v0.17.1: version bump and bug fixes (#350)

* v0.17.1 * recent set of fixes * test * gpg test * version bump --------- Co-authored-by: Volkan Ozcelik <[email protected]>
shieldworks · May 28, 2023 · 5f1ff40 · 5f1ff40
1 parent 1b37bfc
commit 5f1ff40
Show file tree

Hide file tree

Showing 41 changed files with 187 additions and 67 deletions.
diff --git a/Makefile b/Makefile
@@ -7,7 +7,7 @@
 #
 
 # The common version tag assigned to all the things.
-VERSION=0.17.0
+VERSION=0.17.1
 
 # tags a release
 tag:

diff --git a/app/safe/internal/bootstrap/bootstrap.go b/app/safe/internal/bootstrap/bootstrap.go
@@ -21,12 +21,12 @@ import (
  "time"
 )
 
-// NotifyTimeout waits for the duration specified by env.SafeSvidRetrievalTimeout()
+// NotifyTimeout waits for the duration specified by env.SafeBootstrapTimeout()
 // and then sends a 'true' value to the provided 'timedOut' channel. This function
 // can be used to notify other parts of the application when a specific timeout
 // has been reached.
 func NotifyTimeout(timedOut chan<- bool) {
- time.Sleep(env.SafeSvidRetrievalTimeout())
+ time.Sleep(env.SafeBootstrapTimeout())
  timedOut <- true
 }
 

diff --git a/app/safe/internal/server/route/delete.go b/app/safe/internal/server/route/delete.go
@@ -117,7 +117,7 @@ func Delete(cid string, w http.ResponseWriter, r *http.Request, svid string) {
  CorrelationId: cid,
  },
  })
- log.DebugLn(&cid, "Delete:End: workloadId", workloadId)
+ log.DebugLn(&cid, "Delete:End: workloadId:", workloadId)
 
  j.Event = audit.EventOk
  audit.Log(j)

diff --git a/app/safe/internal/state/secret-queue-delete.go b/app/safe/internal/state/secret-queue-delete.go
@@ -21,7 +21,7 @@ import (
 // writes to the same file at a time. An alternative approach would be
 // to have a map of queues of `SecretsStored`s per file name but that
 // feels like an overkill.
-var secretDeleteQueue = make(chan entity.SecretStored, env.SafeSecretBufferSize())
+var secretDeleteQueue = make(chan entity.SecretStored, env.SafeSecretDeleteBufferSize())
 
 func processSecretDeleteQueue() {
  errChan := make(chan error)

diff --git a/app/safe/internal/state/secret-queue-k8s-delete.go b/app/safe/internal/state/secret-queue-k8s-delete.go
@@ -11,13 +11,16 @@ package state
 import (
  entity "github.com/shieldworks/aegis/core/entity/data/v1"
  "github.com/shieldworks/aegis/core/env"
- "github.com/shieldworks/aegis/core/log"
 )
 
 // The secrets put here are synced with their Kubernetes Secret counterparts.
-var k8sSecretDeleteQueue = make(chan entity.SecretStored, env.SafeSecretBufferSize())
+var k8sSecretDeleteQueue = make(chan entity.SecretStored, env.SafeK8sSecretDeleteBufferSize())
 
 func processK8sSecretDeleteQueue() {
- id := "AEGIHK8D"
- log.InfoLn(&id, "processK8sSecretDeleteQueue: <implement:me>")
+ // id := "AEGIHK8D"
+
+ // No need to implement this; but we’ll keep the placeholder here, in case
+ // we find a need for it in the future.
+ //
+ // @see https://github.com/shieldworks/aegis/issues/268
 }
diff --git a/app/safe/internal/state/secret-queue-k8s.go b/app/safe/internal/state/secret-queue-k8s.go
@@ -15,7 +15,7 @@ import (
 )
 
 // The secrets put here are synced with their Kubernetes Secret counterparts.
-var k8sSecretQueue = make(chan entity.SecretStored, env.SafeSecretBufferSize())
+var k8sSecretQueue = make(chan entity.SecretStored, env.SafeK8sSecretBufferSize())
 
 func processK8sSecretQueue() {
  errChan := make(chan error)

diff --git a/app/safe/internal/state/state.go b/app/safe/internal/state/state.go
@@ -12,16 +12,17 @@ import (
  "bytes"
  "encoding/base64"
  entity "github.com/shieldworks/aegis/core/entity/data/v1"
+ "github.com/shieldworks/aegis/core/env"
  "github.com/shieldworks/aegis/core/log"
- "sync"
  "time"
 )
 
 const InitialSecretValue = `{"empty":true}`
 const BlankAgeKeyValue = "{}"
 
