Add namespace and log level annotations
jasonodonnell committed Feb 20, 2020
1 parent 98298fe commit 7cd4f04
Showing 11 changed files with 106 additions and 27 deletions.
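--- a/agent-inject/agent/agent.go
+++ b/agent-inject/agent/agent.go
@@ -14,7 +14,7 @@ import (
 // TODO swap out 'github.com/mattbaird/jsonpatch' for 'github.com/evanphx/json-patch'
 
 const (
-DefaultVaultImage = "vault:1.3.1"
+DefaultVaultImage = "vault:1.3.1"
 DefaultVaultAuthPath = "auth/kubernetes"
 )
 
@@ -129,6 +129,12 @@ type Vault struct {
 // make a request to the Vault server.
 ClientTimeout string
 
+// LogLevel sets the Vault Agent log level. Defaults to info.
+LogLevel string
+
+// Namespace is the Vault namespace to prepend to secret paths.
+Namespace string
+
 // Role is the name of the Vault role to use for authentication.
 Role string
 
@@ -172,6 +178,8 @@ func New(pod *corev1.Pod, patches []*jsonpatch.JsonPatchOperation) (*Agent, erro
 ClientKey: pod.Annotations[AnnotationVaultClientKey],
 ClientMaxRetries: pod.Annotations[AnnotationVaultClientMaxRetries],
 ClientTimeout: pod.Annotations[AnnotationVaultClientTimeout],
+LogLevel: pod.Annotations[AnnotationVaultLogLevel],
+Namespace: pod.Annotations[AnnotationVaultNamespace],
 Role: pod.Annotations[AnnotationVaultRole],
 TLSSecret: pod.Annotations[AnnotationVaultTLSSecret],
 TLSServerName: pod.Annotations[AnnotationVaultTLSServerName],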
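Review bot: The `LogLevel` field comment says "Defaults to info", but nothing in this struct or in `New` applies a default; `New` copies the annotation verbatim, and the default is only written by `Init` in annotations.go when it fills in `AnnotationVaultLogLevel`. A `Vault` built from a pod that did not pass through `Init` (as the new test in annotations_test.go does) therefore has an empty `LogLevel`, and `ContainerEnvVars` then emits no `VAULT_LOG_LEVEL` at all. I would make the comment say where the default comes from: `// LogLevel sets the Vault Agent log level. Init() writes DefaultAgentLogLevel into the annotation when it is absent, so this is empty only for pods that bypassed Init.` The `Namespace` comment ("prepend to secret paths") likewise overstates what the hunks show; see the note on config.go. The `Vault` struct and `New` both continue outside these hunks.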
8 changes: 4 additions & 4 deletions agent-inject/agent/agent_test.go
Expand Up @@ -75,8 +75,8 @@ func TestValidate(t *testing.T) {
ServiceAccountName: "foobar",
ImageName: "test",
Vault: Vault{
Role: "test",
Address: "https://foobar.com:8200",
Role: "test",
Address: "https://foobar.com:8200",
AuthPath: "test",
},
}, true,
Expand Down Expand Up @@ -148,8 +148,8 @@ func TestValidate(t *testing.T) {
ServiceAccountName: "foobar",
ImageName: "test",
Vault: Vault{
Role: "test",
Address: "https://foobar.com:8200",
Role: "test",
Address: "https://foobar.com:8200",
AuthPath: "",
},
}, false,
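--- a/agent-inject/agent/annotations.go
+++ b/agent-inject/agent/annotations.go
@@ -72,6 +72,9 @@ const (
 // AnnotationAgentRequestsMem sets the requested memory amount on the Vault Agent containers.
 AnnotationAgentRequestsMem = "vault.hashicorp.com/agent-requests-mem"
 
+// AnnotationVaultNamespace is the Vault namespace where secrets can be found.
+AnnotationVaultNamespace = "vault.hashicorp.com/namespace"
+
 // AnnotationVaultService is the name of the Vault server. This can be overridden by the
 // user but will be set by a flag on the deployment.
 AnnotationVaultService = "vault.hashicorp.com/service"
@@ -109,6 +112,9 @@ const (
 // AnnotationVaultClientTimeout sets the request timeout when communicating with Vault.
 AnnotationVaultClientTimeout = "vault.hashicorp.com/client-timeout"
 
+// AnnotationVaultLogLevel sets the Vault Agent log level.
+AnnotationVaultLogLevel = "vault.hashicorp.com/log-level"
+
 // AnnotationVaultRole specifies the role to be used for the Kubernetes auto-auth
 // method.
 AnnotationVaultRole = "vault.hashicorp.com/role"
@@ -177,6 +183,10 @@ func Init(pod *corev1.Pod, image, address, authPath, namespace string) error {
 pod.ObjectMeta.Annotations[AnnotationAgentRequestsMem] = DefaultResourceRequestMem
 }
 
+if _, ok := pod.ObjectMeta.Annotations[AnnotationVaultLogLevel]; !ok {
+pod.ObjectMeta.Annotations[AnnotationVaultLogLevel] = DefaultAgentLogLevel
+}
+
 return nil
 }
 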
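Review bot: `AnnotationVaultNamespace` is one word away from the Kubernetes namespace that `Init` already receives as its `namespace` parameter (visible in the third hunk header), and the new comment does not tell a reader which of the two it means; I would write `// AnnotationVaultNamespace is the Vault namespace where secrets can be found. This is a Vault namespace, not the Kubernetes namespace of the pod.` The constant is also placed among the `AnnotationAgent*` resource annotations rather than with the other `AnnotationVault*` entries in the second hunk, which makes the grouping harder to scan. The log-level default added to `Init` is fine, but the annotation value itself is user-supplied and nothing here checks it against the levels Vault Agent accepts, so an unrecognised value only surfaces when the injected container fails to start; if the validation path exercised by `TestValidate` is the right place, a check there would give a clearer error at admission time. `Init` starts before the third hunk.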
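--- a/agent-inject/agent/annotations_test.go
+++ b/agent-inject/agent/annotations_test.go
@@ -356,3 +356,33 @@ func TestInitEmptyPod(t *testing.T) {
 t.Errorf("got no error, shouldn have")
 }
 }
+
+func TestVaultNamespaceAnnotation(t *testing.T) {
+tests := []struct {
+key string
+value string
+expectedValue string
+}{
+{"", "", ""},
+{"vault.hashicorp.com/namespace", "", ""},
+{"vault.hashicorp.com/namespace", "foobar", "foobar"},
+{"vault.hashicorp.com/namespace", "fooBar", "fooBar"},
+}
+
+for _, tt := range tests {
+annotation := map[string]string{
+tt.key: tt.value,
+}
+pod := testPod(annotation)
+var patches []*jsonpatch.JsonPatchOperation
+
+agent, err := New(pod, patches)
+if err != nil {
+t.Errorf("got error, shouldn't have: %s", err)
+}
+
+if agent.Vault.Namespace != tt.expectedValue {
+t.Errorf("expected %s, got %s", tt.expectedValue, agent.Vault.Namespace)
+}
+}
+}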
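Review bot: After `t.Errorf` on a `New` failure the loop body goes on to read `agent.Vault.Namespace`; if `New` returns a nil `*Agent` alongside the error (its body is not in this diff), that dereference panics and hides the real failure message. Use `t.Fatalf("got error, shouldn't have: %s", err)` or `continue` after the `Errorf`. The first table row `{"", "", ""}` also registers an annotation with an empty-string key rather than exercising a pod with no namespace annotation at all, which is the case the production path actually sees; a row that passes an empty map would cover that more honestly. There is no matching test for `AnnotationVaultLogLevel` being defaulted by `Init`.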
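--- a/agent-inject/agent/config.go
+++ b/agent-inject/agent/config.go
@@ -107,6 +107,7 @@ func (a *Agent) newConfig(init bool) ([]byte, error) {
 AutoAuth: &AutoAuth{
 Method: &Method{
 Type: "kubernetes",
+Namespace: a.Vault.Namespace,
 MountPath: a.Vault.AuthPath,
 Config: map[string]interface{}{
 "role": a.Vault.Role,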
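Review bot: `Namespace: a.Vault.Namespace` is the only place in this commit where the annotation value reaches the generated agent config, and it lands on the Kubernetes auto-auth `Method`, i.e. it scopes the login; whether secret reads driven by templates also honour it depends on Vault Agent behaviour that is not visible here, so the agent.go comment promising that it is "prepend[ed] to secret paths" should either be softened to "the Vault namespace the agent authenticates to" or the value should additionally be exported to the container (a `VAULT_NAMESPACE` env var next to the new `VAULT_LOG_LEVEL` in container_env.go would be the natural spot) if template reads need it. The value is also assigned unconditionally; if `Method.Namespace` is serialised without an omitempty-style tag, every pod without the annotation ships a `namespace: ""` entry, which is presumably harmless but worth confirming against how `Method` is encoded. `newConfig` continues outside the hunk.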
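--- a/agent-inject/agent/container_env.go
+++ b/agent-inject/agent/container_env.go
@@ -10,6 +10,11 @@ import (
 func (a *Agent) ContainerEnvVars(init bool) ([]corev1.EnvVar, error) {
 var envs []corev1.EnvVar
 
+envs = append(envs, corev1.EnvVar{
+Name: "VAULT_TOKEN",
+Value: "/home/vault/.vault-token",
+})
+
 if a.Vault.ClientTimeout != "" {
 envs = append(envs, corev1.EnvVar{
 Name: "VAULT_CLIENT_TIMEOUT",
@@ -24,6 +29,13 @@ func (a *Agent) ContainerEnvVars(init bool) ([]corev1.EnvVar, error) {
 })
 }
 
+if a.Vault.LogLevel != "" {
+envs = append(envs, corev1.EnvVar{
+Name: "VAULT_LOG_LEVEL",
+Value: a.Vault.LogLevel,
+})
+}
+
 if a.ConfigMapName == "" {
 config, err := a.newConfig(init)
 if err != nil {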
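Review bot: `VAULT_TOKEN` is the variable Vault's API client and CLI read as the token value itself, yet the first hunk sets it to a file path, so any `vault` CLI invocation inside the injected containers would present the literal string `/home/vault/.vault-token` as its token and be rejected. If the intent is to tell the agent where its sink file lives, that belongs in the sink configuration rather than in this variable, and if it is deliberate for some other reason the line needs a comment saying so, e.g. `// VAULT_TOKEN is set to the sink file path, not a token, because <reason>.` Unlike the other variables in this function it is also added unconditionally and to both the init and sidecar containers, which the commit message does not mention. The `VAULT_LOG_LEVEL` addition in the second hunk is fine; `ContainerEnvVars` continues past it.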
12 changes: 6 additions & 6 deletions agent-inject/agent/container_env_test.go
Expand Up @@ -12,12 +12,12 @@ func TestContainerEnvs(t *testing.T) {
agent Agent
expectedEnvs []string
}{
{Agent{}, []string{"VAULT_CONFIG"}},
{Agent{ConfigMapName: "foobar"}, []string{}},
{Agent{Vault: Vault{ClientMaxRetries: "0"}}, []string{"VAULT_CONFIG", "VAULT_MAX_RETRIES"}},
{Agent{Vault: Vault{ClientTimeout: "5s"}}, []string{"VAULT_CONFIG", "VAULT_CLIENT_TIMEOUT"}},
{Agent{Vault: Vault{ClientMaxRetries: "0", ClientTimeout: "5s"}}, []string{"VAULT_CONFIG", "VAULT_MAX_RETRIES", "VAULT_CLIENT_TIMEOUT"}},
{Agent{ConfigMapName: "foobar", Vault: Vault{ClientMaxRetries: "0", ClientTimeout: "5s"}}, []string{"VAULT_MAX_RETRIES", "VAULT_CLIENT_TIMEOUT"}},
{Agent{}, []string{"VAULT_CONFIG", "VAULT_TOKEN"}},
{Agent{ConfigMapName: "foobar"}, []string{"VAULT_TOKEN"}},
{Agent{Vault: Vault{ClientMaxRetries: "0"}}, []string{"VAULT_CONFIG", "VAULT_MAX_RETRIES", "VAULT_TOKEN"}},
{Agent{Vault: Vault{ClientTimeout: "5s"}}, []string{"VAULT_CONFIG", "VAULT_CLIENT_TIMEOUT", "VAULT_TOKEN"}},
{Agent{Vault: Vault{ClientMaxRetries: "0", ClientTimeout: "5s"}}, []string{"VAULT_CONFIG", "VAULT_MAX_RETRIES", "VAULT_CLIENT_TIMEOUT", "VAULT_TOKEN"}},
{Agent{ConfigMapName: "foobar", Vault: Vault{ClientMaxRetries: "0", ClientTimeout: "5s", LogLevel: "info"}}, []string{"VAULT_MAX_RETRIES", "VAULT_CLIENT_TIMEOUT", "VAULT_LOG_LEVEL", "VAULT_TOKEN"}},
}

for _, tt := range tests {
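Review bot: Every expected slice lists `VAULT_TOKEN` last, while `ContainerEnvVars` now appends it first; the comparison loop is outside this hunk, so this is only correct if it ignores order, and if it is positional every new row fails. Making the expected order match the emission order (`VAULT_TOKEN` first) would keep the table valid either way. There is no row that sets only `LogLevel`, so a regression in the `VAULT_LOG_LEVEL` branch would be masked by the other variables in the last row; I would add `{Agent{Vault: Vault{LogLevel: "debug"}}, []string{"VAULT_TOKEN", "VAULT_CONFIG", "VAULT_LOG_LEVEL"}},` and a check that its value is carried through.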
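--- a/agent-inject/agent/container_sidecar.go
+++ b/agent-inject/agent/container_sidecar.go
@@ -15,6 +15,7 @@ const (
 DefaultResourceRequestCPU = "250m"
 DefaultResourceRequestMem = "64Mi"
 DefaultContainerArg = "echo ${VAULT_CONFIG?} | base64 -d > /tmp/config.json && vault agent -config=/tmp/config.json"
+DefaultAgentLogLevel = "info"
 )
 
 // ContainerSidecar creates a new container to be added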
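Review bot: `DefaultAgentLogLevel` is exported and consumed from another file (`Init` in annotations.go writes it into the log-level annotation), but it carries no doc comment, and its neighbours in this block give no hint that it is an annotation default rather than a container setting. A one-liner would do: `// DefaultAgentLogLevel is the Vault Agent log level Init applies when the log-level annotation is absent.` Given that its only visible consumer is in annotations.go, it may also fit better next to the other annotation defaults there, but that is a matter of taste.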
30 changes: 24 additions & 6 deletions agent-inject/agent/container_sidecar_test.go
Expand Up @@ -30,18 +30,35 @@ func TestContainerSidecar(t *testing.T) {
t.Errorf("creating container sidecar failed, it shouldn't have: %s", err)
}

if len(container.Env) != 1 {
t.Errorf("wrong number of env vars, got %d, should have been %d", len(container.Env), 1)
expectedEnvs := 3
if len(container.Env) != expectedEnvs {
t.Errorf("wrong number of env vars, got %d, should have been %d", len(container.Env), expectedEnvs)
}

if container.Env[0].Name != "VAULT_CONFIG" {
t.Errorf("env name wrong, should have been %s, got %s", "VAULT_CONFIG", container.Env[0].Name)
if container.Env[0].Name != "VAULT_TOKEN" {
t.Errorf("env name wrong, should have been %s, got %s", "VAULT_TOKEN", container.Env[0].Name)
}

if container.Env[0].Value == "" {
t.Error("env value empty, it shouldn't be")
}

if container.Env[1].Name != "VAULT_LOG_LEVEL" {
t.Errorf("env name wrong, should have been %s, got %s", "VAULT_LOG_LEVEL", container.Env[1].Name)
}

if container.Env[1].Value == "" {
t.Error("env value empty, it shouldn't be")
}

if container.Env[2].Name != "VAULT_CONFIG" {
t.Errorf("env name wrong, should have been %s, got %s", "VAULT_CONFIG", container.Env[2].Name)
}

if container.Env[2].Value == "" {
t.Error("env value empty, it shouldn't be")
}

if len(container.Args) != 1 {
t.Errorf("wrong number of args, got %d, should have been %d", len(container.Args), 1)
}
Expand Down Expand Up @@ -104,8 +121,9 @@ func TestContainerSidecarConfigMap(t *testing.T) {
t.Errorf("creating container sidecar failed, it shouldn't have: %s", err)
}

if len(container.Env) != 0 {
t.Errorf("wrong number of env vars, got %d, should have been %d", len(container.Env), 0)
expectedEnvs := 2
if len(container.Env) != expectedEnvs {
t.Errorf("wrong number of env vars, got %d, should have been %d", len(container.Env), expectedEnvs)
}

arg := fmt.Sprintf("vault agent -config=%s/config.hcl", configVolumePath)
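Review bot: The three value checks in the first hunk only assert non-empty, so the test would still pass if the log level defaulted to the wrong string; `Env[1]` should pin the default, `if container.Env[1].Value != DefaultAgentLogLevel { t.Errorf("log level wrong, should have been %s, got %s", DefaultAgentLogLevel, container.Env[1].Value) }`, assuming the test pod was run through `Init` (the setup is above the hunk). The identical `"env value empty, it shouldn't be"` message on all three branches does not say which variable was empty; including `container.Env[i].Name` in the message makes a failure readable. Positional `Env[0]`/`Env[1]`/`Env[2]` checks will also break the moment another variable is inserted, as this very commit did; building a name→value map from `container.Env` and looking up the three names would survive reordering. Both test functions start outside their hunks.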
18 changes: 9 additions & 9 deletions subcommand/injector/command.go
Expand Up @@ -27,15 +27,15 @@ import (
type Command struct {
UI cli.Ui

flagListen string // Address of Vault Server
flagLogLevel string // Log verbosity
flagCertFile string // TLS Certificate to serve
flagKeyFile string // TLS private key to serve
flagAutoName string // MutatingWebhookConfiguration for updating
flagAutoHosts string // SANs for the auto-generated TLS cert.
flagVaultService string // Name of the Vault service
flagVaultImage string // Name of the Vault Image to use
flagVaultAuthPath string // Mount Path of the Vault Kubernetes Auth Method
flagListen string // Address of Vault Server
flagLogLevel string // Log verbosity
flagCertFile string // TLS Certificate to serve
flagKeyFile string // TLS private key to serve
flagAutoName string // MutatingWebhookConfiguration for updating
flagAutoHosts string // SANs for the auto-generated TLS cert.
flagVaultService string // Name of the Vault service
flagVaultImage string // Name of the Vault Image to use
flagVaultAuthPath string // Mount Path of the Vault Kubernetes Auth Method

flagSet *flag.FlagSet

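--- a/subcommand/injector/flags.go
+++ b/subcommand/injector/flags.go
@@ -45,7 +45,6 @@ type Specification struct {
 
 // VaultAuthPath is the AGENT_INJECT_VAULT_AUTH_PATH environment variable.
 VaultAuthPath string `split_words:"true"`
-
 }
 
 func (c *Command) init() {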