Merge pull request #20 from Conjur-Enterprise/CNJR-3722-server-cleanu…

…p-bugfix

CNJR-3722: Server cleanup bugfix

.github/CODEOWNERS

@@ -0,0 +1,10 @@
+* @cyberark/community-and-integrations-team @conjur-enterprise/community-and-integrations
+
+# Changes to .trivyignore require Security Architect approval
+.trivyignore @cyberark/security-architects @conjurinc/security-architects @conjurdemos/security-architects @conjur-enterprise/conjur-security
+
+# Changes to .codeclimate.yml require Quality Architect approval
+.codeclimate.yml @cyberark/quality-architects @conjurinc/quality-architects @conjurdemos/quality-architect @conjur-enterprise/conjur-quality
+
+# Changes to SECURITY.md require Security Architect approval
+SECURITY.md @cyberark/security-architects @conjurinc/security-architects @conjurdemos/security-architects @conjur-enterprise/conjur-security

CHANGELOG.md

@@ -4,6 +4,22 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
+## [Unreleased]
+
+### Changed
+- Nothing should go in this section, please add to the latest unreleased version
+  (and update the corresponding date), or add a new version.
+
+## [0.0.2] - 2023-01-22
+
+### Fixed
+- Fixed an error in Provider termination which prevented the socket used to
+  connect to the Secrets Store CSI Driver from being closed and removed.
+  [Conjur-Enterprise/conjur-k8s-csi-provider#20](https://github.cyberng.com/Conjur-Enterprise/conjur-k8s-csi-provider/pull/20)
+
+### Added
+- Added additional logging to gRPC and HTTP servers.
+  [Conjur-Enterprise/conjur-k8s-csi-provider#20](https://github.cyberng.com/Conjur-Enterprise/conjur-k8s-csi-provider/pull/20)
 
