-
Notifications
You must be signed in to change notification settings - Fork 3
Expand file tree
/
Copy pathmain.go
More file actions
238 lines (217 loc) · 7.32 KB
/
main.go
File metadata and controls
238 lines (217 loc) · 7.32 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
package main
import (
"fmt"
"net/http"
"os"
"github.com/hasura/hasura-secret-refresh/provider"
awsIamRds "github.com/hasura/hasura-secret-refresh/provider/aws_iam_auth_rds"
awsSm "github.com/hasura/hasura-secret-refresh/provider/aws_secrets_manager"
awsSmOauth "github.com/hasura/hasura-secret-refresh/provider/aws_sm_oauth"
azureKv "github.com/hasura/hasura-secret-refresh/provider/azure_key_vault"
"github.com/hasura/hasura-secret-refresh/server"
"github.com/rs/zerolog"
"github.com/spf13/viper"
)
const (
ConfigFileCliFlag = "config"
ConfigFileDefaultPath = "./config.json"
ConfigFileCliFlagDescription = "path to config file"
)
type DeploymentType string
const (
InitContainer DeploymentType = "initcontainer"
Sidecar DeploymentType = "sidecar"
)
const (
aws_secrets_manager = "proxy_aws_secrets_manager"
aws_sm_oauth = "proxy_awssm_oauth"
aws_sm_file = "file_aws_secrets_manager"
aws_iam_auth_rds = "file_aws_iam_auth_rds"
azure_key_vault = "proxy_azure_key_vault"
azure_key_vault_file = "file_azure_key_vault"
)
func main() {
viper.SetConfigName("config")
viper.SetConfigType("yaml")
// accept an environment variable for config path
// and set the same as the config path
// DEPRECATION: this environment variable will be deprecated in future in favour
// of `CONFIG_FILE`
if configPath := os.Getenv("CONFIG_PATH"); configPath != "" {
viper.AddConfigPath(configPath)
} else {
viper.AddConfigPath(".")
}
if configFile := os.Getenv("CONFIG_FILE"); configFile != "" {
viper.SetConfigFile(configFile)
}
if err := viper.ReadInConfig(); err != nil {
panic(fmt.Errorf("fatal error config file: %w", err))
}
logger := zerolog.New(os.Stderr).With().Timestamp().Logger()
configPath := viper.ConfigFileUsed()
logLevel := viper.GetString("log_config.level")
initLogger := logger.With().
Str("config_file_path", configPath).
Bool("is_default_path", isDefaultPath(configPath)).
Logger()
conf := viper.GetViper().AllSettings()
config, fileProviders, deploymentType, err := parseConfig(conf, logger)
if err != nil {
initLogger.Fatal().Err(err).Msg("Unable to parse config file")
}
zLogLevel := getLogLevel(logLevel, logger)
zerolog.SetGlobalLevel(zLogLevel)
totalProviders := len(fileProviders) + len(config.Providers)
logger.Info().Msgf("%d providers initialized: %d file provider, %d http provider",
totalProviders, len(fileProviders), len(config.Providers),
)
// if the type is init container, then we need to identify the last execution status to mark
// whether we are done with fileProvider or not?
