HCP link integration #16939

Merged
merged 8 commits into from
Sep 6, 2022
10 changes: 5 additions & 5 deletions .circleci/config.yml


3 changes: 2 additions & 1 deletion .circleci/config/commands/configure-git.yml
@@ -1,6 +1,7 @@
steps:
- add_ssh_keys:
fingerprints:
- "0e:03:77:f4:e2:c3:56:c2:53:6a:03:e1:31:91:2f:06"
# "CircleCI Additional SSH Key" associated with hc-github-team-secure-vault-core GitHub user
- "b8:e2:38:f8:5b:1b:82:f3:1f:23:fa:46:6e:95:e7:e9"
- run: |
git config --global url."[email protected]:".insteadOf https://github.com/
30 changes: 16 additions & 14 deletions api/sys_seal.go
@@ -93,20 +93,22 @@ func sealStatusRequestWithContext(ctx context.Context, c *Sys, r *Request) (*Sea
}

type SealStatusResponse struct {
Type string `json:"type"`
Initialized bool `json:"initialized"`
Sealed bool `json:"sealed"`
T int `json:"t"`
N int `json:"n"`
Progress int `json:"progress"`
Nonce string `json:"nonce"`
Version string `json:"version"`
BuildDate string `json:"build_date"`
Migration bool `json:"migration"`
ClusterName string `json:"cluster_name,omitempty"`
ClusterID string `json:"cluster_id,omitempty"`
RecoverySeal bool `json:"recovery_seal"`
StorageType string `json:"storage_type,omitempty"`
Type string `json:"type"`
Initialized bool `json:"initialized"`
Sealed bool `json:"sealed"`
T int `json:"t"`
N int `json:"n"`
Progress int `json:"progress"`
Nonce string `json:"nonce"`
Version string `json:"version"`
BuildDate string `json:"build_date"`
Migration bool `json:"migration"`
ClusterName string `json:"cluster_name,omitempty"`
ClusterID string `json:"cluster_id,omitempty"`
RecoverySeal bool `json:"recovery_seal"`
StorageType string `json:"storage_type,omitempty"`
HCPLinkStatus string `json:"hcp_link_status,omitempty"`
HCPLinkResourceID string `json:"hcp_link_resource_ID,omitempty"`
}

type UnsealOpts struct {
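Review bot: The new tag `hcp_link_resource_ID` on HCPLinkResourceID breaks the all-lowercase snake_case that every other tag in SealStatusResponse follows (`cluster_id`, `storage_type`), and because this struct is the client's wire contract the server-side seal-status encoder, which is not in this diff, has to emit exactly the same key. If that key can still be changed, `HCPLinkResourceID string `json:"hcp_link_resource_id,omitempty"`` keeps the struct consistent; if it cannot, a comment on the field noting the deliberate mismatch would stop the next reader from "fixing" it. The two new exported fields also lack any comment on their values; command/server.go's reloadHCPLink clears both with `core.SetHCPLinkStatus("", "")` when no cloud stanza is configured, so `// HCPLinkStatus is empty when no cloud stanza is configured.` appears to be accurate and would help callers that, like command/format.go, only test for non-empty.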
6 changes: 6 additions & 0 deletions command/format.go
@@ -331,6 +331,12 @@ func (t TableFormatter) OutputSealStatusStruct(ui cli.Ui, secret *api.Secret, da
out = append(out, fmt.Sprintf("Cluster ID | %s", status.ClusterID))
}

// Output if HCP link is configured
if status.HCPLinkStatus != "" {
out = append(out, fmt.Sprintf("HCP Link Status | %s", status.HCPLinkStatus))
out = append(out, fmt.Sprintf("HCP Link Resource ID | %s", status.HCPLinkResourceID))
}

// Output if HA is enabled
out = append(out, fmt.Sprintf("HA Enabled | %t", status.HAEnabled))

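Review bot: Inside the new `if status.HCPLinkStatus != ""` block the `HCP Link Resource ID` row is appended unconditionally, so a populated status with an empty `HCPLinkResourceID` renders a table row with an empty cell. Gating that row on its own field avoids it: `if status.HCPLinkResourceID != "" { out = append(out, fmt.Sprintf("HCP Link Resource ID | %s", status.HCPLinkResourceID)) }`. Whether the status can be non-empty while the resource ID is still empty depends on the callers of core.SetHCPLinkStatus, which are not in this diff. OutputSealStatusStruct starts and ends outside the hunk.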
45 changes: 45 additions & 0 deletions command/operator_diagnose.go
@@ -33,6 +33,7 @@ import (
srconsul "github.com/hashicorp/vault/serviceregistration/consul"
"github.com/hashicorp/vault/vault"
"github.com/hashicorp/vault/vault/diagnose"
"github.com/hashicorp/vault/vault/hcp_link"
"github.com/mitchellh/cli"
"github.com/posener/complete"
)
@@ -711,6 +712,50 @@ SEALFAIL:
}
return nil
})

// Checking HCP link to make sure Vault could connect to SCADA.
// If it could not connect to SCADA in 5 seconds, diagnose reports an issue
if !constants.IsEnterprise {
diagnose.Skipped(ctx, "HCP link check will not run on OSS Vault.")
} else {
if config.HCPLinkConf != nil {
diagnose.Test(ctx, "Check HCP Connection", func(ctx context.Context) error {
diagnose.Test(ctx, "Cloud config", func(ctx context.Context) error {
if config.HCPLinkConf.AuthURL != "" {
diagnose.Warn(ctx, "cloud config stanza contains auth_url. Note that auth_url is primarily used for dev/testing work")
}
return nil
})

hcpLink, err := hcp_link.NewHCPLink(config.HCPLinkConf, vaultCore, server.logger)
if err != nil || hcpLink == nil {
return fmt.Errorf("failed to start HCP link, %w", err)
}

// check if a SCADA session is established successfully
deadline := time.Now().Add(5 * time.Second)
linkSessionStatus := "disconnected"
for time.Now().Before(deadline) {
linkSessionStatus = hcpLink.GetScadaSessionStatus()
if linkSessionStatus == "connected" {
break
}
time.Sleep(500 * time.Millisecond)
}
if linkSessionStatus != "connected" {
return fmt.Errorf("failed to connect to HCP in 5 seconds. HCP session status is: %s", linkSessionStatus)
}

err = hcpLink.Shutdown()
if err != nil {
return fmt.Errorf("failed to shutdown HCP link: %w", err)
}

return nil
})
}
}

return nil
}

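Review bot: The guard `if err != nil || hcpLink == nil` after the NewHCPLink call wraps a nil error with `%w` when the link is nil but err is nil, a combination command/server.go's `else if hcpLink != nil` shows is expected, so the message comes out as `%!w(<nil>)`; and the timeout branch returns while the freshly started link is still running, because `hcpLink.Shutdown()` is only reached after a successful connection. Splitting the two conditions and deferring the shutdown makes every exit path release the link, as in the excerpt below. The 500 ms `time.Sleep` poll also never looks at `ctx`, so a cancelled diagnose run still waits out the full 5 seconds; a `select` on `ctx.Done()` and a timer would fix that. The enclosing function continues before and after this hunk.

```go
diagnose.Test(ctx, "Check HCP Connection", func(ctx context.Context) (err error) {
	// … unchanged: nested "Cloud config" test …

	hcpLink, err := hcp_link.NewHCPLink(config.HCPLinkConf, vaultCore, server.logger)
	if err != nil {
		return fmt.Errorf("failed to start HCP link, %w", err)
	}
	if hcpLink == nil {
		// nil link with nil error: nothing was started, so there is nothing to wrap
		return fmt.Errorf("failed to start HCP link, no link was created")
	}
	// Release the link on every exit path, including the timeout below;
	// a shutdown failure is reported only when nothing else already failed.
	defer func() {
		if serr := hcpLink.Shutdown(); serr != nil && err == nil {
			err = fmt.Errorf("failed to shutdown HCP link: %w", serr)
		}
	}()

	// … unchanged: SCADA session polling loop and its timeout error …
```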
46 changes: 46 additions & 0 deletions command/server.go
@@ -49,6 +49,7 @@ import (
"github.com/hashicorp/vault/sdk/version"
sr "github.com/hashicorp/vault/serviceregistration"
"github.com/hashicorp/vault/vault"
"github.com/hashicorp/vault/vault/hcp_link"
vaultseal "github.com/hashicorp/vault/vault/seal"
"github.com/mitchellh/cli"
"github.com/mitchellh/go-testing-interface"
@@ -1577,6 +1578,14 @@ func (c *ServerCommand) Run(args []string) int {
return 1
}

hcpLogger := c.logger.Named("hcpLink")
hcpLink, err := hcp_link.NewHCPLink(config.HCPLinkConf, core, hcpLogger)
if err != nil {
c.logger.Error("failed to start HCP Link", "error", err)
} else if hcpLink != nil {
c.logger.Trace("started HCP link")
}

if c.flagTestServerConfig {
return 0
}
@@ -1688,6 +1697,12 @@ func (c *ServerCommand) Run(args []string) int {
// Setting log request with the new value in the config after reload
core.ReloadLogRequestsLevel()

// reloading HCP link
hcpLink, err = c.reloadHCPLink(hcpLink, config, core, hcpLogger)
if err != nil {
c.logger.Error(err.Error())
}

if config.LogLevel != "" {
configLogLevel := strings.ToLower(strings.TrimSpace(config.LogLevel))
switch configLogLevel {
@@ -1741,6 +1756,12 @@ func (c *ServerCommand) Run(args []string) int {
// Stop the listeners so that we don't process further client requests.
c.cleanupGuard.Do(listenerCloseFunc)

if hcpLink != nil {
if err := hcpLink.Shutdown(); err != nil {
c.UI.Error(fmt.Sprintf("Error with HCP Link shutdown: %v", err.Error()))
}
}

// Finalize will wait until after Vault is sealed, which means the
// request forwarding listeners will also be closed (and also
// waited for).
@@ -1753,6 +1774,31 @@ func (c *ServerCommand) Run(args []string) int {
return retCode
}

func (c *ServerCommand) reloadHCPLink(hcpLinkVault *hcp_link.WrappedHCPLinkVault, conf *server.Config, core *vault.Core, hcpLogger hclog.Logger) (*hcp_link.WrappedHCPLinkVault, error) {
// trigger a shutdown
if hcpLinkVault != nil {
err := hcpLinkVault.Shutdown()
if err != nil {
return nil, err
}
}

if conf.HCPLinkConf == nil {
// if cloud stanza is not configured, we should not show anything
// in the seal-status related to HCP link
core.SetHCPLinkStatus("", "")
return nil, nil
}

// starting HCP link
hcpLink, err := hcp_link.NewHCPLink(conf.HCPLinkConf, core, hcpLogger)
if err != nil {
return nil, fmt.Errorf("failed to restart HCP Link and it is no longer running, %w", err)
}

return hcpLink, nil
}

func (c *ServerCommand) notifySystemd(status string) {
sent, err := systemd.SdNotify(false, status)
if err != nil {
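Review bot: In reloadHCPLink a failed `hcpLinkVault.Shutdown()` returns `nil, err`, and the reload site assigns that nil to `hcpLink`, so a link that may still be partly running loses its only reference and the later `if hcpLink != nil { hcpLink.Shutdown() }` in the shutdown path skips it. Returning the existing handle with the error keeps it reachable for that final shutdown: `return hcpLinkVault, fmt.Errorf("shutting down HCP link before reload: %w", err)`. Two smaller points in the neighbouring hunks of this file: `c.logger.Error(err.Error())` after the reload call drops the structured `"error", err` key that the start-up path uses, and `fmt.Sprintf("...: %v", err.Error())` in the shutdown hunk can pass `err` directly. reloadHCPLink also has no doc comment; `// reloadHCPLink stops the running link, if any, and starts a new one from conf, returning nil when no cloud stanza is configured.` matches what the body does. notifySystemd continues outside the hunk.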
18 changes: 17 additions & 1 deletion go.mod
@@ -30,7 +30,7 @@ require (
github.com/apple/foundationdb/bindings/go v0.0.0-20190411004307-cd5c9d91fad2
github.com/armon/go-metrics v0.4.0
github.com/armon/go-radix v1.0.0
github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a
github.com/asaskevich/govalidator v0.0.0-20200907205600-7a23bdc65eef
github.com/aws/aws-sdk-go v1.43.8
github.com/axiomhq/hyperloglog v0.0.0-20220105174342-98591331716a
github.com/cenkalti/backoff/v3 v3.2.2
@@ -98,6 +98,7 @@ require (
github.com/hashicorp/go-version v1.6.0
github.com/hashicorp/golang-lru v0.5.4
github.com/hashicorp/hcl v1.0.1-vault-3
github.com/hashicorp/hcp-sdk-go v0.21.0
github.com/hashicorp/nomad/api v0.0.0-20220707195938-75f4c2237b28
github.com/hashicorp/raft v1.3.10
github.com/hashicorp/raft-autopilot v0.1.6
@@ -231,6 +232,8 @@ require (
github.com/Microsoft/go-winio v0.5.1 // indirect
github.com/Microsoft/hcsshim v0.9.0 // indirect
github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5 // indirect
github.com/PuerkitoBio/purell v1.1.1 // indirect
github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
github.com/andybalholm/brotli v1.0.4 // indirect
github.com/apache/arrow/go/arrow v0.0.0-20210818145353-234c94e4ce64 // indirect
github.com/aws/aws-sdk-go-v2 v1.8.0 // indirect
@@ -278,6 +281,17 @@ require (
github.com/go-ldap/ldif v0.0.0-20200320164324-fd88d9b715b3 // indirect
github.com/go-logr/logr v1.2.0 // indirect
github.com/go-ole/go-ole v1.2.6 // indirect
github.com/go-openapi/analysis v0.20.0 // indirect
github.com/go-openapi/errors v0.19.9 // indirect
github.com/go-openapi/jsonpointer v0.19.5 // indirect
github.com/go-openapi/jsonreference v0.19.5 // indirect
github.com/go-openapi/loads v0.20.2 // indirect
github.com/go-openapi/runtime v0.19.24 // indirect
github.com/go-openapi/spec v0.20.3 // indirect
github.com/go-openapi/strfmt v0.20.0 // indirect
github.com/go-openapi/swag v0.19.14 // indirect
github.com/go-openapi/validate v0.20.2 // indirect
github.com/go-ozzo/ozzo-validation v3.6.0+incompatible // indirect
github.com/go-stack/stack v1.8.0 // indirect
github.com/gogo/protobuf v1.3.2 // indirect
github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe // indirect
@@ -325,13 +339,15 @@ require (
github.com/jcmturner/rpc/v2 v2.0.3 // indirect
github.com/jeffchao/backoff v0.0.0-20140404060208-9d7fd7aa17f2 // indirect
github.com/jmespath/go-jmespath v0.4.0 // indirect
github.com/josharian/intern v1.0.0 // indirect
github.com/json-iterator/go v1.1.12 // indirect
github.com/kelseyhightower/envconfig v1.4.0 // indirect
github.com/klauspost/compress v1.13.6 // indirect
github.com/klauspost/pgzip v1.2.5 // indirect
github.com/lib/pq v1.10.6 // indirect
github.com/linode/linodego v0.7.1 // indirect
github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect
github.com/mailru/easyjson v0.7.6 // indirect
github.com/mattn/go-ieproxy v0.0.1 // indirect
github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect
github.com/miekg/dns v1.1.41 // indirect
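Review bot: The new direct dependency `github.com/hashicorp/hcp-sdk-go v0.21.0` pulls in a sizeable transitive set (the go-openapi modules, purell/urlesc, easyjson) at 2020–2021 versions, and `govalidator` moves from one untagged pseudo-version to another rather than to a tagged release. Before merging, the enlarged import graph is worth a `govulncheck ./...` pass, and the matching go.sum changes, which are not shown here, should be reviewed with it. A pseudo-version pin is reasonable only when no tagged release carries the needed change, so a short comment on that require line stating why would help whoever upgrades it next.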