From 719f8b564a02b2234f6970b2e4b9dd4c1923064d Mon Sep 17 00:00:00 2001 From: Shifna12Zarnaz Date: Tue, 19 Sep 2023 12:30:54 +0530 Subject: [PATCH] Modified vault unseal --- internal/client/vault_seal.go | 9 ++---- internal/job/vault_seal_watcher.go | 48 +++++------------------------- 2 files changed, 10 insertions(+), 47 deletions(-) diff --git a/internal/client/vault_seal.go b/internal/client/vault_seal.go index 3a114187..cba4b038 100644 --- a/internal/client/vault_seal.go +++ b/internal/client/vault_seal.go @@ -21,7 +21,6 @@ func (vc *VaultClient) IsVaultSealed() (bool, error) { func (vc *VaultClient) Unseal() error { - vc.log.Info("Unsealing for first instance inside unseal func") status, err := vc.c.Sys().SealStatus() if err != nil { return err @@ -30,14 +29,13 @@ func (vc *VaultClient) Unseal() error { if !status.Sealed { return nil } - vc.log.Info("Status",status) + rootToken, unsealKeys, err := vc.getVaultSecretValues() if err != nil { return err } - vc.log.Info("Root Token",rootToken) - vc.log.Info("Unseal Keys",unsealKeys) + if !status.Initialized && len(rootToken) == 0 && len(unsealKeys) == 0 { vc.log.Debug("intializing vault secret") err = vc.initializeVaultSecret() @@ -59,8 +57,7 @@ func (vc *VaultClient) Unseal() error { func (vc *VaultClient) initializeVaultSecret() error { unsealKeys, rootToken, err := vc.generateUnsealKeys() - vc.log.Info("Unseal Keys",unsealKeys) - vc.log.Info("Root token",rootToken) + if err != nil { return errors.WithMessage(err, "error while generating unseal keys") } diff --git a/internal/job/vault_seal_watcher.go b/internal/job/vault_seal_watcher.go index a6436a56..5abe7679 100644 --- a/internal/job/vault_seal_watcher.go +++ b/internal/job/vault_seal_watcher.go @@ -32,7 +32,7 @@ func (v *VaultSealWatcher) CronSpec() string { func (v *VaultSealWatcher) Run() { v.log.Debug("started vault seal watcher job") - + var leaderpodip string addresses := []string{ v.conf.Address, v.conf.Address2, 
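Review bot: The removed `vc.log.Info("Root Token",rootToken)` and `vc.log.Info("Unseal Keys",unsealKeys)` lines in Unseal (and the matching pair in initializeVaultSecret in the next hunk) wrote the root token and the unseal key shares to the log at Info level, so any log sink that received output from the previous build holds everything needed to unseal and fully administer Vault; stopping the logging does not undo that exposure. Treat those values as compromised on every environment that ran the old code: rekey the unseal keys (`vault operator rekey`), revoke and regenerate the root token, and say so in the commit message so operators know to act. The deleted lines were replaced with bare `+` empty lines, which leave doubled blank lines gofmt would not emit; drop them rather than keep placeholders. Unseal's body continues past this hunk.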
@@ -48,16 +48,13 @@ func (v *VaultSealWatcher) Run() { v.log.Errorf("Error while retrieving vault instances %s", err) return } - + var vc *client.VaultClient var vaultClients []*client.VaultClient for _, address := range addresses { - conf := v.conf + conf := v.conf conf.Address = address - - v.log.Debug("Address Configuration", conf) - vc, err := client.NewVaultClient(v.log, conf) if err != nil { @@ -67,14 +64,13 @@ func (v *VaultSealWatcher) Run() { vaultClients = append(vaultClients, vc) } - v.log.Debug("Vault Clients", vaultClients) if v.conf.HAEnabled { v.log.Infof("HA ENABLED", v.conf.HAEnabled) for _, svc := range podname { - var leaderpodip string + switch svc { case "vault-hash-0": vc = vaultClients[0] @@ -87,7 +83,7 @@ func (v *VaultSealWatcher) Run() { vc = vaultClients[2] v.log.Debug("Vault Client", vc) default: - // Handle the case where the service name doesn't match any of the instances + } podip, err := vc.GetPodIP(svc, v.conf.VaultSecretNameSpace) @@ -107,20 +103,13 @@ func (v *VaultSealWatcher) Run() { if svc == "vault-hash-0" { v.log.Info("Unsealing for first instance") - podip, err := vc.GetPodIP(svc, "default") + podip, err := vc.GetPodIP(svc, v.conf.VaultSecretNameSpace) leaderpodip = podip v.log.Info("Leader Ip", leaderpodip) if err != nil { v.log.Errorf("failed to retrieve pod ip, %s", err) return } - - // _, unsealKeys, err := vc.GetVaultSecretValuesforMultiInstance() - // if err != nil { - // v.log.Errorf("Failed to fetch the credential: %v\n", err) - // return - // } - //err = vc.UnsealVaultInstance(podip,unsealKeys) err = vc.Unseal() if err != nil { v.log.Errorf("failed to unseal vault, %s", err) @@ -136,7 +125,7 @@ func (v *VaultSealWatcher) Run() { } v.log.Info("Leader Address", leaderaddr) podip, err := vc.GetPodIP(svc, v.conf.VaultSecretNameSpace) - v.log.Info("Unsealing for second % vinstance", podip) + v.log.Infof("Unsealing for second %v instance", podip) if err != nil { v.log.Errorf("failed to retrieve pod ip, %s", err) return 
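Review bot: The new function-scope `var vc *client.VaultClient` is shadowed inside the loop by `vc, err := client.NewVaultClient(v.log, conf)`, so the outer `vc` stays nil until the switch further down assigns it, and two same-named variables in adjacent scopes make it easy to misread which client a later call uses. Rename the loop-local one, e.g. `c, err := client.NewVaultClient(v.log, conf)` with `vaultClients = append(vaultClients, c)` in the following hunk, or drop the outer declaration and declare `vc` where the switch first needs it. The body of `if err != nil {` is outside this hunk; if it `continue`s rather than returns, `vaultClients` can come out shorter than the three entries the switch later indexes by position. Run's body starts before and ends after this hunk.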
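Review bot: `vc = vaultClients[0]` (and the `[1]`/`[2]` cases that follow) index the slice by position with no length check, which panics with an index-out-of-range if fewer than three clients were built in the loop above. Add a guard before `for _, svc := range podname`, e.g. `if len(vaultClients) != len(addresses) { v.log.Errorf("expected %d vault clients, got %d", len(addresses), len(vaultClients)); return }`. While here, `v.log.Infof("HA ENABLED", v.conf.HAEnabled)` passes an argument with no format verb, which `go vet` flags; use `v.log.Infof("HA enabled: %v", v.conf.HAEnabled)`. The enclosing loop continues past this hunk.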
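Review bot: The `default:` branch of `switch svc` is now empty, so a pod name that matches none of the three cases falls through to `vc.GetPodIP(svc, v.conf.VaultSecretNameSpace)` with whatever `vc` held before — nil on the first iteration, or the previous pod's client — and the old placeholder comment that at least marked the gap is gone. Make the unmatched case explicit: `default: v.log.Errorf("unknown vault pod %s, skipping", svc); continue`. `podname` is populated outside this hunk, so whether an unexpected name can actually appear is not visible here, but the branch should not silently reuse a stale client. The enclosing loop starts before and ends after this hunk.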
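Review bot: `leaderpodip = podip` and `v.log.Info("Leader Ip", leaderpodip)` run before the `if err != nil` check on the `GetPodIP` call that produced `podip`, so on failure the function-scope `leaderpodip` (declared in the first hunk of this file) is set to the zero value and logged as the leader IP before the error is reported. Move the assignment and the log after the error check: `if err != nil { v.log.Errorf("failed to retrieve pod ip, %s", err); return }` then `leaderpodip = podip`. This `GetPodIP` call also repeats the one made right after the switch in the previous hunk and shadows `podip` and `err` with `:=`; the earlier result could simply be reused. Note that `vc.Unseal()` (vault_seal.go in this patch) checks `vc.c.Sys().SealStatus()` through the client's configured address rather than `podip`, so as far as these hunks show the pod IP is only logged, not used for the unseal — worth confirming that is intended. The enclosing function continues past this hunk.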
@@ -153,35 +142,12 @@ func (v *VaultSealWatcher) Run() { v.log.Errorf("failed to unseal vault, %s", err) return } - // _, unsealKeys, err := vc.GetVaultSecretValuesforMultiInstance() - // v.log.Debug("Unseal Keys", unsealKeys) - // if err != nil { - // v.log.Errorf("Failed to fetch the credential: %v\n", err) - // return - // } - - // err = vc.UnsealVaultInstance(podip, unsealKeys) - - // if err != nil { - // v.log.Errorf("failed to unseal vault, %s", err) - // return - // } } } } - for _, svc := range podname { - podip, _ := vc.GetPodIP(svc, "default") - res, err := vc.IsVaultSealedForAllInstances(podip) - v.log.Debug("Seal Status of %v :%v", svc, res) - if err != nil { - v.log.Errorf("failed to get vault seal status, %s", err) - return - } - v.log.Infof("vault sealed status: %v", res) - } } }