Ability to Use Postgres as a Backing Store for VSecM Safe (#1165)

Maintains feature parity with the former version. Unit and integration tests pass. I'm merging this. Will do follow-up PRs to address `TODO:` comments in the code, and also clean-up the code. --- * wip * add polling to main to test config setting for safe itself * temporarily disable relay client * testing persistence to postgres * SQL statement change * lastworking * add entity.go * mostly-working version * fixed store response * add guard clauses * more debugging * exception for initial persistence to db * changes
vmware-tanzu · Oct 12, 2024 · 4d050c9 · 4d050c9
1 parent d85c1fb
commit 4d050c9
Show file tree

Hide file tree

Showing 21 changed files with 365 additions and 22 deletions.
diff --git a/app/safe/cmd/entity.go b/app/safe/cmd/entity.go
@@ -0,0 +1,47 @@
+/*
+| Protect your secrets, protect your sensitive data.
+: Explore VMware Secrets Manager docs at https://vsecm.com/
+</
+<>/ keep your secrets... secret
+>/
+<>/' Copyright 2023-present VMware Secrets Manager contributors.
+>/' SPDX-License-Identifier: BSD-2-Clause
+*/
+
+package main
+
+// TODO: obviously there is a need for cleanup; once things start to work
+// as expected, move the codes to where they should belong.
+
+// TODO: move me to a proper place.
+
+// TODO: by design, VSecM Safe will not use more than one backing store
+// (create an ADR for that).
+// This means, there is a chicken-and-the-egg problem for persisting the
+// internal VSecM Safe configuration.
+//
+// For postgres backing store, VSecM Safe should keep its initial config
+// in memory until the database is there; and then it should save it to
+// the database, too.
+
+// TODO: we should check for the existence of the table in postgres and
+// log an error if it's not there.
+
+// TODO: when postgres mode vsecm safe shall be read-only (except for config update)
+// until it is initialized. once initialized, it should save its config to postgres too
+// and then it should be readwrite.
+
+// TODO: we need documentation for this postgres store feature. (and also a demo recording)
+
+// TODO: it's best block requests when the db is not ready yet (in postgres mode)
+// because otherwise, the initCommand will retry in exponential backoff and
+// eventually give up.
+// or the keystone secret will not be persisted although keystone will
+// be informed that safe is ready.
+
+type SafeConfig struct {
+ Config struct {
+ BackingStore string `json:"backingStore"`
+ DataSourceName string `json:"dataSourceName"`
+ } `json:"config"`
+}
diff --git a/app/safe/cmd/main.go b/app/safe/cmd/main.go
@@ -12,18 +12,48 @@ package main
 
 import (
  "context"
+ "encoding/json"
+ "time"
 
  "github.com/spiffe/go-spiffe/v2/workloadapi"
 
  "github.com/vmware-tanzu/secrets-manager/app/safe/internal/bootstrap"
  server "github.com/vmware-tanzu/secrets-manager/app/safe/internal/server/engine"
+ "github.com/vmware-tanzu/secrets-manager/app/safe/internal/state/io"
+ "github.com/vmware-tanzu/secrets-manager/app/safe/internal/state/secret/collection"
  "github.com/vmware-tanzu/secrets-manager/core/constants/env"
  "github.com/vmware-tanzu/secrets-manager/core/constants/key"
  "github.com/vmware-tanzu/secrets-manager/core/crypto"
+ entity "github.com/vmware-tanzu/secrets-manager/core/entity/v1/data"
+ cEnv "github.com/vmware-tanzu/secrets-manager/core/env"
  log "github.com/vmware-tanzu/secrets-manager/core/log/std"
  "github.com/vmware-tanzu/secrets-manager/core/probe"
 )
 
+func pollForConfig(ctx context.Context, id string) (*SafeConfig, error) {
+ for {
+ log.InfoLn(&id, "Polling for VSecM Safe internal configuration")
+ select {
+ case <-ctx.Done():
+ return nil, ctx.Err()
+ default:
+ vSecMSafeInternalConfig, err := collection.ReadSecret(id, "vsecm-safe")
+ if err != nil {
+ log.InfoLn(&id, "Failed to load VSecM Safe internal configuration", err.Error())
+ } else if vSecMSafeInternalConfig != nil && len(vSecMSafeInternalConfig.Values) > 0 {
+ var safeConfig SafeConfig
+ err := json.Unmarshal([]byte(vSecMSafeInternalConfig.Values[0]), &safeConfig)
+ if err != nil {
+ log.InfoLn(&id, "Failed to parse VSecM Safe internal configuration", err.Error())
+ } else {
+ return &safeConfig, nil
+ }
+ }
+ time.Sleep(5 * time.Second)
+ }
+ }
+}
+
 func main() {
  id := crypto.Id()
 
