Merge branch 'main' into ui/VAULT-27414/k8-role-filter

hashicorp · May 28, 2024 · 48477e5 · 48477e5
2 parents 1823fc9 + 476b0d5
commit 48477e5
Show file tree

Hide file tree

Showing 18 changed files with 426 additions and 223 deletions.
diff --git a/changelog/11084.txt b/changelog/11084.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+serviceregistration: Added support for Consul ServiceMeta tags from config file from the new `service_meta` config field.
+```
diff --git a/changelog/26570.txt b/changelog/26570.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+agent: Add metric (vault.agent.authenticated) that is set to 1 when vault agent has a valid token and zero if it does not.
+```
diff --git a/changelog/26660.txt b/changelog/26660.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+storage/etcd: Update etcd3 client to v3.5.13 to allow use of TLSv1.3.
+```
diff --git a/command/agentproxyshared/auth/auth.go b/command/agentproxyshared/auth/auth.go
@@ -145,12 +145,18 @@ func (ah *AuthHandler) Run(ctx context.Context, am AuthMethod) error {
 	backoffCfg := newAutoAuthBackoff(ah.minBackoff, ah.maxBackoff, ah.exitOnError)
 
 	ah.logger.Info("starting auth handler")
+
+	// Set unauthenticated when starting up
+	metrics.SetGauge([]string{ah.metricsSignifier, "authenticated"}, 0)
+
 	defer func() {
 		am.Shutdown()
 		close(ah.OutputCh)
 		close(ah.TemplateTokenCh)
 		close(ah.ExecTokenCh)
 		ah.logger.Info("auth handler stopped")
+		// Set unauthenticated when shutting down
+		metrics.SetGauge([]string{ah.metricsSignifier, "authenticated"}, 0)
 	}()
 
 	credCh := am.NewCreds()
@@ -217,6 +223,8 @@ func (ah *AuthHandler) Run(ctx context.Context, am AuthMethod) error {
 			if err != nil {
 				ah.logger.Error("error creating client for authentication call", "error", err, "backoff", backoffCfg)
 				metrics.IncrCounter([]string{ah.metricsSignifier, "auth", "failure"}, 1)
+				// Set unauthenticated when authentication fails
+				metrics.SetGauge([]string{ah.metricsSignifier, "authenticated"}, 0)
 
 				if backoffSleep(ctx, backoffCfg) {
 					continue
@@ -244,6 +252,8 @@ func (ah *AuthHandler) Run(ctx context.Context, am AuthMethod) error {
 			if err != nil {
 				ah.logger.Error("could not look up token", "err", err, "backoff", backoffCfg)
 				metrics.IncrCounter([]string{ah.metricsSignifier, "auth", "failure"}, 1)
+				// Set unauthenticated when authentication fails
+				metrics.SetGauge([]string{ah.metricsSignifier, "authenticated"}, 0)
 
 				if backoffSleep(ctx, backoffCfg) {
 					continue
@@ -264,6 +274,8 @@ func (ah *AuthHandler) Run(ctx context.Context, am AuthMethod) error {
 			if err != nil {
 				ah.logger.Error("error getting path or data from method", "error", err, "backoff", backoffCfg)
 				metrics.IncrCounter([]string{ah.metricsSignifier, "auth", "failure"}, 1)
+				// Set unauthenticated when authentication fails
+				metrics.SetGauge([]string{ah.metricsSignifier, "authenticated"}, 0)
 
 				if backoffSleep(ctx, backoffCfg) {
 					continue
@@ -277,6 +289,7 @@ func (ah *AuthHandler) Run(ctx context.Context, am AuthMethod) error {
 			if err != nil {
 				ah.logger.Error("error creating client for wrapped call", "error", err, "backoff", backoffCfg)
 				metrics.IncrCounter([]string{ah.metricsSignifier, "auth", "failure"}, 1)
+				metrics.SetGauge([]string{ah.metricsSignifier, "authenticated"}, 0)
 