 ## [0.0.1] - 2023-12-26
 

CODE_OF_CONDUCT.md

@@ -0,0 +1,60 @@
+# CyberArk Community Code of Conduct
+
+CyberArk is a leader in Privileged Access Management, thanks to its customers and community. We listen to our community and wish to provide additional relevant tools.  We believe that our mission is best served in an environment that is friendly, safe, and accepting; free from intimidation or harassment.
+Towards this end, CyberArk’s developers have created this Community Code of Conduct for the CyberArk open source community.  Our Code of Conduct sets the standard for how developers, and community members can work together in a respectful and collaborative manner.  Those who do not abide by this Code of Conduct will not be permitted to remain part of our community.
+
+## Summary of Key Principles
+
+- Be respectful to others in the community at all times.
+- Report harassing or abusive behavior that you experience or witness at ReportAbuse@cyberark.com
+- The CyberArk community will not tolerate abusive or disrespectful behavior towards its members; anyone engaging in such behavior will be suspended from the CyberArk community.
+
+## Scope
+
+This Code of Conduct applies to all members of the CyberArk community, including paid and unpaid agents, administrators, users, and customers of CyberArk.  It applies in all CyberArk community venues, online and in person, including CyberArk Open Source project communities (such as public GitHub repositories, chat channels, social media, mailing lists, and public events) and in one-on-one communications pertaining to CyberArk affairs.
+This policy covers the usage of CyberArk hosted services, as well as the CyberArk website, CyberArk related events, and any other services offered by or on behalf of CyberArk (collectively, the "Service").
+This Code of Conduct is in addition to, and does not in any way nullify or invalidate, any other terms or conditions related to use of the Service.
+
+## Maintaining a Friendly, Harassment-Free Space
+
+We are committed to providing a friendly, safe and welcoming environment for all, regardless of gender identity, sexual orientation, ability, ethnicity, religion, age, physical appearance, body size, race, or similar personal characteristics.
+We ask that you please respect that people have differences of opinion regarding technical choices, and that every design or implementation choice carries a trade-off and numerous costs. There is seldom a single right answer. A difference of technology preferences is not a license to be rude.
+Harassing other users of the Service for any reason is never tolerated, whether via public or private media. Any spamming, trolling, flaming, baiting, or other attention-stealing behavior is not welcome, and will not be tolerated.
+Even if your intent is not to harass or offend others, be mindful of how your comments might be perceived by others in the community.
+
+## Unacceptable Behavior
+
+The following behaviors are considered harassment under this Code of Conduct and are unacceptable within our community:
+- Violence, threats of violence, or violent language directed against another person or group of people.
+- Sexist, racist, homophobic, transphobic, ableist, or otherwise discriminatory jokes and language.
+- Posting or displaying sexually explicit or violent material.
+- Posting or threatening to post other people’s personally identifying information ("doxing").
+- Personal insults, particularly those related to related to gender identity, sexual orientation, ability, ethnicity, religion, age, physical appearance, body size, race, or similar personal characteristics.
+- Using offensive or harassing nicknames or other identifiers.
+- Inappropriate photography or recording.
+- Inappropriate physical contact. You should have someone’s consent before touching them.
+- Unwelcome sexual attention. This includes: sexualized comments or jokes; inappropriate touching, groping, and unwelcome sexual advances.
+- Deliberate intimidation, stalking, or following (online or in person).
+- Sustained disruption of community events, including talks and presentations.
+- Advocating for, or encouraging, any of the above behavior.
+
+## Reporting Violations
+
+If you witness or experience unacceptable behavior in the CyberArk community, please promptly report it to our team at ReportAbuse@cyberark.com.  If this is the initial report of a problem, please include as much detail as possible. It is easiest for us to address issues when we have more context.
+The CyberArk Community Team will look into any reported issues in a confidential manner and take any necessary actions to address and resolve the problem.
+We will not tolerate any form of retaliation towards users who report these issues to us.
+If you feel that you have been falsely or unfairly accused of violating this Code of Conduct by others in the community, you should notify the ReportAbuse@cyberark.com team so that we can address and resolve the accusation.
+As always, if you have an urgent security issue, contact product_security@cyberark.com and if you have concerns about a potential copyright violation, contact legal@cyberark.com.
+
+## Consequences
+
+All content published to the Service, including user account credentials, is hosted at the sole discretion of the CyberArk administrators.  If a community member engages in unacceptable behavior, the CyberArk administrators may take any action they deem appropriate, up to and including a temporary ban or permanent expulsion from the community without warning. In general, we will choose the course of action that we judge as being most in the interest of fostering a safe and friendly community.
+
+## Contact Info
+Please contact ReportAbuse@cyberark.com if you need to report a problem or address a grievance related to an abuse report.
+You are also encouraged to contact us if you have questions about what constitutes appropriate and inappropriate content. We are happy to provide guidance to help you be a successful part of our community. Our technical community is available [here](https://cyberark-customers.force.com/s/).
+
+## Credit and License
+
+This Code of Conduct borrows from the [npm Code of Conduct](https://www.npmjs.com/policies/conduct), Stumptown Syndicate [Citizen's Code of Conduct](http://citizencodeofconduct.org/), and the [Rust Project Code of Conduct](https://www.rust-lang.org/conduct.html).
+This document may be reused under a [Creative Commons Attribution-ShareAlike License](https://creativecommons.org/licenses/by-sa/4.0/).

README.md

@@ -5,14 +5,30 @@ Conjur's integration for the
 which injects secrets into Kubernetes environments via
 [Container Storage Interface](https://kubernetes-csi.github.io/docs/) volumes.
 
+  * [Certification level](#certification-level)
   * [Requirements](#requirements)
   * [Usage](#usage)
   * [Configuration](#configuration)
     + [Conjur Provider Helm chart](#conjur-provider-helm-chart)
     + [`SecretProviderClass`](#-secretproviderclass-)
   * [Contributing](#contributing)
+  * [Community Support](#community-support)
+  * [Code Maintainers](#code-maintainers)
+  * [License](#license)
 
-<small><i><a href='http://ecotrust-canada.github.io/markdown-toc/'>Table of contents generated with markdown-toc</a></i></small>
+<!---<small><i><a href='http://ecotrust-canada.github.io/markdown-toc/'>Table of contents generated with markdown-toc</a></i></small>--->
+
+Conjur Provider for Secrets Store CSI Driver is part of the CyberArk Conjur
+[Open Source Suite](https://cyberark.github.io/conjur/) of tools.
+
+## Certification level
+
+![](https://img.shields.io/badge/Certification%20Level-Trusted-28A745?link=https://github.com/cyberark/community/blob/master/Conjur/conventions/certification-levels.md)
+
+This repo is a **Trusted** level project. It is supported by CyberArk and has
+been verified to work with Conjur Enterprise. For more detailed information on
+our certification levels, see
+[our community guidelines](https://github.com/cyberark/community/blob/master/Conjur/conventions/certification-levels.md#trusted).
 