@@ -38,6 +68,28 @@ func main() {
  )
  defer cancel()
 
+ if cEnv.BackingStoreForSafe() == entity.Postgres {
+ go func() {
+ log.InfoLn(&id, "Backing store is postgres.")
+ log.InfoLn(&id, "VSecM Safe will remain read-only until the internal configuration is loaded.")
+
+ safeConfig, err := pollForConfig(ctx, id)
+ if err != nil {
+ log.FatalLn(&id, "Failed to retrieve VSecM Safe internal configuration", err.Error())
+ }
+
+ log.InfoLn(&id, "VSecM Safe internal configuration loaded. Initializing database.")
+
+ err = io.InitDB(safeConfig.Config.DataSourceName)
+ if err != nil {
+ log.FatalLn(&id, "Failed to initialize database:", err)
+ return
+ }
+
+ log.InfoLn(&id, "Database connection initialized.")
+ }()
+ }
+
  log.InfoLn(&id, "Acquiring identity...")
 
  // Channel to notify when the bootstrap timeout has been reached.

diff --git a/app/safe/internal/server/route/base/extract/extract.go b/app/safe/internal/server/route/base/extract/extract.go
@@ -19,7 +19,7 @@ import (
  log "github.com/vmware-tanzu/secrets-manager/core/log/std"
 )
 
-// WorkloadIDAndParts extracts the workload identifier and its constituent parts
+// WorkloadIdAndParts extracts the workload identifier and its constituent parts
 // from a SPIFFE ID string, based on a predefined prefix that is removed from
 // the SPIFFE ID.
 //
@@ -32,7 +32,7 @@ import (
 // which is essentially the first part of the SPIFFE ID after removing the
 // prefix. The second return value is a slice of strings representing all
 // parts of the SPIFFE ID after the prefix removal.
-func WorkloadIDAndParts(spiffeid string) (string, []string) {
+func WorkloadIdAndParts(spiffeid string) (string, []string) {
  re := env.NameRegExpForWorkload()
  if re == "" {
  return "", nil

diff --git a/app/safe/internal/server/route/fetch/fetch.go b/app/safe/internal/server/route/fetch/fetch.go
@@ -88,7 +88,7 @@ func Fetch(
 
  log.DebugLn(&cid, "Fetch: preparing request")
 
- workloadId, parts := extract.WorkloadIDAndParts(spiffeid)
+ workloadId, parts := extract.WorkloadIdAndParts(spiffeid)
  if len(parts) == 0 {
  handle.BadPeerSvidResponse(cid, w, spiffeid, j)
  return

diff --git a/app/safe/internal/state/io/disk.go b/app/safe/internal/state/io/disk.go
@@ -34,6 +34,10 @@ import (
 // channel allows the function to operate asynchronously, notifying the
 // caller of any issues in the process of persisting the secret.
 func PersistToDisk(secret entity.SecretStored, errChan chan<- error) {
+ if env.BackingStoreForSafe() != entity.File {
+ panic("Attempted to save to disk when backing store is not file")
+ }
+
  backupCount := env.SecretBackupCountForSafe()
 
