
Vault token caching does not seem to work properly #536

Closed
DaThumpingRabbit opened this issue Aug 14, 2023 · 1 comment

Comments

@DaThumpingRabbit
Contributor

Describe the bug
The plugin does not seem to re-use the vault token generated and cached at ~/.avp/config.json.

To Reproduce
I have a custom sidecar using AVP from a volume downloaded by an init container in ArgoCD; I mounted a volume at the ~/.avp/config.json path of the container so that the argocd user (999) can read and write there.
I am using the k8s auth type, and every time the plugin runs in the sidecar it generates a new Vault token and caches it in the file.

Expected behavior
I would expect the plugin to re-use the token until the ttl is reached.

Screenshots/Verbose output
vault configuration configmap

apiVersion: v1
kind: ConfigMap
data:
  config.yaml: |
    VAULT_ADDR: https://XXX/
    VAULT_NAMESPACE: YYY
    AVP_TYPE: "vault"
    AVP_AUTH_TYPE: "k8s"
    AVP_K8S_ROLE: "argocd-test"
    AVP_K8S_MOUNT_PATH: "auth/ZZZ"
    AVP_K8S_TOKEN_PATH: /var/run/secrets/tokens/vault-token
immutable: false

avp container

- command:
  - /var/run/argocd/argocd-cmp-server
  image: my-registry.com/cmp-vault:my-tag
  name: argocd-vault-plugin
  securityContext:
    runAsNonRoot: true
    runAsUser: 999
  volumeMounts:
  - mountPath: /usr/local/bin/argocd-vault-plugin
    name: custom-tools
    subPath: argocd-vault-plugin
  - mountPath: /var/run/secrets/tokens
    name: vault-token
  - mountPath: /etc/argocd-vault-plugin
    name: vault-configuration
  - mountPath: /var/run/argocd
    name: var-files
  - mountPath: /home/argocd/cmp-server/plugins
    name: plugins
  - mountPath: /tmp
    name: argocd-vault-plugin-tmp
  - mountPath: /.avp
    name: argocd-vault-plugin-cache
  - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
    name: kube-api-access-dcb4s
    readOnly: true

logs with verbose-sensitive-output flag

2023/08/14 13:09:15 reading configuration from config file /etc/argocd-vault-plugin/config.yaml, overriding any previous settings
2023/08/14 13:09:15 Setting VAULT_ADDR to https://XXX/ for backend SDK
2023/08/14 13:09:15 Setting VAULT_NAMESPACE to YYY for backend SDK
2023/08/14 13:09:15 reading configuration from environment, overriding any previous settings
2023/08/14 13:09:15 AVP configured with the following settings:
2023/08/14 13:09:15 avp_k8s_role: argocd-test
2023/08/14 13:09:15 avp_k8s_mount_path: auth/ZZZ
2023/08/14 13:09:15 avp_kv_version: 2
2023/08/14 13:09:15 avp_k8s_token_path: /var/run/secrets/tokens/vault-token
2023/08/14 13:09:15 vault_addr: https://XXX/
2023/08/14 13:09:15 vault_namespace: YYY
2023/08/14 13:09:15 avp_type: vault
2023/08/14 13:09:15 avp_auth_type: k8s
2023/08/14 13:09:15 Hashicorp Vault authenticating with Vault role argocd-test using Kubernetes service account token /var/run/secrets/kubernetes.io/serviceaccount/token read from REDACTED
2023/08/14 13:09:15 Hashicorp Vault authentication response: REDACTED
2023/08/14 13:09:15 found placeholder path:SECRET with modifiers [ base64encode]
2023/08/14 13:09:15 calling GetIndividualSecret for secret ****** from path SECRET at version
2023/08/14 13:09:15 Hashicorp Vault getting kv pairs from KV-V1 path SECRET
2023/08/14 13:09:15 Hashicorp Vault get kv pairs response: REDACTED
2023/08/14 13:09:15 processing modifier base64encode with args ["base64encode"]
apiVersion: v1
data:
  TEST: ******
kind: Secret
metadata:
  annotations: {}
  labels:
    name: test
  name: test
  namespace: test
type: Opaque
---

Additional context
I have checked multiple things already: the cache file is updated at every run of the plugin, even though the Vault backend role is configured with a TTL of 5 minutes (max TTL and explicit max TTL).

I have tried to look through the code (I am no Go expert) and found where the token is stored (https://github.com/argoproj-labs/argocd-vault-plugin/blob/main/pkg/utils/util.go#L62), but I couldn't find where the function that retrieves it is called (https://github.com/argoproj-labs/argocd-vault-plugin/blob/main/pkg/utils/util.go#L20).
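The reuse-until-TTL behaviour the report expects, written out as an added illustration in Go. This is not AVP's code and does not reproduce its config.json schema: cachePath, loadToken, saveToken and getToken are this example's own names, the on-disk record format is assumed, the login callback is a constructed stand-in for the Kubernetes auth round-trip, and resolving "~" through os.UserHomeDir is an assumption about how a Go program finds the home directory, not a statement about what AVP does.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
	"time"
)

// cachedToken is this example's own on-disk record (assumed schema, not
// AVP's config.json format): the token plus an absolute expiry derived from
// the TTL Vault returned at login.
type cachedToken struct {
	Token   string    `json:"token"`
	Expires time.Time `json:"expires"`
}

// cachePath resolves ~/.avp/config.json from the process's home directory.
// Whether AVP resolves "~" this way is an assumption; the point is that a
// volume mounted at /.avp is only found if HOME resolves to "/".
func cachePath() (string, error) {
	home, err := os.UserHomeDir()
	if err != nil {
		return "", err
	}
	return filepath.Join(home, ".avp", "config.json"), nil
}

// loadToken returns the cached token and true only if the file parses and
// the token has not expired at time now; any other condition is a cache miss.
func loadToken(path string, now time.Time) (string, bool) {
	b, err := os.ReadFile(path)
	if err != nil {
		return "", false
	}
	var c cachedToken
	if err := json.Unmarshal(b, &c); err != nil || c.Token == "" {
		return "", false
	}
	if !now.Before(c.Expires) {
		return "", false
	}
	return c.Token, true
}

// saveToken writes the record with owner-only permissions: the file holds a
// live Vault credential, so it must not be group- or world-readable.
func saveToken(path, token string, ttl time.Duration, now time.Time) error {
	if err := os.MkdirAll(filepath.Dir(path), 0o700); err != nil {
		return err
	}
	b, err := json.Marshal(cachedToken{Token: token, Expires: now.Add(ttl)})
	if err != nil {
		return err
	}
	return os.WriteFile(path, b, 0o600)
}

// getToken is the behaviour the report expects: reuse the cached token until
// its TTL elapses and call login (a stand-in for the Kubernetes auth
// round-trip, returning a token and its TTL) only on a miss. The second
// return value reports whether the token came from the cache.
func getToken(path string, now time.Time, login func() (string, time.Duration, error)) (string, bool, error) {
	if tok, ok := loadToken(path, now); ok {
		return tok, true, nil
	}
	tok, ttl, err := login()
	if err != nil {
		return "", false, err
	}
	if err := saveToken(path, tok, ttl, now); err != nil {
		return "", false, err
	}
	return tok, false, nil
}

func main() {
	if p, err := cachePath(); err == nil {
		// Compare this with the cache volume's mountPath in the sidecar manifest.
		fmt.Println("cache file resolved from HOME:", p)
	}
	// Constructed stand-in for k8s auth: every call mints a fresh token with
	// the 5 minute TTL the report's Vault role is configured with.
	n := 0
	login := func() (string, time.Duration, error) {
		n++
		return fmt.Sprintf("hvs.constructed-%d", n), 5 * time.Minute, nil
	}
	tmp := filepath.Join(os.TempDir(), "avp-example", "config.json")
	defer os.RemoveAll(filepath.Dir(tmp))
	base := time.Now()
	for _, offset := range []time.Duration{0, 2 * time.Minute, 6 * time.Minute} {
		tok, hit, err := getToken(tmp, base.Add(offset), login)
		fmt.Printf("t+%v: token=%s from_cache=%v err=%v\n", offset, tok, hit, err)
	}
}
```

Run with `go run` inside the sidecar image: the first line printed is the directory the process resolves "~" to, which is the path to compare with the cache volume's mountPath (/.avp in the manifest above), because in this design an unreadable or missing cache file is indistinguishable from an expired one and silently triggers a fresh login. The loop then shows a login at t+0, a cache hit at t+2m, and a re-login once the 5 minute TTL has elapsed at t+6m.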

2 participants