 ## Requirements
 
@@ -225,3 +241,29 @@ The following table lists the configurable parameters on the Conjur Provider's
 ## Contributing
 
 Please read our [Contributing Guide](CONTRIBUTING.md).
+
+## Community Support
+
+Our primary channel for support is through our CyberArk Commons community
+[here](https://discuss.cyberarkcommons.org/c/conjur/5).
+
+## Code Maintainers
+
+CyberArk Conjur Team
+
+## License
+
+Copyright (c) 2023 CyberArk Software Ltd. All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License"); you may not use
+this software except in compliance with the License. You may obtain a copy of
+the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software distributed
+under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+CONDITIONS OF ANY KIND, either express or implied. See the License for the
+specific language governing permissions and limitations under the License.
+
+For the full license text see [LICENSE](./LICENSE).

SECURITY.md

@@ -0,0 +1,42 @@
+# Security Policies and Procedures
+
+This document outlines security procedures and general policies for the CyberArk Conjur
+suite of tools and products.
+
+  * [Reporting a Bug](#reporting-a-bug)
+  * [Disclosure Policy](#disclosure-policy)
+  * [Comments on this Policy](#comments-on-this-policy)
+
+## Reporting a Bug
+
+The CyberArk Conjur team and community take all security bugs in the Conjur suite seriously.
+Thank you for improving the security of the Conjur suite. We appreciate your efforts and
+responsible disclosure and will make every effort to acknowledge your
+contributions.
+
+Report security bugs by emailing the lead maintainers at security@conjur.org.
+
+The maintainers will acknowledge your email within 2 business days. Subsequently, we will 
+send a more detailed response within 2 business days of our acknowledgement indicating
+the next steps in handling your report. After the initial reply to your report, the security
+team will endeavor to keep you informed of the progress towards a fix and full
+announcement, and may ask for additional information or guidance.
+
+Report security bugs in third-party modules to the person or team maintaining
+the module.
+
+## Disclosure Policy
+
+When the security team receives a security bug report, they will assign it to a
+primary handler. This person will coordinate the fix and release process,
+involving the following steps:
+
+  * Confirm the problem and determine the affected versions.
+  * Audit code to find any potential similar problems.
+  * Prepare fixes for all releases still under maintenance. These fixes will be
+    released as fast as possible.
+
+## Comments on this Policy
+
+If you have suggestions on how this process could be improved please submit a
+pull request.

cmd/conjur-k8s-csi-provider/main.go

@@ -10,36 +10,48 @@ import (
 )
 
 func main() {
-	var s *provider.ConjurProviderServer
-	var h *provider.HealthServer
+	exitCode := 0
 
-	s = provider.NewServer()
+	var providerServer *provider.ConjurProviderServer
+	providerErr := make(chan error)
+	var healthServer *provider.HealthServer
+	healthErr := make(chan error)
+
+	providerServer = provider.NewServer()
 	go func() {
-		err := s.Start()
+		err := providerServer.Start()
 		if err != nil {
-			log.Fatalf("Failed to start CSI provider server: %v", err)
+			providerErr <- err
 		}
 	}()
 
-	h = provider.NewHealthServer(s)
+	healthServer = provider.NewHealthServer(providerServer)
 	go func() {
-		err := h.Start()
+		err := healthServer.Start()
 		if err != nil {
-			log.Fatalf("Failed to start CSI provider health server: %v", err)
+			healthErr <- err
 		}
 	}()
 
 	stop := make(chan os.Signal, 1)
 	signal.Notify(stop, syscall.SIGINT, syscall.SIGTERM)
-	<-stop
 
-	err := h.Stop()
-	if err != nil {
-		log.Fatalf("Failed to stop the CSI provider health server: %v", err)
+	select {
+	case err := <-providerErr:
+		log.Printf("CSI provider server failed: %v", err)
+		exitCode = 1
+	case err := <-healthErr:
+		log.Printf("CSI provider health server failed: %v", err)
+		exitCode = 1
+	case <-stop:
 	}
 
-	err = s.Stop()
+	err := healthServer.Stop()
 	if err != nil {
-		log.Fatalf("Failed to stop the CSI provider server: %v", err)
+		log.Printf("Failed to stop the CSI provider health server: %v", err)
+		exitCode = 1
 	}
+
+	providerServer.Stop()
+	os.Exit(exitCode)
 }

pkg/provider/health.go

@@ -49,14 +49,20 @@ func newHealthServerWithDeps(
 
 // Start serves the HealthServer's HTTP server on the given port.
 func (h *HealthServer) Start() error {
-	log.Printf("Starting Conjur CSI Provider Health server on port %d...\n", h.port)
+	log.Printf("Serving health server on port %d...\n", h.port)
 	return h.server.ListenAndServe()
 }
 
