Closed swarren83 closed 2 years ago
The error message works as expected.
{"level":"info","ts":1644609939.759981,"logger":"vault","msg":"Reconciliation is enabled.","ReconciliationTime":1800}
{"level":"error","ts":1644609939.7600644,"logger":"vault","msg":"missing secret vault-secrets-operator or bad path in volume","VaultFilePath":"","error":"open : no such file or directory","stacktrace":"main.main\n\t/workspace/main.go:54\nruntime.main\n\t/usr/local/go/src/runtime/proc.go:225"}
{"level":"error","ts":1644609939.7601416,"logger":"vault","msg":"missing secret vault-secrets-operator or bad path in volume","VaultFilePath":"","error":"open : no such file or directory","stacktrace":"main.main\n\t/workspace/main.go:54\nruntime.main\n\t/usr/local/go/src/runtime/proc.go:225"}
{"level":"error","ts":1644609939.8593178,"msg":"Could not create API client for Vault","error":"missing role id for AppRole auth method","stacktrace":"runtime.main\n\t/usr/local/go/src/runtime/proc.go:225"}
When properly configured, this works.
{"level":"info","ts":1644612622.3584888,"logger":"vault","msg":"Reconciliation is enabled.","ReconciliationTime":1800}
{"level":"info","ts":1644612622.9596415,"logger":"vault","msg":"Renew Vault token"}
I0211 20:50:24.458074 1 request.go:665] Waited for 1.09615634s due to client-side throttling, not priority and fairness, request: GET:https://100.65.0.1:443/apis/storage.k8s.io/v1?timeout=32s
{"level":"info","ts":1644612627.958312,"logger":"controller-runtime.metrics","msg":"metrics server is starting to listen","addr":":8080"}
{"level":"info","ts":1644612628.0630705,"logger":"setup","msg":"starting manager"}
I0211 20:50:28.063432 1 leaderelection.go:248] attempting to acquire leader lease test/vaultsecretsoperator.ricoberger.de...
{"level":"info","ts":1644612628.0639756,"msg":"starting metrics server","path":"/metrics"}
I0211 20:50:45.066971 1 leaderelection.go:258] successfully acquired lease test/vaultsecretsoperator.ricoberger.de
{"level":"info","ts":1644612645.0672915,"logger":"controller.vaultsecret","msg":"Starting EventSource","reconciler group":"ricoberger.de","reconciler kind":"VaultSecret","source":"kind source: /, Kind="}
{"level":"info","ts":1644612645.0673416,"logger":"controller.vaultsecret","msg":"Starting EventSource","reconciler group":"ricoberger.de","reconciler kind":"VaultSecret","source":"kind source: /, Kind="}
{"level":"info","ts":1644612645.067349,"logger":"controller.vaultsecret","msg":"Starting Controller","reconciler group":"ricoberger.de","reconciler kind":"VaultSecret"}
{"level":"info","ts":1644612647.36073,"logger":"controller.vaultsecret","msg":"Starting workers","reconciler group":"ricoberger.de","reconciler kind":"VaultSecret","worker count":1}
@ricoberger This is ready for review.
Hi @swarren83, thanks for your contribution. It looks like the approle
test is failing with your changes, can you have a look at it please?
I forgot to push some changes to the test file to ensure it would work. They have been pushed now. @ricoberger
@ricoberger I am not sure why this is failing. I need to add some debug output to the test. Is it okay to print the yaml for the pod and secret? I want to make sure the volumes are configured and mounted properly. Also want to check that the secret has the correct keys.
@swarren83 sure, thanks for debugging
Edit: If you have kind installed locally, you can also run the test via ./testbin/setup-kind-approle.sh
I have docker desktop but having trouble getting kubernetes to start up. If I can get it up and running before I fix it through the CI, I will figure out the fix locally and stop submitting so many commits :)
Got kubernetes running in docker desktop. Going to debug this locally...
@ricoberger I figured out the problem. I had volumeMounts outside of the image field. I pushed up the fix and now this should pass.
@ricoberger How do we want to handle backwards compatibility? Or do you want this to be a breaking change going forward? We can probably accept VAULT_ROLE_ID or VAULT_ROLE_ID_PATH in the setVaultIDs function.
Hi @swarren83, thanks again for your contribution 🙂 and for adding backwards compatibility. If the tests are green I would merge your PR if this is ok for you?
@ricoberger I would like to add tests that cover the backwards compatible code.
@ricoberger I split the kind cluster creation out and updated the workflow to run a test for approle with env vars and without. Have a look at the workflow and testbin code changes in the latest commit. I tested locally and they worked.
How do you want to document this, more secure(?), optional configuration of the Approle auth method?
@ricoberger I added some documentation for this new method. This is ready to be merged if you are happy with it.
Awesome, thank you very much 🙂
Closes Issue #146