+// ageKey is set only once during initialization; we don’t need to lock
+// access to it.
 var ageKey = ""
-var lock sync.Mutex
 
 // Initialize starts two goroutines: one to process the secret queue and
 // another to process the Kubernetes secret queue. These goroutines are
@@ -34,9 +35,9 @@ func Initialize() {
 }
 
 // SetAgeKey sets the age key to be used for encryption and decryption.
+// This function is not thread-safe and should only be called once during
+// initialization.
 func SetAgeKey(k string) {
- lock.Lock()
- defer lock.Unlock()
  ageKey = k
 }
 
@@ -204,7 +205,10 @@ func UpsertSecret(secret entity.SecretStored, appendValue bool) {
  }
 
  useK8sSecrets := secret.Meta.UseKubernetesSecret
- if useK8sSecrets {
+
+ // If useK8sSecrets is not set, use the value from the environment.
+ // The environment value defaults to false, too, if not set.
+ if useK8sSecrets || env.SafeUseKubernetesSecrets() {
  log.TraceLn(
  &cid,
  "UpsertSecret: will push Kubernetes secret. len", len(k8sSecretQueue),
@@ -242,7 +246,10 @@ func DeleteSecret(secret entity.SecretStored) {
  }
 
  useK8sSecrets := secret.Meta.UseKubernetesSecret
- if useK8sSecrets {
+
+ // If useK8sSecrets is not set, use the value from the environment.
+ // The environment value defaults to false, too, if not set.
+ if useK8sSecrets || env.SafeUseKubernetesSecrets() {
  log.TraceLn(
  &cid,
  "DeleteSecret: will push Kubernetes secret to delete. len", len(k8sSecretDeleteQueue),

diff --git a/app/safe/internal/state/stats.go b/app/safe/internal/state/stats.go
@@ -19,7 +19,7 @@ type Status struct {
  K8sQueueLen int
  K8sQueueCap int
  NumSecrets int
- lock *sync.Mutex
+ lock *sync.RWMutex
 }
 
 var currentState = Status{
@@ -28,7 +28,7 @@ var currentState = Status{
  K8sQueueLen: 0,
  K8sQueueCap: 0,
  NumSecrets: 0,
- lock: &sync.Mutex{},
+ lock: &sync.RWMutex{},
 }
 
 // Increment is a method for the Status struct that increments the NumSecrets
@@ -56,8 +56,8 @@ func (s *Status) Decrement(name string) {
 // Stats returns a copy of the currentState Status object, providing a snapshot
 // of the current status of the secret manager.
 func Stats() Status {
- currentState.lock.Lock()
- defer currentState.lock.Unlock()
+ currentState.lock.RLock()
+ defer currentState.lock.RUnlock()
 
  currentState.K8sQueueCap = cap(k8sSecretQueue)
  currentState.K8sQueueLen = len(k8sSecretQueue)

diff --git a/core/audit/audit.go b/core/audit/audit.go
@@ -37,9 +37,10 @@ type JournalEntry struct {
  Event Event
 }
 
-func printAudit(correlationId, method, url, svid, message string) {
+func printAudit(correlationId, entityName, method, url, svid, message string) {
  log.AuditLn(
  &correlationId,
+ entityName,
  "{{"+
  "method:[["+method+"]],"+
  "url:[["+url+"]],"+
@@ -52,50 +53,72 @@ func Log(e JournalEntry) {
  if e.Entity == nil {
  printAudit(
  e.CorrelationId,
+ "nil",
  e.Method, e.Url, e.Svid, string(e.Event),
  )
  }
 