 				if backoffSleep(ctx, backoffCfg) {
 					continue
@@ -315,6 +328,8 @@ func (ah *AuthHandler) Run(ctx context.Context, am AuthMethod) error {
 			if err != nil {
 				ah.logger.Error("error authenticating", "error", err, "backoff", backoffCfg)
 				metrics.IncrCounter([]string{ah.metricsSignifier, "auth", "failure"}, 1)
+				// Set unauthenticated when authentication fails
+				metrics.SetGauge([]string{ah.metricsSignifier, "authenticated"}, 0)
 
 				if backoffSleep(ctx, backoffCfg) {
 					continue
@@ -330,6 +345,8 @@ func (ah *AuthHandler) Run(ctx context.Context, am AuthMethod) error {
 			if secret.WrapInfo == nil {
 				ah.logger.Error("authentication returned nil wrap info", "backoff", backoffCfg)
 				metrics.IncrCounter([]string{ah.metricsSignifier, "auth", "failure"}, 1)
+				// Set unauthenticated when authentication fails
+				metrics.SetGauge([]string{ah.metricsSignifier, "authenticated"}, 0)
 
 				if backoffSleep(ctx, backoffCfg) {
 					continue
@@ -339,6 +356,8 @@ func (ah *AuthHandler) Run(ctx context.Context, am AuthMethod) error {
 			if secret.WrapInfo.Token == "" {
 				ah.logger.Error("authentication returned empty wrapped client token", "backoff", backoffCfg)
 				metrics.IncrCounter([]string{ah.metricsSignifier, "auth", "failure"}, 1)
+				// Set unauthenticated when authentication fails
+				metrics.SetGauge([]string{ah.metricsSignifier, "authenticated"}, 0)
 
 				if backoffSleep(ctx, backoffCfg) {
 					continue
@@ -349,6 +368,8 @@ func (ah *AuthHandler) Run(ctx context.Context, am AuthMethod) error {
 			if err != nil {
 				ah.logger.Error("failed to encode wrapinfo", "error", err, "backoff", backoffCfg)
 				metrics.IncrCounter([]string{ah.metricsSignifier, "auth", "failure"}, 1)
+				// Set unauthenticated when authentication fails
+				metrics.SetGauge([]string{ah.metricsSignifier, "authenticated"}, 0)
 
 				if backoffSleep(ctx, backoffCfg) {
 					continue
@@ -388,6 +409,8 @@ func (ah *AuthHandler) Run(ctx context.Context, am AuthMethod) error {
 				if secret == nil || secret.Data == nil {
 					ah.logger.Error("token file validation failed, token may be invalid", "backoff", backoffCfg)
 					metrics.IncrCounter([]string{ah.metricsSignifier, "auth", "failure"}, 1)
+					// Set unauthenticated when authentication fails
+					metrics.SetGauge([]string{ah.metricsSignifier, "authenticated"}, 0)
 
 					if backoffSleep(ctx, backoffCfg) {
 						continue
@@ -398,6 +421,8 @@ func (ah *AuthHandler) Run(ctx context.Context, am AuthMethod) error {
 				if !ok || token == "" {
 					ah.logger.Error("token file validation returned empty client token", "backoff", backoffCfg)
 					metrics.IncrCounter([]string{ah.metricsSignifier, "auth", "failure"}, 1)
+					// Set unauthenticated when authentication fails
+					metrics.SetGauge([]string{ah.metricsSignifier, "authenticated"}, 0)
 
 					if backoffSleep(ctx, backoffCfg) {
 						continue
@@ -414,6 +439,7 @@ func (ah *AuthHandler) Run(ctx context.Context, am AuthMethod) error {
 					Renewable:     renewable,
 				}
 				ah.logger.Info("authentication successful, sending token to sinks")
+
 				ah.OutputCh <- token
 				if ah.enableTemplateTokenCh {
 					ah.TemplateTokenCh <- token
@@ -430,6 +456,8 @@ func (ah *AuthHandler) Run(ctx context.Context, am AuthMethod) error {
 				if secret == nil || secret.Auth == nil {
 					ah.logger.Error("authentication returned nil auth info", "backoff", backoffCfg)
 					metrics.IncrCounter([]string{ah.metricsSignifier, "auth", "failure"}, 1)
+					// Set unauthenticated when authentication fails
+					metrics.SetGauge([]string{ah.metricsSignifier, "authenticated"}, 0)
 