// init-container cannot be used to detect loading of proxy based secret
// retriever
if deploymentType == InitContainer {
// Just run the refresh method and if anything fails, exit
for _, p := range fileProviders {
err := p.Refresh()
if err != nil {
// os.Exit() or something
logger.Err(err).Msg("Encountered an error while loading secrets from configured file providers")
os.Exit(1)
}
}
logger.Info().Msg("Loaded all secrets into file")
os.Exit(0)
// Exit gracefully
}
for _, p := range fileProviders {
go p.Start()
}
httpServer := server.Create(config, logger)
http.Handle("/", httpServer)
// add a healthcheck
http.HandleFunc("/healthz", func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(http.StatusOK)
})
refreshEndpoint := viper.GetString("refresh_config.endpoint")
if _, hasRefreshConfig := conf["refresh_config"]; hasRefreshConfig {
refreshConfig := make(map[string]provider.FileProvider)
for _, p := range fileProviders {
refreshConfig[p.FileName()] = p
}
refresher := server.RefreshConfig{refreshConfig, logger}
http.Handle(refreshEndpoint, refresher)
logger.Info().Msgf("Refresh endpoint set to: %s", refreshEndpoint)
}
err = http.ListenAndServe(":5353", nil)
if err != nil {
logger.Err(err).Msg("Error from server")
}
}
func getLogLevel(level string, logger zerolog.Logger) zerolog.Level {
levelMap := map[string]zerolog.Level{
"debug": zerolog.DebugLevel,
"info": zerolog.InfoLevel,
"error": zerolog.ErrorLevel,
}
zLevel, ok := levelMap[level]
if !ok {
logger.Info().Msg("Setting log level to 'info'")
return zerolog.InfoLevel
} else {
logger.Info().Msgf("Setting log level to '%s'", level)
return zLevel
}
}
func parseConfig(rawConfig map[string]interface{}, logger zerolog.Logger) (config server.Config, fileProviders []provider.FileProvider, deploymentType DeploymentType, err error) {
config.Providers = make(map[string]provider.HttpProvider)
fileProviders = make([]provider.FileProvider, 0, 0)
for k, v := range rawConfig {
if k == "type" {
t := v.(string)
switch t {
case "initcontainer":
deploymentType = InitContainer
default:
deploymentType = Sidecar
}
continue
}
if k == "log_config" || k == "refresh_config" {
continue
}
providerData, ok := v.(map[string]interface{})
if !ok {
logger.Error().Msgf("Failed to convert config to required type")
return
}
providerTypeI, found := providerData["type"]
if !found {
logger.Error().Msgf("Provider type not specified for %s. Ensure that the type is specified for every provider using the 'type' field", k)
return
}
providerType, ok := providerTypeI.(string)
if !ok {
logger.Error().Msgf("'type' of provider must be a string value")
return
}
sublogger := logger.With().Str("provider_name", k).Str("provider_type", providerType).Logger()
if providerType == aws_secrets_manager {
var provider_ provider.HttpProvider
provider_, err = awsSm.Create(providerData, sublogger)
if err != nil {
sublogger.Err(err).Msgf("Error creating provider")
return
}
config.Providers[k] = provider_
} else if providerType == aws_sm_oauth {
var provider_ provider.HttpProvider
provider_, err = awsSmOauth.Create(providerData, sublogger)
if err != nil {
sublogger.Err(err).Msgf("Error creating provider")
return
}
config.Providers[k] = provider_
} else if providerType == aws_sm_file {
var fProvider_ provider.FileProvider
fProvider_, err = awsSm.CreateAwsSecretsManagerFile(providerData, sublogger)
if err != nil {
sublogger.Err(err).Msgf("Error creating provider")
return
}
fileProviders = append(fileProviders, fProvider_)
} else if providerType == aws_iam_auth_rds {
var iamProvider provider.FileProvider
iamProvider, err = awsIamRds.New(providerData, sublogger)
if err != nil {
sublogger.Err(err).Msgf("Error creating provider")
return
}
fileProviders = append(fileProviders, iamProvider)
} else if providerType == azure_key_vault {
var provider_ provider.HttpProvider
provider_, err = azureKv.Create(providerData, sublogger)
if err != nil {
sublogger.Err(err).Msgf("Error creating provider")
return
}
config.Providers[k] = provider_
} else if providerType == azure_key_vault_file {
var fProvider_ provider.FileProvider
fProvider_, err = azureKv.CreateAzureKeyVaultFile(providerData, sublogger)
if err != nil {
sublogger.Err(err).Msgf("Error creating provider")
return
}
fileProviders = append(fileProviders, fProvider_)
} else {
err = fmt.Errorf("Unknown provider type '%s' specified for provider '%s'", providerType, k)
logger.Err(err).Msgf("Error in config")
return
}
}
return
}
func isDefaultPath(configPath string) bool {
return configPath == ConfigFileDefaultPath
}