  switch v := e.Entity.(type) {
+ case reqres.SecretDeleteRequest:
+ printAudit(
+ e.CorrelationId,
+ "SecretDeleteRequest",
+ e.Method, e.Url, e.Svid,
+ "w:'"+v.WorkloadId+"',e:'"+v.Err+"',m:'"+string(e.Event)+"'",
+ )
+ case reqres.SecretDeleteResponse:
+ printAudit(
+ e.CorrelationId,
+ "SecretDeleteResponse",
+ e.Method, e.Url, e.Svid,
+ "e:'"+v.Err+"',m:'"+string(e.Event)+"'",
+ )
  case reqres.SecretFetchRequest:
  printAudit(
  e.CorrelationId,
+ "SecretFetchRequest",
  e.Method, e.Url, e.Svid,
  "e:'"+v.Err+"',m:'"+string(e.Event)+"'",
  )
  case reqres.SecretFetchResponse:
  printAudit(
  e.CorrelationId,
+ "SecretFetchResponse",
  e.Method, e.Url, e.Svid,
  "e:'"+v.Err+",'c:'"+v.Created+",'u:'"+v.Updated+",'m:'"+string(e.Event)+"'",
  )
  case reqres.SecretUpsertRequest:
  printAudit(
  e.CorrelationId,
+ "SecretUpsertRequest",
  e.Method, e.Url, e.Svid,
  "e:'"+v.Err+"',m:'"+string(e.Event)+"'",
  )
  case reqres.SecretUpsertResponse:
  printAudit(
  e.CorrelationId,
+ "SecretUpsertResponse",
  e.Method, e.Url, e.Svid,
  "e:'"+v.Err+"',m:'"+string(e.Event)+"'",
  )
  case reqres.SecretListRequest:
  printAudit(
  e.CorrelationId,
+ "SecretListRequest",
  e.Method, e.Url, e.Svid,
  "e:'"+v.Err+"',m:'"+string(e.Event)+"'",
  )
  case reqres.SecretListResponse:
  printAudit(
  e.CorrelationId,
+ "SecretListResponse",
  e.Method, e.Url, e.Svid,
  "e:'"+v.Err+"',m:'"+string(e.Event)+"'",
  )
  default:
  printAudit(
  e.CorrelationId,
+ "UnknownEntity",
  e.Method, e.Url, e.Svid,
  "e: UNKNOWN ENTITY in AUDIT LOG",
  )

diff --git a/core/env/safe.go b/core/env/safe.go
@@ -38,6 +38,75 @@ func SafeSecretBufferSize() int {
  return l
 }
 
+// SafeK8sSecretBufferSize returns the buffer size for the Aegis Safe Kubernetes
+// secret queue.
+//
+// The buffer size is determined by the environment variable
+// AEGIS_SAFE_K8S_SECRET_BUFFER_SIZE.
+//
+// If the environment variable is not set, the default buffer size is 10.
+// If the environment variable is set and can be parsed as an integer,
+// it will be used as the buffer size.
+// If the environment variable is set but cannot be parsed as an integer,
+// the default buffer size is used.
+func SafeK8sSecretBufferSize() int {
+ p := os.Getenv("AEGIS_SAFE_K8S_SECRET_BUFFER_SIZE")
+ if p == "" {
+ return 10
+ }
+ l, err := strconv.Atoi(p)
+ if err != nil {
+ return 10
+ }
+ return l
+}
+
+// SafeSecretDeleteBufferSize returns the buffer size for the Aegis Safe secret
+// deletion queue.
+//
+// The buffer size is determined by the environment variable
+// AEGIS_SAFE_SECRET_DELETE_BUFFER_SIZE.
+//
+// If the environment variable is not set, the default buffer size is 10.
+// If the environment variable is set and can be parsed as an integer,
+// it will be used as the buffer size.
+// If the environment variable is set but cannot be parsed as an integer,
+// the default buffer size is used.
+func SafeSecretDeleteBufferSize() int {
+ p := os.Getenv("AEGIS_SAFE_SECRET_DELETE_BUFFER_SIZE")
+ if p == "" {
+ return 10
+ }
+ l, err := strconv.Atoi(p)
+ if err != nil {
+ return 10
+ }
+ return l
+}
+
+// SafeK8sSecretDeleteBufferSize returns the buffer size for the Aegis Safe
+// Kubernetes secret deletion queue.
+//
+// The buffer size is determined by the environment variable
+// AEGIS_SAFE_K8S_SECRET_DELETE_BUFFER_SIZE.
+//
+// If the environment variable is not set, the default buffer size is 10.
+// If the environment variable is set and can be parsed as an integer,
+// it will be used as the buffer size.
+// If the environment variable is set but cannot be parsed as an integer,
+// the default buffer size is used.
+func SafeK8sSecretDeleteBufferSize() int {
+ p := os.Getenv("AEGIS_SAFE_K8S_SECRET_DELETE_BUFFER_SIZE")
+ if p == "" {
+ return 10
+ }
+ l, err := strconv.Atoi(p)
+ if err != nil {
+ return 10
+ }
+ return l
+}
+
 // SafeBackingStore returns the storage type for the data,
 // as specified in the AEGIS_SAFE_BACKING_STORE environment variable.
 // If the environment variable is not set, it defaults to "file".
@@ -123,13 +192,13 @@ func SafeAgeKeyPath() string {
  return p
 }
 
