Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

agent: persistent caching support #10938

Merged
merged 31 commits into from
Mar 3, 2021
Merged

agent: persistent caching support #10938

merged 31 commits into from
Mar 3, 2021

Conversation

tvoran
Copy link
Member

@tvoran tvoran commented Feb 18, 2021
edited
Loading

Adds the option of a write-through cache to the agent, backed by boltdb, with the aim of preserving the renewal of leases and tokens across agent restarts.

This functionality is configured through a new persist stanza within the cache portion of the vault agent config file:

cache {
  persist "kubernetes" {
    path = "/path/to/db/"
    exit_on_err = false
    keep_after_import = false
    service_account_token_file = "/path/to/jwt"
}

  • The persist type specifies the key protection scheme to use for the key encrypting/decrypting the persisted data. Currently "kubernetes" is supported, where the encryption key is saved in the boltdb, using the service account jwt as the AAD (extra data) used to encrypt and decrypt.

    • service_account_token_file is optional, and defaults to "/var/run/secrets/kubernetes.io/serviceaccount/token"

  • The path parameter is required, and is the file system location to write the cache db file. The file name for the cache file is vault-agent-cache.db. So in the above example the full file and path would be /path/to/db/vault-agent-cache.db.

    • If the db file exists at path when the agent starts, anything in the db file will be imported into the vault-agent in-memory cache. Otherwise a new db file is created.

  • If keep_after_import = false, the db file will then be deleted after importing, and agent tokens and secrets will only be cached in memory.

  • If exit_on_err = true, errors during import of an existing db cache will cause the agent to exit.

The bolt db is laid out in multiple buckets:

  • The "meta" bucket contains a version: 1 entry for use in the future if migrations are required. It also contains the most recent auto-auth token cached by the agent, and the key material used to decrypt and restore an existing cache. This key material may either be the key, or some other token used to retrieve the key.
  • There are three buckets for the different cached item types: "token", "auth-lease", and "secret-lease". They're separated this way due to dependencies during the restore process (e.g. secret-leases depend on token's and auto-lease's).

@tvoran
persistent caching support in the agent
49ce6e6 
Adds the option of a write-through cache, backed by boltdb
@tvoran tvoran force-pushed the persist-agent-cache branch from b003bfb to 49ce6e6 Compare February 18, 2021 02:55
@vercel vercel bot temporarily deployed to Preview – vault February 18, 2021 02:56 Inactive
@vercel vercel bot temporarily deployed to Preview – vault-storybook February 18, 2021 02:56 Inactive
@jasonodonnell jasonodonnell self-requested a review February 18, 2021 14:05
jasonodonnell
jasonodonnell reviewed Feb 18, 2021
View reviewed changes
command/agent.go Outdated Show resolved Hide resolved
@tvoran tvoran requested review from calvn and tomhjp February 18, 2021 19:14
@tvoran tvoran changed the title persistent caching support in the agent agent: persistent caching support Feb 18, 2021
tvoran and others added 2 commits February 18, 2021 17:10
@vercel vercel bot temporarily deployed to Preview – vault February 19, 2021 01:41 Inactive
@vercel vercel bot temporarily deployed to Preview – vault-storybook February 19, 2021 01:41 Inactive
@vercel vercel bot temporarily deployed to Preview – vault-storybook February 19, 2021 01:56 Inactive
@vercel vercel bot temporarily deployed to Preview – vault February 19, 2021 01:56 Inactive
@vercel vercel bot temporarily deployed to Preview – vault-storybook February 19, 2021 05:38 Inactive
@vercel vercel bot temporarily deployed to Preview – vault February 19, 2021 05:38 Inactive
@vercel vercel bot temporarily deployed to Preview – vault-storybook February 19, 2021 18:50 Inactive
@vercel vercel bot temporarily deployed to Preview – vault February 19, 2021 18:50 Inactive
@vercel vercel bot temporarily deployed to Preview – vault February 26, 2021 20:30 Inactive
@vercel vercel bot temporarily deployed to Preview – vault-storybook February 26, 2021 20:30 Inactive
@jasonodonnell @calvn
Add extra check for persistent cache when routing templating (#11021)
e6ede87 
* Gate routing template through cache

* Fix tests

* Update changelog

* Update changelog/10927.txt

Co-authored-by: Calvin Leung Huang <[email protected]>

Co-authored-by: Calvin Leung Huang <[email protected]>
@vercel vercel bot temporarily deployed to Preview – vault February 26, 2021 21:39 Inactive
@vercel vercel bot temporarily deployed to Preview – vault-storybook February 26, 2021 21:39 Inactive
calvn
calvn reviewed Feb 27, 2021
View reviewed changes
command/agent/cache/cacheboltdb/bolt.go
AuthLeaseType = "auth-lease"

// TokenType - Bucket/type for auto-auth tokens
TokenType = "token"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like this bucket is carved out for the auto-auth token, but can that be stored in the root directly?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Perhaps? Though I left it as a separate bucket since this is how the cachememdb behaves, namely old auto-auth tokens are not removed if a new one comes in, and they aren't expired. So I added this bucket out of abundance of caution, in case a lease that needed to be restored relied on a previous auto-auth token.

@vercel vercel bot temporarily deployed to Preview – vault February 27, 2021 04:37 Inactive
@vercel vercel bot temporarily deployed to Preview – vault-storybook February 27, 2021 04:37 Inactive
@tvoran
moved the retrieval token into the root bucket
423e3e1 
Since we're not rotating root buckets or anything, no need to have a
separate storage area.
@tvoran
rename root bucket to 'meta' and flatten layout
deb0e70 
The sub-buckets off root were no longer necessary, so renamed "root"
to "meta" and moved the other token and lease buckets up so they're
all at the top level.
@vercel vercel bot temporarily deployed to Preview – vault-storybook February 27, 2021 05:44 Inactive
@vercel vercel bot temporarily deployed to Preview – vault February 27, 2021 05:44 Inactive
calvn
calvn reviewed Mar 2, 2021
View reviewed changes
command/agent.go Outdated Show resolved Hide resolved
@tvoran
minor refactoring from review feedback
cee5bfb 
Moved getServiceAccountJWT() to agent, renamed and made
LeaseCache.restoreLeaseRenewCtx() private, and checking for unexpected
type in LeaseCache.hasExpired().
@vercel vercel bot temporarily deployed to Preview – vault March 3, 2021 02:12 Inactive
@vercel vercel bot temporarily deployed to Preview – vault-storybook March 3, 2021 02:12 Inactive
@jasonodonnell jasonodonnell self-requested a review March 3, 2021 20:19
@tvoran tvoran merged commit ebcdae1 into master Mar 3, 2021
@tvoran tvoran deleted the persist-agent-cache branch March 3, 2021 22:01
@tvoran tvoran mentioned this pull request Mar 10, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jasonodonnell jasonodonnell jasonodonnell approved these changes

@calvn calvn calvn approved these changes

@tomhjp tomhjp Awaiting requested review from tomhjp

Assignees
No one assigned
Labels
agent ecosystem
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@tvoran @calvn @jasonodonnell