 					if backoffSleep(ctx, backoffCfg) {
 						continue
@@ -439,6 +467,8 @@ func (ah *AuthHandler) Run(ctx context.Context, am AuthMethod) error {
 				if secret.Auth.ClientToken == "" {
 					ah.logger.Error("authentication returned empty client token", "backoff", backoffCfg)
 					metrics.IncrCounter([]string{ah.metricsSignifier, "auth", "failure"}, 1)
+					// Set unauthenticated when authentication fails
+					metrics.SetGauge([]string{ah.metricsSignifier, "authenticated"}, 0)
 
 					if backoffSleep(ctx, backoffCfg) {
 						continue
@@ -471,6 +501,8 @@ func (ah *AuthHandler) Run(ctx context.Context, am AuthMethod) error {
 		if err != nil {
 			ah.logger.Error("error creating lifetime watcher", "error", err, "backoff", backoffCfg)
 			metrics.IncrCounter([]string{ah.metricsSignifier, "auth", "failure"}, 1)
+			// Set unauthenticated when authentication fails
+			metrics.SetGauge([]string{ah.metricsSignifier, "authenticated"}, 0)
 
 			if backoffSleep(ctx, backoffCfg) {
 				continue
@@ -479,6 +511,7 @@ func (ah *AuthHandler) Run(ctx context.Context, am AuthMethod) error {
 		}
 
 		metrics.IncrCounter([]string{ah.metricsSignifier, "auth", "success"}, 1)
+		metrics.SetGauge([]string{ah.metricsSignifier, "authenticated"}, 1)
 		// We don't want to trigger the renewal process for the root token
 		if isRootToken(leaseDuration, isTokenFileMethod, secret) {
 			ah.logger.Info("not starting token renewal process, as token is root token")
@@ -500,6 +533,8 @@ func (ah *AuthHandler) Run(ctx context.Context, am AuthMethod) error {
 				if err != nil {
 					ah.logger.Error("error renewing token", "error", err, "backoff", backoffCfg)
 					metrics.IncrCounter([]string{ah.metricsSignifier, "auth", "failure"}, 1)
+					// Set unauthenticated when authentication fails
+					metrics.SetGauge([]string{ah.metricsSignifier, "authenticated"}, 0)
 
 					// Add some exponential backoff so that if auth is successful
 					// but the watcher errors, we won't go into an immediate
@@ -525,6 +560,8 @@ func (ah *AuthHandler) Run(ctx context.Context, am AuthMethod) error {
 
 			case <-watcher.RenewCh():
 				metrics.IncrCounter([]string{ah.metricsSignifier, "auth", "success"}, 1)
+				// Set authenticated when authentication succeeds
+				metrics.SetGauge([]string{ah.metricsSignifier, "authenticated"}, 1)
 				ah.logger.Info("renewed auth token")
 
 			case <-credCh:

diff --git a/command/debug.go b/command/debug.go
@@ -4,10 +4,12 @@
 package command
 
 import (
+	"archive/tar"
+	"compress/gzip"
 	"context"
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"net/url"
 	"os"
 	"path/filepath"
@@ -26,7 +28,6 @@ import (
 	"github.com/hashicorp/vault/sdk/helper/jsonutil"
 	"github.com/hashicorp/vault/sdk/helper/logging"
 	"github.com/hashicorp/vault/version"
-	"github.com/mholt/archiver/v3"
 	"github.com/oklog/run"
 	"github.com/posener/complete"
 )
@@ -374,7 +375,7 @@ func (c *DebugCommand) generateIndex() error {
 	}
 
