backport of commit 69fda8da76 (#22923)

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>

sdk/helper/pluginutil/run_config.go

@@ -20,6 +20,15 @@ import (
 	"github.com/hashicorp/vault/sdk/helper/pluginruntimeutil"
 )
 
+const (
+	// Labels for plugin container ownership
+	labelVaultPID           = "com.hashicorp.vault.pid"
+	labelVaultClusterID     = "com.hashicorp.vault.cluster.id"
+	labelVaultPluginName    = "com.hashicorp.vault.plugin.name"
+	labelVaultPluginVersion = "com.hashicorp.vault.plugin.version"
+	labelVaultPluginType    = "com.hashicorp.vault.plugin.type"
+)
+
 type PluginClientConfig struct {
 	Name            string
 	PluginType      consts.PluginType
@@ -123,7 +132,10 @@ func (rc runConfig) makeConfig(ctx context.Context) (*plugin.ClientConfig, error
 			Hash:     sha256.New(),
 		}
 	} else {
-		containerCfg := rc.containerConfig(cmd.Env)
+		containerCfg, err := rc.containerConfig(ctx, cmd.Env)
+		if err != nil {
+			return nil, err
+		}
 		clientConfig.SkipHostEnv = true
 		clientConfig.RunnerFunc = containerCfg.NewContainerRunner
 		clientConfig.UnixSocketConfig = &plugin.UnixSocketConfig{
@@ -133,7 +145,11 @@ func (rc runConfig) makeConfig(ctx context.Context) (*plugin.ClientConfig, error
 	return clientConfig, nil
 }
 
-func (rc runConfig) containerConfig(env []string) *plugincontainer.Config {
+func (rc runConfig) containerConfig(ctx context.Context, env []string) (*plugincontainer.Config, error) {
+	clusterID, err := rc.Wrapper.ClusterID(ctx)
+	if err != nil {
+		return nil, err
+	}
 	cfg := &plugincontainer.Config{
 		Image:  rc.image,
 		Tag:    rc.imageTag,
@@ -143,9 +159,14 @@ func (rc runConfig) containerConfig(env []string) *plugincontainer.Config {
 		GroupAdd: os.Getgid(),
 		Runtime:  consts.DefaultContainerPluginOCIRuntime,
 		Labels: map[string]string{
-			"managed-by": "hashicorp.com/vault",
+			labelVaultPID:           strconv.Itoa(os.Getpid()),
+			labelVaultClusterID:     clusterID,
+			labelVaultPluginName:    rc.PluginClientConfig.Name,
+			labelVaultPluginType:    rc.PluginClientConfig.PluginType.String(),
+			labelVaultPluginVersion: rc.PluginClientConfig.Version,
 		},
 	}
+
 	// Use rc.command and rc.args directly instead of cmd.Path and cmd.Args, as
 	// exec.Command may mutate the provided command.
 	if rc.command != "" {
@@ -163,7 +184,7 @@ func (rc runConfig) containerConfig(env []string) *plugincontainer.Config {
 		}
 	}
 
-	return cfg
+	return cfg, nil
 }
 
 func (rc runConfig) run(ctx context.Context) (*plugin.Client, error) {
@@ -240,6 +261,11 @@ func (r *PluginRunner) RunConfig(ctx context.Context, opts ...RunOpt) (*plugin.C
 		sha256:        r.Sha256,
 		env:           r.Env,
 		runtimeConfig: r.RuntimeConfig,
+		PluginClientConfig: PluginClientConfig{
+			Name:       r.Name,
+			PluginType: r.Type,
+			Version:    r.Version,
+		},
 	}
 
 	for _, opt := range opts {

sdk/helper/pluginutil/run_config_test.go

@@ -432,11 +432,16 @@ func (m *mockRunnerUtil) MlockEnabled() bool {
 	return args.Bool(0)
 }
 
+func (m *mockRunnerUtil) ClusterID(ctx context.Context) (string, error) {
+	return "1234", nil
+}
+
 func TestContainerConfig(t *testing.T) {
 	dummySHA, err := hex.DecodeString("abc123")
 	if err != nil {
 		t.Fatal(err)
 	}
+	myPID := strconv.Itoa(os.Getpid())
 	for name, tc := range map[string]struct {
 		rc       runConfig
 		expected plugincontainer.Config
@@ -462,6 +467,9 @@ func TestContainerConfig(t *testing.T) {
 					},
 					Logger:     hclog.NewNullLogger(),
 					AutoMTLS:   true,
+					Name:       "some-plugin",
+					PluginType: consts.PluginTypeCredential,
+					Version:    "v0.1.0",
 				},
 			},
 			expected: plugincontainer.Config{
@@ -477,7 +485,11 @@ func TestContainerConfig(t *testing.T) {
 					fmt.Sprintf("%s=%t", PluginAutoMTLSEnv, true),
 				},
 				Labels: map[string]string{
-					"managed-by": "hashicorp.com/vault",
+					labelVaultPID:           myPID,
+					labelVaultClusterID:     "1234",
+					labelVaultPluginName:    "some-plugin",
+					labelVaultPluginType:    "auth",
+					labelVaultPluginVersion: "v0.1.0",
 				},
 				Runtime:  consts.DefaultContainerPluginOCIRuntime,
 				GroupAdd: os.Getgid(),
@@ -507,6 +519,9 @@ func TestContainerConfig(t *testing.T) {
 					},
 					Logger:     hclog.NewNullLogger(),
 					AutoMTLS:   true,
+					Name:       "some-plugin",
+					PluginType: consts.PluginTypeCredential,
+					Version:    "v0.1.0",
 				},
 			},
 			expected: plugincontainer.Config{
@@ -519,7 +534,11 @@ func TestContainerConfig(t *testing.T) {
 					fmt.Sprintf("%s=%t", PluginAutoMTLSEnv, true),
 				},
 				Labels: map[string]string{
-					"managed-by": "hashicorp.com/vault",
+					labelVaultPID:           myPID,
+					labelVaultClusterID:     "1234",
+					labelVaultPluginName:    "some-plugin",
+					labelVaultPluginType:    "auth",
+					labelVaultPluginVersion: "v0.1.0",
 				},
 				Runtime:      "some-oci-runtime",
 				GroupAdd:     os.Getgid(),
@@ -540,7 +559,8 @@ func TestContainerConfig(t *testing.T) {
 			if err != nil {
 				t.Fatal(err)
 			}
-			cfg := tc.rc.containerConfig(cmd.Env)
+			cfg, err := tc.rc.containerConfig(context.Background(), cmd.Env)
+			require.NoError(t, err)
 			require.Equal(t, tc.expected, *cfg)
 		})
 	}

sdk/helper/pluginutil/runner.go

@@ -33,6 +33,7 @@ type RunnerUtil interface {
 	ResponseWrapData(ctx context.Context, data map[string]interface{}, ttl time.Duration, jwt bool) (*wrapping.ResponseWrapInfo, error)
 	MlockEnabled() bool
 	VaultVersion(ctx context.Context) (string, error)
+	ClusterID(ctx context.Context) (string, error)
 }
 
 // LookRunnerUtil defines the functions for both Looker and Wrapper