VAULT-19255 - Add event based static secret cache updater to Vault Proxy (#23560)

* VAULT-19255 first pass at structure for event updater * VAULT-19255 some more work, committign before rebase * VAULT-19255 Mostly finish event updating scaffolding * VAULT-19255 some additional coverage, clean-up, etc * VAULT-19255 some clean-up * VAULT-19255 fix tests * VAULT-19255 more WIP event system integration * VAULT-19255 More WIP * VAULT-19255 more discovery * VAULT-19255 add new test, some clean up * VAULT-19255 fix bug, extra clean-up * VAULT-19255 fix bugs, and clean up * VAULT-19255 clean imports, add more godocs * VAULT-19255 add config for test * VAULT-19255 typo * VAULT-19255 don't do the kv refactor in this PR * VAULT-19255 update docs * VAULT-19255 PR feedback * VAULT-19255 More specific error messages
2025-10-30 18:17:55 +00:00 · 2023-10-16 10:14:36 -04:00
parent ebfde8f33e
commit d88c06ecaa
9 changed files with 1314 additions and 63 deletions
--- a/command/proxy.go
+++ b/command/proxy.go
@@ -433,6 +433,8 @@ func (c *ProxyCommand) Run(args []string) int {
 	ctx, cancelFunc := context.WithCancel(context.Background())
 	defer cancelFunc()

+	var updater *cache.StaticSecretCacheUpdater
+
 	// Parse proxy cache configurations
 	if config.Cache != nil {
 		cacheLogger := c.logger.Named("cache")
@@ -463,6 +465,33 @@ func (c *ProxyCommand) Run(args []string) int {
 				defer deferFunc()
 			}
 		}
+
+		// If we're caching static secrets, we need to start the updater, too
+		if config.Cache.CacheStaticSecrets {
+			staticSecretCacheUpdaterLogger := c.logger.Named("cache.staticsecretcacheupdater")
+			inmemSink, err := inmem.New(&sink.SinkConfig{
+				Logger: staticSecretCacheUpdaterLogger,
+			}, leaseCache)
+			if err != nil {
+				c.UI.Error(fmt.Sprintf("Error creating inmem sink for static secret updater susbsystem: %v", err))
+				return 1
+			}
+			sinks = append(sinks, &sink.SinkConfig{
+				Logger: staticSecretCacheUpdaterLogger,
+				Sink:   inmemSink,
+			})
+
+			updater, err = cache.NewStaticSecretCacheUpdater(&cache.StaticSecretCacheUpdaterConfig{
+				Client:     client,
+				LeaseCache: leaseCache,
+				Logger:     staticSecretCacheUpdaterLogger,
+				TokenSink:  inmemSink,
+			})
+			if err != nil {
+				c.UI.Error(fmt.Sprintf("Error creating static secret cache updater: %v", err))
+				return 1
+			}
+		}
 	}

 	var listeners []net.Listener
@@ -500,7 +529,7 @@ func (c *ProxyCommand) Run(args []string) int {
 		var inmemSink sink.Sink
 		if config.APIProxy != nil {
 			if config.APIProxy.UseAutoAuthToken {
-				apiProxyLogger.Debug("auto-auth token is allowed to be used; configuring inmem sink")
+				apiProxyLogger.Debug("configuring inmem auto-auth sink")
 				inmemSink, err = inmem.New(&sink.SinkConfig{
 					Logger: apiProxyLogger,
 				}, leaseCache)
@@ -699,6 +728,16 @@ func (c *ProxyCommand) Run(args []string) int {
 		})
 	}

+	// Add the static secret cache updater, if appropriate
+	if updater != nil {
+		g.Add(func() error {
+			err := updater.Run(ctx)
+			return err
+		}, func(error) {
+			cancelFunc()
+		})
+	}
+
 	// Server configuration output
 	padding := 24
 	sort.Strings(infoKeys)