 	// Write out file
-	if err := ioutil.WriteFile(filepath.Join(c.flagOutput, "index.json"), bytes, 0o600); err != nil {
+	if err := os.WriteFile(filepath.Join(c.flagOutput, "index.json"), bytes, 0o600); err != nil {
 		return fmt.Errorf("error generating index file; %s", err)
 	}
 
@@ -778,7 +779,7 @@ func (c *DebugCommand) collectPprof(ctx context.Context) {
 					return
 				}
 
-				err = ioutil.WriteFile(filepath.Join(dirName, target+".prof"), data, 0o600)
+				err = os.WriteFile(filepath.Join(dirName, target+".prof"), data, 0o600)
 				if err != nil {
 					c.captureError("pprof."+target, err)
 				}
@@ -796,13 +797,13 @@ func (c *DebugCommand) collectPprof(ctx context.Context) {
 				return
 			}
 
-			err = ioutil.WriteFile(filepath.Join(dirName, "goroutines.txt"), data, 0o600)
+			err = os.WriteFile(filepath.Join(dirName, "goroutines.txt"), data, 0o600)
 			if err != nil {
 				c.captureError("pprof.goroutines-text", err)
 			}
 		}()
 
-		// If the our remaining duration is less than the interval value
+		// If our remaining duration is less than the interval value
 		// skip profile and trace.
 		runDuration := currentTimestamp.Sub(startTime)
 		if (c.flagDuration+debugDurationGrace)-runDuration < c.flagInterval {
@@ -820,7 +821,7 @@ func (c *DebugCommand) collectPprof(ctx context.Context) {
 				return
 			}
 
-			err = ioutil.WriteFile(filepath.Join(dirName, "profile.prof"), data, 0o600)
+			err = os.WriteFile(filepath.Join(dirName, "profile.prof"), data, 0o600)
 			if err != nil {
 				c.captureError("pprof.profile", err)
 			}
@@ -836,7 +837,7 @@ func (c *DebugCommand) collectPprof(ctx context.Context) {
 				return
 			}
 
-			err = ioutil.WriteFile(filepath.Join(dirName, "trace.out"), data, 0o600)
+			err = os.WriteFile(filepath.Join(dirName, "trace.out"), data, 0o600)
 			if err != nil {
 				c.captureError("pprof.trace", err)
 			}
@@ -972,7 +973,7 @@ func (c *DebugCommand) persistCollection(collection []map[string]interface{}, ou
 	if err != nil {
 		return err
 	}
-	if err := ioutil.WriteFile(filepath.Join(c.flagOutput, outFile), bytes, 0o600); err != nil {
+	if err := os.WriteFile(filepath.Join(c.flagOutput, outFile), bytes, 0o600); err != nil {
 		return err
 	}
 
@@ -984,14 +985,100 @@ func (c *DebugCommand) compress(dst string) error {
 		defer osutil.Umask(osutil.Umask(0o077))
 	}
 
-	tgz := archiver.NewTarGz()
-	if err := tgz.Archive([]string{c.flagOutput}, dst); err != nil {
-		return fmt.Errorf("failed to compress data: %s", err)
+	if err := archiveToTgz(c.flagOutput, dst); err != nil {
+		return fmt.Errorf("failed to compress data: %w", err)
 	}
 
