AutoMTLS for secrets/auth plugins (#15671)

* use automtls for v5 secrets/auth plugins

* add automtls env guard

* start backend without metadata mode

* use PluginClientConfig for backend's NewPluginClient param

refactor

* - fix pluginutil test
- do not expect plugin to be unloaded in UT
- fix pluginutil tests --need new env var
- use require in UT
- fix lazy load test

* add changelog

* prioritize automtls; improve comments

* user multierror; refactor pluginSet for v4 unit test

* add test cases for v4 and v5 plugin versions

* remove unnecessary call to AutoMTLSSupported

* update comment on pluginSets

* use runconfig directly in sdk newpluginclient

* use automtls without metadatamode for v5 backend plugin registration

* use multierror for plugin runconfig calls

* remove some unnecessary code

sdk/plugin/plugin.go

@@ -7,7 +7,6 @@ import (
 	"sync"
 
 	"github.com/hashicorp/errwrap"
-	log "github.com/hashicorp/go-hclog"
 	plugin "github.com/hashicorp/go-plugin"
 	"github.com/hashicorp/vault/sdk/helper/consts"
 	"github.com/hashicorp/vault/sdk/helper/pluginutil"
@@ -35,7 +34,7 @@ func (b *BackendPluginClient) Cleanup(ctx context.Context) {
 // external plugins, or a concrete implementation of the backend if it is a builtin backend.
 // The backend is returned as a logical.Backend interface. The isMetadataMode param determines whether
 // the plugin should run in metadata mode.
-func NewBackend(ctx context.Context, pluginName string, pluginType consts.PluginType, sys pluginutil.LookRunnerUtil, conf *logical.BackendConfig, isMetadataMode bool) (logical.Backend, error) {
+func NewBackend(ctx context.Context, pluginName string, pluginType consts.PluginType, sys pluginutil.LookRunnerUtil, conf *logical.BackendConfig, isMetadataMode bool, autoMTLS bool) (logical.Backend, error) {
 	// Look for plugin in the plugin catalog
 	pluginRunner, err := sys.LookupPlugin(ctx, pluginName, pluginType)
 	if err != nil {
@@ -59,8 +58,16 @@ func NewBackend(ctx context.Context, pluginName string, pluginType consts.Plugin
 			}
 		}
 	} else {
+		config := pluginutil.PluginClientConfig{
+			Name:           pluginName,
+			PluginType:     pluginType,
+			Logger:         conf.Logger.Named(pluginName),
+			IsMetadataMode: isMetadataMode,
+			AutoMTLS:       autoMTLS,
+			Wrapper:        sys,
+		}
 		// create a backendPluginClient instance
-		backend, err = NewPluginClient(ctx, sys, pluginRunner, conf.Logger, isMetadataMode)
+		backend, err = NewPluginClient(ctx, pluginRunner, config)
 		if err != nil {
 			return nil, err
 		}
@@ -69,34 +76,49 @@ func NewBackend(ctx context.Context, pluginName string, pluginType consts.Plugin
 	return backend, nil
 }
 
-func NewPluginClient(ctx context.Context, sys pluginutil.RunnerUtil, pluginRunner *pluginutil.PluginRunner, logger log.Logger, isMetadataMode bool) (logical.Backend, error) {
-	// pluginMap is the map of plugins we can dispense.
-	pluginSet := map[int]plugin.PluginSet{
+// pluginSet returns the go-plugin PluginSet that we can dispense. This ensures
+// that plugins that don't support AutoMTLS are run on the appropriate version.
+func pluginSet(autoMTLS, metadataMode bool) map[int]plugin.PluginSet {
+	if autoMTLS {
+		return map[int]plugin.PluginSet{
+			5: {
+				"backend": &GRPCBackendPlugin{
+					MetadataMode:      false,
+					AutoMTLSSupported: true,
+				},
+			},
+		}
+	}
+	return map[int]plugin.PluginSet{
 		// Version 3 used to supports both protocols. We want to keep it around
 		// since it's possible old plugins built against this version will still
 		// work with gRPC. There is currently no difference between version 3
 		// and version 4.
 		3: {
 			"backend": &GRPCBackendPlugin{
-				MetadataMode: isMetadataMode,
+				MetadataMode: metadataMode,
 			},
 		},
 		4: {
 			"backend": &GRPCBackendPlugin{
-				MetadataMode: isMetadataMode,
+				MetadataMode: metadataMode,
 			},
 		},
 	}
+}
 
-	namedLogger := logger.Named(pluginRunner.Name)
+func NewPluginClient(ctx context.Context, pluginRunner *pluginutil.PluginRunner, config pluginutil.PluginClientConfig) (logical.Backend, error) {
+	ps := pluginSet(config.AutoMTLS, config.IsMetadataMode)
 
-	var client *plugin.Client
-	var err error
-	if isMetadataMode {
-		client, err = pluginRunner.RunMetadataMode(ctx, sys, pluginSet, handshakeConfig, []string{}, namedLogger)
-	} else {
-		client, err = pluginRunner.Run(ctx, sys, pluginSet, handshakeConfig, []string{}, namedLogger)
-	}
+	client, err := pluginRunner.RunConfig(ctx,
+		pluginutil.Runner(config.Wrapper),
+		pluginutil.PluginSets(ps),
+		pluginutil.HandshakeConfig(handshakeConfig),
+		pluginutil.Env(),
+		pluginutil.Logger(config.Logger),
+		pluginutil.MetadataMode(config.IsMetadataMode),
+		pluginutil.AutoMTLS(config.AutoMTLS),
+	)
 	if err != nil {
 		return nil, err
 	}
@@ -126,9 +148,9 @@ func NewPluginClient(ctx context.Context, sys pluginutil.RunnerUtil, pluginRunne
 	}
 
 	// Wrap the backend in a tracing middleware
-	if namedLogger.IsTrace() {
+	if config.Logger.IsTrace() {
 		backend = &backendTracingMiddleware{
-			logger: namedLogger.With("transport", transport),
+			logger: config.Logger.With("transport", transport),
 			next:   backend,
 		}
 	}