feat: Surface plugin secret fetch errors in docker compose logs via shared log file#72
Closed
j4anvii wants to merge 10 commits into
Closed
feat: Surface plugin secret fetch errors in docker compose logs via shared log file#72j4anvii wants to merge 10 commits into
j4anvii wants to merge 10 commits into
Conversation
… error logging - Added a new `plugin_logger.go` file to manage rotating file logging for plugin logs. - Introduced environment variables `PLUGIN_LOG_PATH` and `PLUGIN_LOG_MAX_SIZE_MB` for configurable log settings. - Updated `main.go` to initialize file logging and handle log file closure on exit. - Enhanced error logging in `driver.go` to provide more context on failures. - Updated `config.json` to include new log path and size settings. - Expanded documentation in `readme.md` and `debugging.md` to guide users on enabling and using plugin logging. Signed-off-by: Janvi Kumari <janvikumari010305@gmail.com>
…or log visibility Signed-off-by: Janvi Kumari <janvikumari010305@gmail.com>
Signed-off-by: Janvi Kumari <janvikumari010305@gmail.com>
Author
|
@sanjay7178 PTAL! |
sanjay7178
reviewed
Mar 2, 2026
Member
sanjay7178
left a comment
sanjay7178
left a comment
There was a problem hiding this comment.
See as par I mentioned in the github issue , it writes the logs defaults to /run/swarm-external-secrets/plugin.log , here are some changes I request
- use
LOG_LEVEL, which is tends to be a integer ranges from 1-5 (means Trace, Debug, Info, Warning, Error, Fatal and Panic used logrus) , if this value is present only should log the file append by default log path/run/swarm-external-secrets/plugin.log - make
PLUGIN_LOG_PATHoptional , if this set it overrides the log path user defined path .
Member
|
also fix the github CI issues , I seen the screen recording , it seems you're not using secrets provider to validate the functionality of the logging logic . |
- Introduced a new environment variable `LOG_LEVEL` to configure logging levels (1=Trace, 2=Debug, 3=Info, 4=Warn, 5=Error). - Updated `plugin_logger.go` to parse and apply the log level setting, enabling more granular control over log verbosity. - Modified `config.json` to include the new `LOG_LEVEL` setting with a description for user guidance. Signed-off-by: Janvi Kumari <janvikumari010305@gmail.com>
Author
|
here is the new logs https://paste.opensuse.org/pastes/7b4097e0a478 (convert this in ansi view) it uses vault secrets provider (see provider=vault) I have ran the pipelines in j4anvii#4 and all are passing after the addition of commits bebeaea 41e5283 |
- Changed directory permissions for the log directory from 0755 to 0750 for enhanced security. - Updated log file permissions from 0644 to 0600 to restrict access to the owner only. - Added commands in the smoke test helper script to create the log directory with the new permissions. Signed-off-by: Janvi Kumari <janvikumari010305@gmail.com>
…ient key fields - Updated AWS, OpenBao, and Vault configuration structs to include #nosec annotations for ClientKey and AccessKey fields, indicating they are not secret values. - Ensured compliance with security best practices by clarifying the nature of these fields. Signed-off-by: Janvi Kumari <janvikumari010305@gmail.com>
Contributor
There was a problem hiding this comment.
Pull request overview
Adds a host-mounted, rotating file logger for the Docker Swarm secrets plugin so plugin errors (notably secret fetch failures) can be surfaced via a log-tail sidecar and viewed in compose/stack logs, addressing the debugging gap described in Issue #54.
Changes:
- Introduces
plugin_logger.gowith a rotating file writer configured viaLOG_LEVEL,PLUGIN_LOG_PATH, andPLUGIN_LOG_MAX_SIZE_MB. - Updates plugin startup/shutdown and request error paths to emit structured error logs to the shared log file.
- Updates deployment artifacts (plugin
config.jsonmount, compose sidecar, scripts, and docs) to support the shared log directory and recommended debugging flow.
Reviewed changes
Copilot reviewed 11 out of 12 changed files in this pull request and generated 6 comments.
