feat(state): enhance information that are stored on the state for deb…

…ugging purpose including sa, podname and nodename
numberly · Jun 12, 2024 · 35e12b1 · 35e12b1
1 parent 3334cc5
commit 35e12b1
Show file tree

Hide file tree

Showing 5 changed files with 66 additions and 23 deletions.
diff --git a/pkg/k8s/pod_utils.go b/pkg/k8s/pod_utils.go
@@ -36,8 +36,11 @@ func NewPodService(clientset KubernetesClient, cfg *config.Config) PodService {
 }
 
 type PodInformations struct {
-	PodNameUUIDs []string
-	Namespace    string
+	PodNameUUIDs       []string
+	Namespace          string
+	ServiceAccountName string
+	PodName            string
+	NodeName           string
 }
 
 func (p *podServiceImpl) GetAllPodAndNamespace(ctx context.Context) ([]PodInformations, error) {
@@ -61,8 +64,11 @@ func (p *podServiceImpl) GetAllPodAndNamespace(ctx context.Context) ([]PodInform
 	for _, pod := range pods.Items {
 		if uuid, exists := pod.GetAnnotations()[ANNOTATION_VAULT_POD_UUID]; exists {
 			podInfos = append(podInfos, PodInformations{
-				PodNameUUIDs: strings.Split(uuid, ","),
-				Namespace:    pod.Namespace,
+				PodNameUUIDs:       strings.Split(uuid, ","),
+				Namespace:          pod.Namespace,
+				PodName:            pod.Name,
+				NodeName:           pod.Spec.NodeName,
+				ServiceAccountName: pod.Spec.ServiceAccountName,
 			})
 		}
 	}

diff --git a/pkg/k8smutator/k8smutator.go b/pkg/k8smutator/k8smutator.go
@@ -107,7 +107,7 @@ func handlePodConfiguration(ctx context.Context, cfg *config.Config, dbConfs *[]
 			podUuid := generateUUID(logger)
 			podUuids = append(podUuids, podUuid)
 			// Request temporary database credentials from vault using configured role
-			creds, err := vaultConn.GetDbCredentials(ctx, cfg.TokenTTL, podUuid, pod.Namespace, cfg.VaultSecretName, cfg.VaultSecretPrefix)
+			creds, err := vaultConn.GetDbCredentials(ctx, cfg.TokenTTL, podUuid, pod.Namespace, cfg.VaultSecretName, cfg.VaultSecretPrefix, pod.Spec.ServiceAccountName)
 			if err != nil {
 				vaultConn.RevokeSelfToken(ctx, vaultConn.K8sSaVaultToken, "", "")
 				return nil, dbConf.Role, nil, errors.Newf("cannot get database credentials from role %s: %s", dbConf.Role, err.Error())

diff --git a/pkg/vault/handle_token.go b/pkg/vault/handle_token.go
@@ -14,26 +14,43 @@ import (
 )
 
 type KeyInformation struct {
-	PodNameUID string
-	LeaseId    string
-	TokenId    string
-	Namespace  string
+	PodNameUID     string
+	LeaseId        string
+	TokenId        string
+	Namespace      string
+	PodName        string
+	NodeName       string
+	ServiceAccount string
 }
 
-func NewKeyInformation(podName, leaseId, tokenId, namespace string) *KeyInformation {
+func NewKeyInformation(podUuid, leaseId, tokenId, namespace, serviceAccount string, podName ...string) *KeyInformation {
+	var pn string
+	var nn string
+	if len(podName) > 0 {
+		pn = podName[0]
+	}
+	if len(podName) > 1 {
+		nn = podName[1]
+	}
 	return &KeyInformation{
-		PodNameUID: podName,
-		LeaseId:    leaseId,
-		TokenId:    tokenId,
-		Namespace:  namespace,
+		PodNameUID:     podUuid,
+		LeaseId:        leaseId,
+		TokenId:        tokenId,
+		Namespace:      namespace,
+		PodName:        pn,
+		NodeName:       nn,
+		ServiceAccount: serviceAccount,
 	}
 }
 
 func (c *Connector) StoreData(ctx context.Context, vaultInformation *KeyInformation, secretName, uuid, namespace, prefix string) (string, error) {
 	data := map[string]interface{}{
-		"LeaseId":   vaultInformation.LeaseId,
-		"TokenId":   vaultInformation.TokenId,
-		"Namespace": vaultInformation.Namespace,
+		"LeaseId":            vaultInformation.LeaseId,
+		"TokenId":            vaultInformation.TokenId,
+		"Namespace":          vaultInformation.Namespace,
+		"ServiceAccountName": vaultInformation.ServiceAccount,
+		"PodName":            vaultInformation.PodName,
+		"NodeName":           vaultInformation.NodeName,
 	}
 
 	kv := c.client.KVv2(secretName)
@@ -72,6 +89,9 @@ func (c *Connector) DeleteData(ctx context.Context, podName, secretName, uuid, n
 }
 