 	// If everything is fine up to this point, remove original directory
 	if err := os.RemoveAll(c.flagOutput); err != nil {
-		return fmt.Errorf("failed to remove data directory: %s", err)
+		return fmt.Errorf("failed to remove data directory: %w", err)
+	}
+
+	return nil
+}
+
+// archiveToTgz compresses all the files in sourceDir to a
+// a tarball at destination.
+func archiveToTgz(sourceDir, destination string) error {
+	file, err := os.Create(destination)
+	if err != nil {
+		return fmt.Errorf("failed to create file: %w", err)
+	}
+	defer file.Close()
+
+	gzipWriter := gzip.NewWriter(file)
+	defer gzipWriter.Close()
+
+	tarWriter := tar.NewWriter(gzipWriter)
+	defer tarWriter.Close()
+
+	err = filepath.Walk(sourceDir,
+		func(filePath string, info os.FileInfo, err error) error {
+			if err != nil {
+				return err
+			}
+			return addFileToTar(sourceDir, filePath, tarWriter)
+		})
+
+	return err
+}
+
+// addFileToTar takes a file at filePath and adds it to the tar
+// being written to by tarWriter, alongside its header.
+// The tar header name will be relative. Example: If we're tarring
+// a file in ~/a/b/c/foo/bar.json, the header name will be foo/bar.json
+func addFileToTar(sourceDir, filePath string, tarWriter *tar.Writer) error {
+	file, err := os.Open(filePath)
+	if err != nil {
+		return fmt.Errorf("failed to open file %q: %w", filePath, err)
+	}
+	defer file.Close()
+
+	stat, err := file.Stat()
+	if err != nil {
+		return fmt.Errorf("failed to stat file %q: %w", filePath, err)
+	}
+
+	var link string
+	mode := stat.Mode()
+	if mode&os.ModeSymlink != 0 {
+		if link, err = os.Readlink(filePath); err != nil {
+			return fmt.Errorf("failed to read symlink for file %q: %w", filePath, err)
+		}
+	}
+	tarHeader, err := tar.FileInfoHeader(stat, link)
+	if err != nil {
+		return fmt.Errorf("failed to create tar header for file %q: %w", filePath, err)
+	}
+
+	// The tar header name should be relative, so remove the sourceDir from it,
+	// but preserve the last directory name.
+	// Example: If we're tarring a file in ~/a/b/c/foo/bar.json
+	// The name should be foo/bar.json
+	sourceDirExceptLastDir := filepath.Dir(sourceDir)
+	headerName := strings.TrimPrefix(filepath.Clean(filePath), filepath.Clean(sourceDirExceptLastDir)+"/")
+
+	// Directories should end with a slash.
+	if stat.IsDir() && !strings.HasSuffix(headerName, "/") {
+		headerName += "/"
+	}
+	tarHeader.Name = headerName
+
+	err = tarWriter.WriteHeader(tarHeader)
+	if err != nil {
+		return fmt.Errorf("failed to write tar header for file %q: %w", filePath, err)
+	}
+
+	// If it's not a regular file (e.g. link or directory) we shouldn't
+	// copy the file. The body of a tar entry (i.e. what's done by the
+	// below io.Copy call) is only required for tar files of TypeReg.
+	if tarHeader.Typeflag != tar.TypeReg {
+		return nil
+	}
+
+	_, err = io.Copy(tarWriter, file)
+	if err != nil {
+		return fmt.Errorf("failed to copy file %q into tarball: %w", filePath, err)
 	}
 
 	return nil
@@ -1008,7 +1095,7 @@ func pprofTarget(ctx context.Context, client *api.Client, target string, params
 	}
 	defer resp.Body.Close()
 
-	data, err := ioutil.ReadAll(resp.Body)
+	data, err := io.ReadAll(resp.Body)
 	if err != nil {
 		return nil, err
 	}
@@ -1028,7 +1115,7 @@ func pprofProfile(ctx context.Context, client *api.Client, duration time.Duratio
 	}
 	defer resp.Body.Close()
 
-	data, err := ioutil.ReadAll(resp.Body)
+	data, err := io.ReadAll(resp.Body)
 	if err != nil {
 		return nil, err
 	}
@@ -1048,7 +1135,7 @@ func pprofTrace(ctx context.Context, client *api.Client, duration time.Duration)
 	}
 	defer resp.Body.Close()
 
-	data, err := ioutil.ReadAll(resp.Body)
+	data, err := io.ReadAll(resp.Body)
 	if err != nil {
 		return nil, err
 	}