adding some optimisation on secret key initialization

amagioss · Jul 16, 2024 · ffcd237 · ffcd237
1 parent 5291bb9
commit ffcd237
Show file tree

Hide file tree

Showing 13 changed files with 45 additions and 32 deletions.
diff --git a/docs/KUBERNETES.md b/docs/KUBERNETES.md
@@ -33,6 +33,11 @@ SLV supports two ways to reconcile SLV vaults as kuberenetes secrets:
 1. [Operator](#operator)
 2. [Job](#job)
 
+SLV is compiled as a single binary, meaning the same binary can act as the CLI, K8s Operator, and K8s Job. Set the respective values to the environment variable `SLV_MODE` to make the SLV container act as an operator or job.
+
+- For Operator Mode set `SLV_MODE=k8s_operator`
+- For Job Mode set `SLV_MODE=k8s_job`
+
 ## Operator
 SLV operator is a kubenetes controller that runs inside a given cluster to write secrets into given namespaces based on changes in SLV resources.
 

diff --git a/internal/cli/commands/cmdvault/access.go b/internal/cli/commands/cmdvault/access.go
@@ -64,7 +64,7 @@ func vaultAccessAddCommand() *cobra.Command {
 			}
 			vault, err := getVault(vaultFile)
 			if err == nil {
-				err = vault.Unlock(*envSecretKey)
+				err = vault.Unlock(envSecretKey)
 				if err == nil {
 					for _, publicKey := range publicKeys {
 						if _, err = vault.Share(publicKey); err != nil {
@@ -113,7 +113,7 @@ func vaultAccessRemoveCommand() *cobra.Command {
 			if err == nil {
 				var envSecretKey *crypto.SecretKey
 				if envSecretKey, err = secretkey.Get(); err == nil {
-					err = vault.Unlock(*envSecretKey)
+					err = vault.Unlock(envSecretKey)
 				}
 				if err == nil {
 					if err = vault.Revoke(publicKeys, pq); err == nil {

diff --git a/internal/cli/commands/cmdvault/deref.go b/internal/cli/commands/cmdvault/deref.go
@@ -34,7 +34,7 @@ func vaultDerefCommand() *cobra.Command {
 				if err != nil {
 					utils.ExitOnError(err)
 				}
-				err = vault.Unlock(*envSecretKey)
+				err = vault.Unlock(envSecretKey)
 				if err != nil {
 					utils.ExitOnError(err)
 				}

diff --git a/internal/cli/commands/cmdvault/get.go b/internal/cli/commands/cmdvault/get.go
@@ -31,7 +31,7 @@ func vaultGetCommand() *cobra.Command {
 			if err != nil {
 				utils.ExitOnError(err)
 			}
-			err = vault.Unlock(*envSecretKey)
+			err = vault.Unlock(envSecretKey)
 			if err != nil {
 				utils.ExitOnError(err)
 			}

diff --git a/internal/cli/commands/cmdvault/shell.go b/internal/cli/commands/cmdvault/shell.go
@@ -41,7 +41,7 @@ func vaultShellCommand() *cobra.Command {
 			if err != nil {
 				utils.ExitOnError(err)
 			}
-			err = vault.Unlock(*envSecretKey)
+			err = vault.Unlock(envSecretKey)
 			if err != nil {
 				utils.ExitOnError(err)
 			}

diff --git a/internal/core/vaults/access.go b/internal/core/vaults/access.go
@@ -119,7 +119,7 @@ func (vlt *Vault) ListAccessors() ([]crypto.PublicKey, error) {
 	return accessors, nil
 }
 
-func (vlt *Vault) Unlock(secretKey crypto.SecretKey) error {
+func (vlt *Vault) Unlock(secretKey *crypto.SecretKey) error {
 	if !vlt.IsLocked() {
 		return nil
 	}

diff --git a/internal/k8s/api/v1/slv_webhook.go b/internal/k8s/api/v1/slv_webhook.go
@@ -53,7 +53,12 @@ var _ webhook.Validator = &SLV{}
 
 func (r *SLV) validateSLV() error {
 	vault := r.Spec.Vault
-	if err := vault.Unlock(*utils.SecretKey()); err != nil {
+	secretKey, err := utils.SecretKey()
+	if err != nil {
+		slvlog.Error(err, "failed to get secret key", "name", r.Name)
+		return err
+	}
+	if err := vault.Unlock(secretKey); err != nil {
 		slvlog.Error(err, "failed to unlock vault", "name", r.Name)
 		return err
 	}

diff --git a/internal/k8s/internal/controller/slv_controller.go b/internal/k8s/internal/controller/slv_controller.go
@@ -114,7 +114,11 @@ func (r *SLVReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.R
 	}
 