Show a summary per file
| File | Description |
|---|---|
| scripts/tests/smoke-test-helper.sh | Creates the host log directory before enabling the plugin in smoke tests. |
| scripts/deploy.sh | Creates the host log directory as part of deployment. |
| scripts/demo-rotation.sh | Minor formatting/line-fix in demo script output. |
| providers/vault.go | Adds #nosec annotation related to TLS client key path field. |
| providers/openbao.go | Adds #nosec annotation related to TLS client key path field. |
| providers/aws.go | Adds #nosec annotation related to AWS access key identifier field. |
| plugin_logger.go | New rotating file logger and file logging setup logic. |
| main.go | Initializes plugin file logging and changes fatal paths to os.Exit. |
| driver.go | Adds logPluginError helper and uses it in secret fetch error paths. |
| docs/debugging.md | Recommends tailing the shared log file as the preferred debugging method. |
| docker-compose.yml | Adds a secrets-logger sidecar to tail the shared plugin log file. |
| config.json | Adds a bind mount for /run/swarm-external-secrets and new logging-related env vars. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Member
|
@j4anvii can you please resolve the changes requested by copilot ? |
- Updated the `secrets-logger` service in `docker-compose.yml` to include a timeout mechanism for waiting on the log file, providing clearer error messages if the file is not found. - Refactored `main.go` to handle errors more gracefully, replacing `os.Exit(1)` with error returns for better control over application flow. - Improved log file rotation logic in `plugin_logger.go` to ensure file descriptors remain valid during renaming operations. - Added documentation in `debugging.md` to clarify the requirement of setting `LOG_LEVEL` for file logging to be active. Signed-off-by: Janvi Kumari <janvikumari010305@gmail.com>
Author
|
@sanjay7178 done |
Signed-off-by: Janvi Kumari <janvikumari010305@gmail.com>
Member
|
Can you please check the comment mentioned in config.json , needs a change to test it . Please test whether it works or not locally , don't make a commit , if it's works let me know . |
Author
|
@sanjay7178 yes, it works i put this in my code |
Member
|
I mean custom log path ? |
Author
|
@sanjay7178 verified Its custom.log instead of plugin.log |
Author
|
please let me know if any other changes are needed @sanjay7178 |
Member
|
Please resolve the pending comments first , I would look this PR later , thanks . |
Author
|
done @sanjay7178 |
Member
|
/priority P1 |
Collaborator
|
hey @sanjay7178 is this PR open or should i review once and check if the issue is really solved or not? |
Member
|
Contributor might not be active rn . you may raise PR , referring to these changes . |
Member
|
closing as it is stale |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Type of change
Mention the secrets provider
Description
This pull request introduces a new file-based logging mechanism for the plugin, allowing logs to be written to a host-mounted file with rotation support. It also updates configuration and deployment files to support this feature and improves error handling and logging throughout the codebase.
Plugin Logging Enhancements
plugin_logger.gomodule that implements file-based logging with log rotation for the plugin, configurable via environment variables (PLUGIN_LOG_PATHandPLUGIN_LOG_MAX_SIZE_MB).main.goto initialize and clean up the plugin log file writer, and to ensure errors are logged to both the file and stderr. Fatal errors now useos.Exit(1)for proper shutdown. [1] [2] [3]Configuration and Deployment Updates
/run/swarm-external-secretsinconfig.jsonto support log file sharing, and introduced new environment variables for log path and size configuration. [1] [2]docker-compose.ymlto add asecrets-loggersidecar service that tails the plugin log file for easier debugging.scripts/deploy.shto create the plugin log directory on the host with proper permissions.Debugging and Documentation
docs/debugging.mdto recommend tailing the plugin log file as the preferred debugging method, with fallback to daemon logs.Error Handling Improvements
logPluginErrormethod indriver.go, improving visibility of plugin errors in the log file. [1] [2] [3] [4]Commands & Configuration to test
Screen.Recording.2026-03-03.at.12.02.18.AM.mp4
commands to run to test it out (im giving my zshhistory)
Screenshots & Logs
n/a
Related Tickets & Documents