Support running plugins in isolated containers (#22712)

Implements running plugins in containers to give them some degree of isolation from the main Vault process and other plugins. It only supports running on Linux initially, where it is easiest to manage unix socket communication across the container boundary. Additionally * Adds -env arg to vault plugin register. * Don't return env from 'vault plugin info' Historically it's been omitted, and it could conceivably have secret information in it, so if we want to return it in the response, it should probably only be via explicit opt-in. Skipping for now though as it's not the main purpose of the commit.
2025-11-02 03:27:54 +00:00 · 2023-09-01 18:55:17 +01:00
parent c26aa9cb9e
commit 07e76196ba
19 changed files with 879 additions and 215 deletions
--- a/helper/testhelpers/pluginhelpers/pluginhelpers.go
+++ b/helper/testhelpers/pluginhelpers/pluginhelpers.go
@@ -12,6 +12,7 @@ import (
 	"os/exec"
 	"path"
 	"path/filepath"
+	"strings"
 	"sync"

 	"github.com/hashicorp/vault/sdk/helper/consts"
@@ -24,11 +25,13 @@ var (
 )

 type TestPlugin struct {
-	Name     string
-	Typ      consts.PluginType
-	Version  string
-	FileName string
-	Sha256   string
+	Name        string
+	Typ         consts.PluginType
+	Version     string
+	FileName    string
+	Sha256      string
+	Image       string
+	ImageSha256 string
 }

 func GetPlugin(t testing.T, typ consts.PluginType) (string, string, string, string) {
@@ -111,6 +114,7 @@ func CompilePlugin(t testing.T, typ consts.PluginType, pluginVersion string, plu
 		}
 		line = append(line, "-o", pluginPath, pluginMain)
 		cmd := exec.Command("go", line...)
+		cmd.Env = append(os.Environ(), "CGO_ENABLED=0")
 		cmd.Dir = dir
 		output, err := cmd.CombinedOutput()
 		if err != nil {
@@ -144,3 +148,25 @@ func CompilePlugin(t testing.T, typ consts.PluginType, pluginVersion string, plu
 		Sha256:   fmt.Sprintf("%x", sha.Sum(nil)),
 	}
 }
+
+func BuildPluginContainerImage(t testing.T, plugin TestPlugin, pluginDir string) (image string, sha256 string) {
+	t.Helper()
+	ref := plugin.Name
+	if plugin.Version != "" {
+		ref += ":" + strings.TrimPrefix(plugin.Version, "v")
+	}
+	args := []string{"build", "--tag=" + ref, "--build-arg=plugin=" + plugin.FileName, "--file=vault/testdata/Dockerfile", pluginDir}
+	cmd := exec.Command("docker", args...)
+	output, err := cmd.CombinedOutput()
+	if err != nil {
+		t.Fatal(fmt.Errorf("error running docker build %v output: %s", err, output))
+	}
+
+	cmd = exec.Command("docker", "images", ref, "--format={{ .ID }}", "--no-trunc")
+	id, err := cmd.CombinedOutput()
+	if err != nil {
+		t.Fatal(fmt.Errorf("error running docker build %v output: %s", err, output))
+	}
+
+	return plugin.Name, strings.TrimSpace(strings.TrimPrefix(string(id), "sha256:"))
+}