  // Save the secret

diff --git a/app/safe/internal/state/io/postgres.go b/app/safe/internal/state/io/postgres.go
@@ -0,0 +1,90 @@
+package io
+
+import (
+ "database/sql"
+ "encoding/base64"
+ "encoding/json"
+ "errors"
+
+ _ "github.com/lib/pq"
+
+ "github.com/vmware-tanzu/secrets-manager/core/crypto"
+ entity "github.com/vmware-tanzu/secrets-manager/core/entity/v1/data"
+ "github.com/vmware-tanzu/secrets-manager/core/env"
+ log "github.com/vmware-tanzu/secrets-manager/core/log/std"
+ "github.com/vmware-tanzu/secrets-manager/lib/backoff"
+)
+
+var db *sql.DB
+
+// InitDB initializes the database connection
+func InitDB(dataSourceName string) error {
+ var err error
+ db, err = sql.Open("postgres", dataSourceName)
+ if err != nil {
+ return err
+ }
+ return db.Ping()
+}
+
+// PersistToPostgres saves a given secret to the Postgres database
+func PersistToPostgres(secret entity.SecretStored, errChan chan<- error) {
+ cid := secret.Meta.CorrelationId
+
+ log.TraceLn(&cid, "PersistToPostgres: Persisting secret to database")
+
+ // Serialize the secret to JSON
+ jsonData, err := json.Marshal(secret)
+ if err != nil {
+ errChan <- errors.Join(err, errors.New("PersistToPostgres: Failed to marshal secret"))
+ log.ErrorLn(&cid, "PersistToPostgres: Error marshaling secret:", err.Error())
+ return
+ }
+
+ // Encrypt the JSON data
+ var encryptedData string
+ fipsMode := env.FipsCompliantModeForSafe()
+
+ if fipsMode {
+ encryptedBytes, err := crypto.EncryptBytesAes(jsonData)
+ if err != nil {
+ errChan <- errors.Join(err, errors.New("PersistToPostgres: Failed to encrypt secret with AES"))
+ log.ErrorLn(&cid, "PersistToPostgres: Error encrypting secret with AES:", err.Error())
+ return
+ }
+ encryptedData = base64.StdEncoding.EncodeToString(encryptedBytes)
+ } else {
+ encryptedBytes, err := crypto.EncryptBytesAge(jsonData)
+ if err != nil {
+ errChan <- errors.Join(err, errors.New("PersistToPostgres: Failed to encrypt secret with Age"))
+ log.ErrorLn(&cid, "PersistToPostgres: Error encrypting secret with Age:", err.Error())
+ return
+ }
+ encryptedData = base64.StdEncoding.EncodeToString(encryptedBytes)
+ }
+
+ err = backoff.RetryExponential("PersistToPostgres", func() error {
+ if db == nil {
+ if secret.Name == "vsecm-safe" {
+ // TODO: implement me.
+ log.InfoLn(&cid, "PersistToPostgres: vsecm-safe secret will be persisted after db connection is initialized")
+ return nil
+ }
+ return errors.New("PersistToPostgres: Database connection is nil")
+ }
+
+ // TODO: get table name from env var.
+ _, err := db.Exec(
+ `INSERT INTO "vsecm-secrets" (name, data) VALUES ($1, $2) ON CONFLICT (name) DO UPDATE SET data = $2`,
+ secret.Name, encryptedData)
+ return err
+ })
+
+ if err != nil {
+ errChan <- errors.Join(err, errors.New("PersistToPostgres: Failed to persist secret to database"))
+ log.ErrorLn(&cid, "PersistToPostgres: Error persisting secret to database:", err.Error())
+ return
+ }
+
+ log.TraceLn(&cid, "PersistToPostgres: Secret persisted to database successfully")
+}
diff --git a/app/safe/internal/state/io/read.go b/app/safe/internal/state/io/read.go
@@ -13,6 +13,7 @@ package io
 import (
  "encoding/json"
  "errors"
+ "github.com/vmware-tanzu/secrets-manager/core/env"
 
  "github.com/vmware-tanzu/secrets-manager/core/crypto"
  entity "github.com/vmware-tanzu/secrets-manager/core/entity/v1/data"
@@ -36,6 +37,10 @@ import (
 // returned. The error provides context about the nature of the failure,
 // such as issues with decryption or data deserialization.
 func ReadFromDisk(key string) (*entity.SecretStored, error) {
+ if env.BackingStoreForSafe() != entity.File {
+ panic("Attempted to read from disk when backing store is not file")
+ }
+
  contents, err := crypto.DecryptDataFromDisk(key)
  if err != nil {
  return nil, errors.Join(

diff --git a/app/safe/internal/state/secret/collection/populate.go b/app/safe/internal/state/secret/collection/populate.go
@@ -72,6 +72,9 @@ func PopulateSecrets(cid string) error {
  if err != nil {
  log.ErrorLn(&cid, "populateSecrets:error", err.Error())
  }
+ case data.Postgres:
+ // TODO: implement me.
+ log.WarnLn(&cid, "populateSecrets: postgres initial secrets population is not implemented yet.")
  case data.Kubernetes:
  panic("implement kubernetes store")
  case data.AwsSecretStore:

diff --git a/app/safe/internal/state/secret/collection/read.go b/app/safe/internal/state/secret/collection/read.go
@@ -15,6 +15,7 @@ import (
  "github.com/vmware-tanzu/secrets-manager/app/safe/internal/state/stats"
  "github.com/vmware-tanzu/secrets-manager/core/crypto"
  entity "github.com/vmware-tanzu/secrets-manager/core/entity/v1/data"
+ "github.com/vmware-tanzu/secrets-manager/core/env"
  log "github.com/vmware-tanzu/secrets-manager/core/log/std"
  data "github.com/vmware-tanzu/secrets-manager/lib/entity"
 )
@@ -199,6 +200,16 @@ func ReadSecret(cid string, key string) (*entity.SecretStored, error) {
  return &s, nil
  }
 