 // Stop gracefully shuts down the HeathServer's HTTP server.
 func (h *HealthServer) Stop() error {
-	log.Println("Cleaning up Conjur CSI Provider Health server...")
-	return h.server.Shutdown(context.TODO())
+	log.Println("Stopping health server...")
+
+	err := h.server.Shutdown(context.TODO())
+	if err == nil {
+		log.Println("Health server stopped.")
+	}
+
+	return err
 }
 
 func defaultHealthCheckFactory(provider *ConjurProviderServer) func(http.ResponseWriter, *http.Request) {

pkg/provider/server.go

@@ -41,6 +41,8 @@ func newServerWithDeps(
 	mountFunc func(context.Context, *v1alpha1.MountRequest) (*v1alpha1.MountResponse, error),
 	versionFunc func(context.Context, *v1alpha1.VersionRequest) (*v1alpha1.VersionResponse, error),
 ) *ConjurProviderServer {
+	log.Println("Creating and registering gRPC server...")
+
 	grpcServer := grpcFactory()
 	providerServer := &ConjurProviderServer{
 		grpcServer:  grpcServer,
@@ -63,24 +65,20 @@ func (c *ConjurProviderServer) startWithDeps(
 	var err error
 	c.listener, err = listenerFactory("unix", socketPath)
 	if err != nil {
-		return fmt.Errorf("failed to start listener: %w", err)
+		return fmt.Errorf("failed to start socket listener: %w", err)
 	}
 
-	log.Println("Starting Conjur CSI Provider server...")
+	log.Printf("Serving gRPC server on socket %s...\n", socketPath)
 	return c.grpcServer.Serve(c.listener)
 }
 
 // Stop halts the gRPC server and closes the socket listener.
-func (c *ConjurProviderServer) Stop() error {
-	log.Println("Cleaning up Conjur CSI Provider server...")
-	c.grpcServer.GracefulStop()
+func (c *ConjurProviderServer) Stop() {
+	log.Println("Stopping gRPC server...")
 
-	err := c.listener.Close()
-	if err != nil {
-		return err
-	}
+	c.grpcServer.GracefulStop()
 
-	return nil
+	log.Println("gRPC server stopped.")
 }
 
 func (c *ConjurProviderServer) Mount(ctx context.Context, req *v1alpha1.MountRequest) (*v1alpha1.MountResponse, error) {

pkg/provider/server_test.go

@@ -126,7 +126,7 @@ func TestStart(t *testing.T) {
 				return nil, errors.New("listener msg")
 			},
 			assertions: func(t *testing.T, err error) {
-				assert.Equal(t, "failed to start listener: listener msg", err.Error())
+				assert.Equal(t, "failed to start socket listener: listener msg", err.Error())
 			},
 		},
 		{
@@ -163,21 +163,11 @@ func TestStart(t *testing.T) {
 func TestStop(t *testing.T) {
 	testCases := []struct {
 		description string
-		closeErr    error
-		assertions  func(*testing.T, error)
+		assertions  func(*testing.T)
 	}{
-		{
-			description: "listener close fails",
-			closeErr:    errors.New("close msg"),
-			assertions: func(t *testing.T, err error) {
-				assert.Equal(t, "close msg", err.Error())
-				assert.True(t, stopped)
-			},
-		},
 		{
 			description: "happy path",
-			assertions: func(t *testing.T, err error) {
-				assert.Nil(t, err)
+			assertions: func(t *testing.T) {
 				assert.True(t, stopped)
 			},
 		},
@@ -193,18 +183,16 @@ func TestStop(t *testing.T) {
 				}
 			}
 			listenerFactory := func(string, string) (net.Listener, error) {
-				return mockListener{
-					close: func() error { return tc.closeErr },
-				}, nil
+				return mockListener{}, nil
 			}
 
 			p := newServerWithDeps(grpcFactory, nil, nil)
 			err := p.startWithDeps(listenerFactory, "")
 			assert.Nil(t, err)
 			stopped = false
 
-			err = p.Stop()
-			tc.assertions(t, err)
+			p.Stop()
+			tc.assertions(t)
 		})
 	}
 }