google.golang.org/grpc v1.16.0
-	gopkg.in/inf.v0 v0.9.1 // indirect
-	gopkg.in/yaml.v2 v2.0.0-20170721113624-670d4cfef054
-	k8s.io/api v0.0.0-20181004124137-fd83cbc87e76
-	k8s.io/apimachinery v0.0.0-20180913025736-6dd46049f395
-	k8s.io/client-go v9.0.0+incompatible
+	github.com/hashicorp/errwrap v1.1.0
+	github.com/hashicorp/go-hclog v0.16.1
+	github.com/hashicorp/vault/api v1.1.1
+	github.com/hashicorp/vault/sdk v0.2.1
+	github.com/mitchellh/mapstructure v1.3.2
+	k8s.io/api v0.22.1
+	k8s.io/apimachinery v0.22.1
+	k8s.io/client-go v0.22.1
 )