-// SafeSvidRetrievalTimeout returns the allowed time for Aegis Safe to wait
+// SafeBootstrapTimeout returns the allowed time for Aegis Safe to wait
 // before killing the pod to retrieve an SVID, in time.Duration.
-// The interval is determined by the AEGIS_SAFE_SVID_RETRIEVAL_TIMEOUT environment
+// The interval is determined by the AEGIS_SAFE_BOOTSTRAP_TIMEOUT environment
 // variable, with a default value of 30000 milliseconds if the variable is not
 // set or if there is an error in parsing the value.
-func SafeSvidRetrievalTimeout() time.Duration {
- p := os.Getenv("AEGIS_SAFE_SVID_RETRIEVAL_TIMEOUT")
+func SafeBootstrapTimeout() time.Duration {
+ p := os.Getenv("AEGIS_SAFE_BOOTSTRAP_TIMEOUT")
  if p == "" {
  p = "30000"
  }

diff --git a/core/log/log.go b/core/log/log.go
@@ -31,7 +31,7 @@ const (
 )
 
 var currentLevel = Level(env.LogLevel())
-var mux sync.Mutex
+var mux sync.RWMutex
 
 // SetLevel sets the global log level to the provided level.
 //
@@ -48,8 +48,8 @@ func SetLevel(l Level) {
 
 // GetLevel returns the current global log level.
 func GetLevel() Level {
- mux.Lock()
- defer mux.Unlock()
+ mux.RLock()
+ defer mux.RUnlock()
  return currentLevel
 }
 

diff --git a/dockerfiles/aegis-ist/init-container.Dockerfile b/dockerfiles/aegis-ist/init-container.Dockerfile
@@ -23,7 +23,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -mod vendor -a -o aegis-init-container \
 FROM gcr.io/distroless/static-debian11
 
 LABEL "maintainers"="Volkan Özçelik <[email protected]>"
-LABEL "version"="0.17.0"
+LABEL "version"="0.17.1"
 LABEL "website"="https://aegis.ist/"
 LABEL "repo"="https://github.com/shieldworks/aegis"
 LABEL "documentation"="https://aegis.ist/docs/"

diff --git a/dockerfiles/aegis-ist/safe.Dockerfile b/dockerfiles/aegis-ist/safe.Dockerfile
@@ -21,7 +21,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -mod vendor -a -o aegis-safe ./app/safe/cm
 FROM gcr.io/distroless/static-debian11
 
 LABEL "maintainers"="Volkan Özçelik <[email protected]>"
-LABEL "version"="0.17.0"
+LABEL "version"="0.17.1"
 LABEL "website"="https://aegis.ist/"
 LABEL "repo"="https://github.com/shieldworks/aegis-safe"
 LABEL "documentation"="https://aegis.ist/docs/"

diff --git a/dockerfiles/aegis-ist/sentinel.Dockerfile b/dockerfiles/aegis-ist/sentinel.Dockerfile
@@ -21,7 +21,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -mod vendor -a -o sloth ./app/sentinel/bus
 FROM gcr.io/distroless/static-debian11
 
 LABEL "maintainers"="Volkan Özçelik <[email protected]>"
-LABEL "version"="0.17.0"
+LABEL "version"="0.17.1"
 LABEL "website"="https://aegis.ist/"
 LABEL "repo"="https://github.com/shieldworks/aegis-sentinel"
 LABEL "documentation"="https://aegis.ist/docs/"

diff --git a/dockerfiles/aegis-ist/sidecar.Dockerfile b/dockerfiles/aegis-ist/sidecar.Dockerfile
@@ -21,7 +21,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -mod vendor -a -o aegis-sidecar ./app/side
 FROM gcr.io/distroless/static-debian11
 
 LABEL "maintainers"="Volkan Özçelik <[email protected]>"
-LABEL "version"="0.17.0"
+LABEL "version"="0.17.1"
 LABEL "website"="https://aegis.ist/"
 LABEL "repo"="https://github.com/shieldworks/aegis"
 LABEL "documentation"="https://aegis.ist/docs/"