 func safeString(v interface{}) string {
+	if v == nil {
+		return ""
+	}
 	s, _ := v.(string)
 	return s
 }
@@ -98,6 +118,9 @@ func (c *Connector) GetKeyInformations(ctx context.Context, podName, uuid, path,
 		safeString(dataMap["LeaseId"]),
 		safeString(dataMap["TokenId"]),
 		safeString(dataMap["Namespace"]),
+		safeString(dataMap["ServiceAccountName"]),
+		safeString(dataMap["PodName"]),
+		safeString(dataMap["NodeName"]),
 	)
 
 	return keyInfo, nil
@@ -163,6 +186,9 @@ func (c *Connector) ListKeyInformations(ctx context.Context, path, prefix string
 				safeString(dataMap["LeaseId"]),
 				safeString(dataMap["TokenId"]),
 				safeString(dataMap["Namespace"]),
+				safeString(dataMap["ServiceAccountName"]),
+				safeString(dataMap["PodName"]),
+				safeString(dataMap["NodeName"]),
 			)
 			keyInformationsChan <- keyInfo
 		}(k)
@@ -250,6 +276,14 @@ func (c *Connector) HandleTokens(ctx context.Context, cfg *config.Config, keysIn
 					isOk = false
 					return
 				}
+				if ki.ServiceAccount == "" || ki.NodeName == "" || ki.PodName == "" {
+					fullyKiInformations := NewKeyInformation(ki.PodNameUID, ki.LeaseId, ki.TokenId, ki.Namespace, podInfoMap[ki.PodNameUID].ServiceAccountName, podInfoMap[ki.PodNameUID].PodName, podInfoMap[ki.PodNameUID].NodeName)
+					c.Log.Debugf("Renewing information for UUID %s", ki.PodNameUID)
+					status, err := c.StoreData(ctx, fullyKiInformations, secretName, ki.PodNameUID, ki.Namespace, prefix)
+					if err != nil {
+						c.Log.Infof("%s : Extended vault information could not been saved, process will continue : %v", status, err)
+					}
+				}
 			} else {
 				leaseTooYoung, err := c.isLeaseTooYoung(ctx, ki.LeaseId)
 				if err != nil {

diff --git a/pkg/vault/handle_token_test.go b/pkg/vault/handle_token_test.go
@@ -48,8 +48,9 @@ func TestNewKeyInformation(t *testing.T) {
 	leaseId := "lease-id"
 	tokenId := "token-id"
 	namespace := "test-namespace"
+	serviceaccount := "sa"
 
-	keyInfo := NewKeyInformation(podName, leaseId, tokenId, namespace)
+	keyInfo := NewKeyInformation(podName, leaseId, tokenId, namespace, serviceaccount)
 	assert.Equal(t, podName, keyInfo.PodNameUID)
 	assert.Equal(t, leaseId, keyInfo.LeaseId)
 	assert.Equal(t, tokenId, keyInfo.TokenId)
@@ -125,6 +126,7 @@ func TestStoreData(t *testing.T) {
 				assert.Equal(t, tt.vaultInfo.LeaseId, data["LeaseId"])
 				assert.Equal(t, tt.vaultInfo.TokenId, data["TokenId"])
 				assert.Equal(t, tt.vaultInfo.Namespace, data["Namespace"])
+				assert.Equal(t, tt.vaultInfo.ServiceAccount, data["ServiceAccountName"])
 			}
 		})
 	}
@@ -179,9 +181,10 @@ func TestDeleteData(t *testing.T) {
 				// Setup data to delete
 				data := map[string]interface{}{
 					"data": map[string]interface{}{
-						"LeaseId":   "lease-id",
-						"TokenId":   "token-id",
-						"Namespace": "namespace",
+						"LeaseId":            "lease-id",
+						"TokenId":            "token-id",
+						"Namespace":          "namespace",
+						"ServiceAccountName": "sa",
 					},
 				}
 				_, err := client.Logical().Write("vault-db-injector/data/"+tt.prefix+"/"+tt.podName, data)

diff --git a/pkg/vault/vault.go b/pkg/vault/vault.go
@@ -168,7 +168,7 @@ func (c *Connector) CanIGetRoles(serviceAccountName, namespace, vaultAuthPath, d
 	return true, nil
 }
 
-func (c *Connector) GetDbCredentials(ctx context.Context, ttl, PodNameUID, namespace, secretName, prefix string) (*DbCreds, error) {
+func (c *Connector) GetDbCredentials(ctx context.Context, ttl, PodNameUID, namespace, secretName, prefix, serviceAccount string) (*DbCreds, error) {
 	// Create orphan token before retrieving BDD IDs
 	var policies []string
 	policies = append(policies, c.dbRole)
@@ -198,7 +198,7 @@ func (c *Connector) GetDbCredentials(ctx context.Context, ttl, PodNameUID, names
 	creds.DbLeaseId = secret.LeaseID
 	creds.DbTokenId = c.vaultToken
 
-	vaultInformation := NewKeyInformation(PodNameUID, creds.DbLeaseId, creds.DbTokenId, namespace)
+	vaultInformation := NewKeyInformation(PodNameUID, creds.DbLeaseId, creds.DbTokenId, namespace, serviceAccount, "", "")
 
 	c.SetToken(c.K8sSaVaultToken)