lrstanley / vault-unseal

auto-unseal utility for Hashicorp Vault
MIT License

feat: add kubernetes proxy #44

Closed M0NsTeRRR closed 3 months ago

M0NsTeRRR commented 7 months ago

M0NsTeRRR commented 7 months ago

Hello, with my little knowledge of Go I've implemented #41. I don't write much Go, so perhaps the code isn't optimized and needs refactoring. It uses Kubernetes pod discovery with label filtering and allows for unsealing a Vault cluster through a Kubernetes proxy.

Output log on a vault cluster with 3 nodes, 5 unseal keys (3 keys required):

timestamp=2024-03-06T22:02:57.694760345+01:00 level=warn message="found 5 tokens in the config, make sure this is not a security risk" environment= version=master
timestamp=2024-03-06T22:02:57.694812953+01:00 level=info message="updated config" environment= path=vault-unseal.conf version=master
timestamp=2024-03-06T22:02:57.737941131+01:00 level=info message="invoking worker" addr=vault-0 environment= version=master
timestamp=2024-03-06T22:02:57.737985375+01:00 level=info message="invoking worker" addr=vault-1 environment= version=master
timestamp=2024-03-06T22:02:57.737998682+01:00 level=info message="invoking worker" addr=vault-2 environment= version=master
timestamp=2024-03-06T22:02:57.738056341+01:00 level=info message="starting notifier" environment= version=master
timestamp=2024-03-06T22:03:12.738525539+01:00 level=info message="running checks" environment= podAddr=https:vault-0:8200 version=master
timestamp=2024-03-06T22:03:12.738568734+01:00 level=info message="running checks" environment= podAddr=https:vault-1:8200 version=master
timestamp=2024-03-06T22:03:12.738985154+01:00 level=info message="running checks" environment= podAddr=https:vault-2:8200 version=master
timestamp=2024-03-06T22:03:12.758897957+01:00 level=info message="seal status" environment= podAddr=https:vault-2:8200 version=master
timestamp=2024-03-06T22:03:12.75933722+01:00 level=info message="seal status" environment= podAddr=https:vault-1:8200 version=master
timestamp=2024-03-06T22:03:12.759356204+01:00 level=info message="using unseal token" environment= podAddr=https:vault-1:8200 progress=0 token=1 total=0 version=master
timestamp=2024-03-06T22:03:12.760659363+01:00 level=info message="seal status" environment= podAddr=https:vault-0:8200 version=master
timestamp=2024-03-06T22:03:12.762882619+01:00 level=info message="token successfully sent" environment= podAddr=https:vault-1:8200 version=master
timestamp=2024-03-06T22:03:12.762898502+01:00 level=info message="using unseal token" environment= podAddr=https:vault-1:8200 progress=0 token=2 total=0 version=master
timestamp=2024-03-06T22:03:12.765348567+01:00 level=info message="token successfully sent" environment= podAddr=https:vault-1:8200 version=master
timestamp=2024-03-06T22:03:12.765364504+01:00 level=info message="using unseal token" environment= podAddr=https:vault-1:8200 progress=0 token=3 total=0 version=master
timestamp=2024-03-06T22:03:12.845054256+01:00 level=info message="token successfully sent" environment= podAddr=https:vault-1:8200 version=master
timestamp=2024-03-06T22:03:12.845095172+01:00 level=error message=notify-error environment= error="error: (was sealed) https:vault-1:8200 now unsealed with tokens" version=master
timestamp=2024-03-06T22:03:12.845125085+01:00 level=info message="using unseal token" environment= podAddr=https:vault-1:8200 progress=0 token=4 total=0 version=master
timestamp=2024-03-06T22:03:12.849603793+01:00 level=info message="token successfully sent" environment= podAddr=https:vault-1:8200 version=master
timestamp=2024-03-06T22:03:12.849630756+01:00 level=error message=notify-error environment= error="error: (was sealed) https:vault-1:8200 now unsealed with tokens" version=master
timestamp=2024-03-06T22:03:12.849646311+01:00 level=info message="using unseal token" environment= podAddr=https:vault-1:8200 progress=0 token=5 total=0 version=master
timestamp=2024-03-06T22:03:12.853270514+01:00 level=info message="token successfully sent" environment= podAddr=https:vault-1:8200 version=master
timestamp=2024-03-06T22:03:12.853291718+01:00 level=error message=notify-error environment= error="error: (was sealed) https:vault-1:8200 now unsealed with tokens" version=master
timestamp=2024-03-06T22:03:27.759391237+01:00 level=info message="running checks" environment= podAddr=https:vault-2:8200 version=master
timestamp=2024-03-06T22:03:27.761531218+01:00 level=info message="running checks" environment= podAddr=https:vault-0:8200 version=master
timestamp=2024-03-06T22:03:27.763920858+01:00 level=info message="seal status" environment= podAddr=https:vault-2:8200 version=master
timestamp=2024-03-06T22:03:27.765360156+01:00 level=info message="seal status" environment= podAddr=https:vault-0:8200 version=master
timestamp=2024-03-06T22:03:27.853583663+01:00 level=info message="running checks" environment= podAddr=https:vault-1:8200 version=master
timestamp=2024-03-06T22:03:27.857483301+01:00 level=info message="seal status" environment= podAddr=https:vault-1:8200 version=master
timestamp=2024-03-06T22:03:42.769256896+01:00 level=info message="running checks" environment= podAddr=https:vault-0:8200 version=master
timestamp=2024-03-06T22:03:42.769289256+01:00 level=info message="running checks" environment= podAddr=https:vault-2:8200 version=master
timestamp=2024-03-06T22:03:42.7727619+01:00 level=info message="seal status" environment= podAddr=https:vault-0:8200 version=master
timestamp=2024-03-06T22:03:42.77518038+01:00 level=info message="seal status" environment= podAddr=https:vault-2:8200 version=master
timestamp=2024-03-06T22:03:42.858370955+01:00 level=info message="running checks" environment= podAddr=https:vault-1:8200 version=master
timestamp=2024-03-06T22:03:42.862355614+01:00 level=info message="seal status" environment= podAddr=https:vault-1:8200 version=master
^Ctimestamp=2024-03-06T22:03:43.630113475+01:00 level=info message="invoked termination, cleaning up" environment= version=master
timestamp=2024-03-06T22:03:43.630174432+01:00 level=info message="closing worker" environment= podAddr=https:vault-1:8200 version=master
timestamp=2024-03-06T22:03:43.630180719+01:00 level=info message="closing worker" environment= podAddr=https:vault-2:8200 version=master

The documentation needs to be updated, but I'll do it once the code is stable.
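As an added example (not code from this PR or from the vault-unseal project), the flow the log above records for one worker: address a Vault pod through the API-server pod proxy, read /sys/seal-status, and submit shares only until the node reports unsealed, rather than pushing every configured share (the log shows tokens 4 and 5 still being sent to vault-1 after it was already unsealed). It assumes the caller's http.Client already carries the API-server credentials and TLS settings, and the names ProxyBase, decode and Unseal are the example's own.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
)

type SealStatus struct {
	Sealed   bool `json:"sealed"`
	T        int  `json:"t"`        // shares required (threshold)
	Progress int  `json:"progress"` // shares accepted so far
}

// ProxyBase builds the API-server pod-proxy prefix for one Vault pod; the
// "https:<pod>:<port>" segment is the same addressing as podAddr in the PR log.
func ProxyBase(apiServer, namespace, pod string, port int) string {
	return fmt.Sprintf("%s/api/v1/namespaces/%s/pods/https:%s:%d/proxy/v1/sys",
		apiServer, namespace, pod, port)
}

// decode reads the seal status both GET /seal-status and POST /unseal return.
// A non-200 reply (proxy 403, Vault 400 on a bad share) must be an error,
// never a zero struct that would read as "unsealed".
func decode(resp *http.Response, err error) (st SealStatus, _ error) {
	if err != nil {
		return st, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return st, fmt.Errorf("%s: HTTP %d", resp.Request.URL, resp.StatusCode)
	}
	return st, json.NewDecoder(resp.Body).Decode(&st)
}

// Unseal submits shares one at a time and stops as soon as the node reports
// unsealed, so at most t shares leave the unsealer; it returns how many were sent.
func Unseal(c *http.Client, base string, keys []string) (sent int, err error) {
	st, err := decode(c.Get(base + "/seal-status"))
	for err == nil && st.Sealed {
		if sent == len(keys) {
			return sent, fmt.Errorf("still sealed: progress %d/%d", st.Progress, st.T)
		}
		body, _ := json.Marshal(map[string]string{"key": keys[sent]})
		st, err = decode(c.Post(base+"/unseal", "application/json", bytes.NewReader(body)))
		sent++
	}
	return sent, err
}
func main() {}
```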

M0NsTeRRR commented 7 months ago

I need to handle discovery better, as autodiscovery is only executed at vault-unseal startup.

M0NsTeRRR commented 7 months ago

Okay, I think we're good for a first review. I've removed the pod discovery feature because it's rather pointless. When using retry_join, you need to write a static configuration in a ConfigMap for Vault, or you have to use the raft join command (so you know how many Vault pods you have). Additionally, it's not suitable because when a pod (Vault node) is down, you can't detect it during the unseal process as a basic discovery won't see it.

M0NsTeRRR commented 6 months ago

Hello @lrstanley, excuse me for this notification, but I will soon need this functionality to determine whether I should maintain my fork or if you will have time to review my pull request :) Regards,