scottk/vault
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/vault.git synced 2025-11-03 20:17:59 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
add-connection-status
vault/command/agent/internal/ctmanager/runner_config.go
Peter Wilson 64dfff080a Fix non-JSON log messages when using -log-format JSON (#24252) 
* Fix non-JSON log messages when using -log-format JSON

Removed the call to consul-template's logging.Setup inside the created of config for the Runner. Instead we call it when we assign the logger to the Agent command.

* The elusive extra line

* Adjust the approach

* changelog

* Infer levels *with* timestamp prefix

* InferLeveslWithTimestamp required InferLevels

* Test to show -log-format and -log-file working in consul-template generated messages

* classic typo

---------

Co-authored-by: Violet Hynes <violet.hynes@hashicorp.com>
2023-11-29 12:46:18 +00:00

152 lines
4.9 KiB
Go
Raw Permalink Blame History

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1
package ctmanager
import (
"fmt"
"io"
"strings"
ctconfig "github.com/hashicorp/consul-template/config"
ctlogging "github.com/hashicorp/consul-template/logging"
"github.com/hashicorp/go-hclog"
"github.com/hashicorp/vault/command/agent/config"
"github.com/hashicorp/vault/sdk/helper/pointerutil"
)
type ManagerConfig struct {
AgentConfig *config.Config
Namespace string
LogLevel hclog.Level
LogWriter io.Writer
}
// NewConfig returns a consul-template runner configuration, setting the
// Vault and Consul configurations based on the clients configs.
func NewConfig(mc ManagerConfig, templates ctconfig.TemplateConfigs) (*ctconfig.Config, error) {
conf := ctconfig.DefaultConfig()
conf.Templates = templates.Copy()
// Setup the Vault config
// Always set these to ensure nothing is picked up from the environment
conf.Vault.RenewToken = pointerutil.BoolPtr(false)
conf.Vault.Token = pointerutil.StringPtr("")
conf.Vault.Address = &mc.AgentConfig.Vault.Address
if mc.Namespace != "" {
conf.Vault.Namespace = &mc.Namespace
}
if mc.AgentConfig.TemplateConfig != nil && mc.AgentConfig.TemplateConfig.StaticSecretRenderInt != 0 {
conf.Vault.DefaultLeaseDuration = &mc.AgentConfig.TemplateConfig.StaticSecretRenderInt
}
if mc.AgentConfig.DisableIdleConnsTemplating {
idleConns := -1
conf.Vault.Transport.MaxIdleConns = &idleConns
}
if mc.AgentConfig.DisableKeepAlivesTemplating {
conf.Vault.Transport.DisableKeepAlives = pointerutil.BoolPtr(true)
}
conf.Vault.SSL = &ctconfig.SSLConfig{
Enabled: pointerutil.BoolPtr(false),
Verify: pointerutil.BoolPtr(false),
Cert: pointerutil.StringPtr(""),
Key: pointerutil.StringPtr(""),
CaCert: pointerutil.StringPtr(""),
CaPath: pointerutil.StringPtr(""),
ServerName: pointerutil.StringPtr(""),
}
// If Vault.Retry isn't specified, use the default of 12 retries.
// This retry value will be respected regardless of if we use the cache.
attempts := ctconfig.DefaultRetryAttempts
if mc.AgentConfig.Vault != nil && mc.AgentConfig.Vault.Retry != nil {
attempts = mc.AgentConfig.Vault.Retry.NumRetries
}
// Use the cache if available or fallback to the Vault server values.
if mc.AgentConfig.Cache != nil {
if mc.AgentConfig.Cache.InProcDialer == nil {
return nil, fmt.Errorf("missing in-process dialer configuration")
}
if conf.Vault.Transport == nil {
conf.Vault.Transport = &ctconfig.TransportConfig{}
}
conf.Vault.Transport.CustomDialer = mc.AgentConfig.Cache.InProcDialer
// The in-process dialer ignores the address passed in, but we're still
// setting it here to override the setting at the top of this function,
// and to prevent the vault/http client from defaulting to https.
conf.Vault.Address = pointerutil.StringPtr("http://127.0.0.1:8200")
} else if strings.HasPrefix(mc.AgentConfig.Vault.Address, "https") || mc.AgentConfig.Vault.CACert != "" {
skipVerify := mc.AgentConfig.Vault.TLSSkipVerify
verify := !skipVerify
conf.Vault.SSL = &ctconfig.SSLConfig{
Enabled: pointerutil.BoolPtr(true),
Verify: &verify,
Cert: &mc.AgentConfig.Vault.ClientCert,
Key: &mc.AgentConfig.Vault.ClientKey,
CaCert: &mc.AgentConfig.Vault.CACert,
CaPath: &mc.AgentConfig.Vault.CAPath,
ServerName: &mc.AgentConfig.Vault.TLSServerName,
}
}
enabled := attempts > 0
conf.Vault.Retry = &ctconfig.RetryConfig{
Attempts: &attempts,
Enabled: &enabled,
}
// Sync Consul Template's retry with user set auto-auth initial backoff value.
// This is helpful if Auto Auth cannot get a new token and CT is trying to fetch
// secrets.
if mc.AgentConfig.AutoAuth != nil && mc.AgentConfig.AutoAuth.Method != nil {
if mc.AgentConfig.AutoAuth.Method.MinBackoff > 0 {
conf.Vault.Retry.Backoff = &mc.AgentConfig.AutoAuth.Method.MinBackoff
}
if mc.AgentConfig.AutoAuth.Method.MaxBackoff > 0 {
conf.Vault.Retry.MaxBackoff = &mc.AgentConfig.AutoAuth.Method.MaxBackoff
}
}
conf.Finalize()
// setup log level from TemplateServer config
conf.LogLevel = logLevelToStringPtr(mc.LogLevel)
if err := ctlogging.Setup(&ctlogging.Config{
Level: *conf.LogLevel,
Writer: mc.LogWriter,
}); err != nil {
return nil, err
}
return conf, nil
}
// logLevelToString converts a go-hclog level to a matching, uppercase string
// value. It's used to convert Vault Agent's hclog level to a string version
// suitable for use in Consul Template's runner configuration input.
func logLevelToStringPtr(level hclog.Level) *string {
// consul template's default level is WARN, but Vault Agent's default is INFO,
// so we use that for the Runner's default.
var levelStr string
switch level {
case hclog.Trace:
levelStr = "TRACE"
case hclog.Debug:
levelStr = "DEBUG"
case hclog.Warn:
levelStr = "WARN"
case hclog.Error:
levelStr = "ERR"
default:
levelStr = "INFO"
}
return pointerutil.StringPtr(levelStr)
}
Reference in New Issue View Git Blame Copy Permalink