 	vault := slvObj.Spec.Vault
-	if err := vault.Unlock(*utils.SecretKey()); err != nil {
+	secretKey, err := utils.SecretKey()
+	if err != nil {
+		return r.returnError(ctx, &slvObj, &logger, err, "Failed to get secret key")
+	}
+	if err := vault.Unlock(secretKey); err != nil {
 		return r.returnError(ctx, &slvObj, &logger, err, "Failed to unlock vault")
 	}
 	slvSecretMap, err := vault.GetAllSecrets()

diff --git a/internal/k8s/job/job.go b/internal/k8s/job/job.go
@@ -6,8 +6,9 @@ import (
 )
 
 func Run() {
-	if err := utils.InitSecretKey(); err != nil {
-		panic(err.Error())
+	secretKey, err := utils.SecretKey()
+	if err != nil {
+		panic(err)
 	}
 
 	config, err := utils.GetKubeClientConfig()
@@ -25,7 +26,7 @@ func Run() {
 		panic(err)
 	}
 
-	if err = slvsToSecrets(clientset, utils.SecretKey(), slvObjs); err != nil {
+	if err = slvsToSecrets(clientset, secretKey, slvObjs); err != nil {
 		panic(err)
 	}
 }
diff --git a/internal/k8s/job/reconciler.go b/internal/k8s/job/reconciler.go
@@ -62,7 +62,7 @@ func listSLVs(cfg *rest.Config) ([]slvv1.SLV, error) {
 }
 
 func toSecret(clientset *kubernetes.Clientset, secretKey *crypto.SecretKey, slvObj slvv1.SLV) error {
-	if err := slvObj.Spec.Unlock(*secretKey); err != nil {
+	if err := slvObj.Spec.Unlock(secretKey); err != nil {
 		return err
 	}
 	slvSecretMap, err := slvObj.Spec.GetAllSecrets()

diff --git a/internal/k8s/operator/operator.go b/internal/k8s/operator/operator.go
@@ -80,7 +80,7 @@ func Run() {
 	setupLog.Info("initializing SLV operator...")
 	setupLog.Info(config.VersionInfo())
 
-	if err := utils.InitSecretKey(); err != nil {
+	if _, err := utils.SecretKey(); err != nil {
 		setupLog.Error(err, "unable to initialize SLV Environment Secret Key")
 		os.Exit(1)
 	}

diff --git a/internal/k8s/utils/key.go b/internal/k8s/utils/key.go
@@ -10,21 +10,26 @@ import (
 	"oss.amagi.com/slv/internal/core/secretkey"
 )
 
-var sKey *crypto.SecretKey
+var (
+	sKey            *crypto.SecretKey
+	sKeyInitialized bool
+)
 
-func InitSecretKey() (err error) {
-	if sKey == nil {
-		sKey, _ = secretkey.Get()
+func SecretKey() (secretKey *crypto.SecretKey, err error) {
+	if sKey == nil && !sKeyInitialized {
+		sKeyInitialized = true
+		sk, _ := secretkey.Get()
 		if clientset, _ := getKubeClientSet(); clientset != nil {
-			if sKey == nil {
-				if sKey, err = getSecretKeyFromCluster(clientset); err != nil && isEnvGenEnabled() {
-					sKey, err = crypto.NewSecretKey(environments.EnvironmentKey)
+			if sk == nil {
+				if sk, err = getSecretKeyFromCluster(clientset); err != nil && isEnvGenEnabled() {
+					sk, err = crypto.NewSecretKey(environments.EnvironmentKey)
 				}
 			}
-			if err == nil && sKey != nil {
+			if err == nil && sk != nil {
+				sKey = sk
 				var pkEC, pkPQ *crypto.PublicKey
-				if pkEC, err = sKey.PublicKey(false); err == nil {
-					if pkPQ, err = sKey.PublicKey(true); err == nil {
+				if pkEC, err = sk.PublicKey(false); err == nil {
+					if pkPQ, err = sk.PublicKey(true); err == nil {
 						var publicKeyEC, publicKeyPQ string
 						if publicKeyEC, err = pkEC.String(); err == nil {
 							if publicKeyPQ, err = pkPQ.String(); err == nil {
@@ -39,14 +44,7 @@ func InitSecretKey() (err error) {
 			sKey = nil
 		}
 	}
-	return err
-}
-
-func SecretKey() *crypto.SecretKey {
-	if err := InitSecretKey(); err != nil {
-		panic(err.Error())
-	}
-	return sKey
+	return sKey, err
 }
 
 func GetPublicKeyFromK8s(namespace string, pq bool) (string, error) {

diff --git a/slv.go b/slv.go
@@ -14,7 +14,7 @@ func getVaultUnlocked(vaultFile string) (*vaults.Vault, error) {
 	if err != nil {
 		return nil, err
 	}
-	if err = vault.Unlock(*secretKey); err != nil {
+	if err = vault.Unlock(secretKey); err != nil {
 		return nil, err
 	}
 	return vault, nil