+ store := env.BackingStoreForSafe()
+
+ switch store {
+ case entity.File:
+ log.TraceLn(&cid, "will read from file store.")
+ case entity.Postgres:
+ log.WarnLn(&cid, "TODO: fetch from postgres store")
+ return nil, nil
+ }
+
  stored, err := io.ReadFromDisk(key)
 
  if err != nil {

diff --git a/app/safe/internal/state/secret/queue/deletion/disk.go b/app/safe/internal/state/secret/queue/deletion/disk.go
@@ -69,7 +69,7 @@ func ProcessSecretBackingStoreQueue() {
  log.TraceLn(&cid, "ProcessSecretQueue: using in-memory store.")
  return
  case entity.File:
- log.TraceLn(&cid, "ProcessSecretQueue: Will persist to disk.")
+ log.TraceLn(&cid, "ProcessSecretQueue: Will delete secret from disk.")
  case entity.Kubernetes:
  panic("implement kubernetes store")
  case entity.AwsSecretStore:
@@ -78,6 +78,9 @@ func ProcessSecretBackingStoreQueue() {
  panic("implement azure secret store")
  case entity.GcpSecretStore:
  panic("implement gcp secret store")
+ case entity.Postgres:
+ log.WarnLn(&cid, "Delete operation has not been implemented for postgres backing store yet.")
+ return
  }
 
  if secret.Name == "" {

diff --git a/app/safe/internal/state/secret/queue/insertion/disk.go b/app/safe/internal/state/secret/queue/insertion/disk.go
@@ -73,8 +73,12 @@ func ProcessSecretBackingStoreQueue() {
  panic("implement azure secret store")
  case entity.GcpSecretStore:
  panic("implement gcp secret store")
+ case entity.Postgres:
+ log.TraceLn(&cid, "ProcessSecretQueue: Will persist to Postgres.")
  }
 
+ // TODO: will definitely need cleanup.
+
  // Get a secret to be persisted to the disk.
  secret := <-SecretUpsertQueue
 
@@ -93,7 +97,14 @@ func ProcessSecretBackingStoreQueue() {
  //
  // Do not call this function elsewhere.
  // It is meant to be called inside this `processSecretQueue` goroutine.
- io.PersistToDisk(secret, errChan)
+ if store == entity.Postgres {
+
+ // TODO: for debugging; delete values before merging.
+ log.TraceLn(&cid, "Persisting to Postgres.", secret.Name)
+ io.PersistToPostgres(secret, errChan)
+ } else {
+ io.PersistToDisk(secret, errChan)
+ }
 
  log.TraceLn(&cid,
  "processSecretQueue: should have persisted the secret.")

diff --git a/core/constants/env/env.go b/core/constants/env/env.go
@@ -37,6 +37,7 @@ const VSecMRootKeyInputModeManual VarName = "VSECM_ROOT_KEY_INPUT_MODE_MANUAL"
 const VSecMRootKeyName VarName = "VSECM_ROOT_KEY_NAME"
 const VSecMRootKeyPath VarName = "VSECM_ROOT_KEY_PATH"
 const VSecMSafeBackingStore VarName = "VSECM_SAFE_BACKING_STORE"
+const VSecMSafePostgresDataSourceName VarName = "VSECM_SAFE_POSTGRES_DATASOURCE_NAME"
 const VSecMSafeBootstrapTimeout VarName = "VSECM_SAFE_BOOTSTRAP_TIMEOUT"
 const VSecMSafeDataPath VarName = "VSECM_SAFE_DATA_PATH"
 const VSecMSafeEndpointUrl VarName = "VSECM_SAFE_ENDPOINT_URL"
@@ -125,6 +126,7 @@ const VSecMSpiffeIdPrefixSafeDefault VarValue = "^spiffe://vsecm.com/workload/vs
 const VSecMSpiffeIdPrefixSentinelDefault VarValue = "^spiffe://vsecm.com/workload/vsecm-sentinel/ns/vsecm-system/sa/vsecm-sentinel/n/[^/]+$"
 const VSecMSpiffeIdPrefixWorkloadDefault VarValue = "^spiffe://vsecm.com/workload/[^/]+/ns/[^/]+/sa/[^/]+/n/[^/]+$"
 const VSecMNameRegExpForWorkloadDefault VarValue = "^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$"
+const VSecMSafePostgresDataSourceNameDefault VarValue = "user=postgres dbname=postgres sslmode=disable"
 
 const VSecMRelayServerUrlDefault VarValue = "https://vsecm-relay.vsecm-system.svc.cluster.local:443/"