feat: dynamic vault OIDC callback port and in-process token capture #910
+325
−149
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,17 +1,27 @@ | ||
| package utils | ||
|
|
||
| import ( | ||
| "bytes" | ||
| "context" | ||
| "encoding/json" | ||
| "fmt" | ||
| "os" | ||
| "os/exec" | ||
| "strings" | ||
| "time" | ||
|
|
||
| ocmutils "github.com/openshift/ocm-container/pkg/utils" | ||
|
|
||
| log "github.com/sirupsen/logrus" | ||
| "github.com/spf13/viper" | ||
| ) | ||
|
|
||
| const ( | ||
| vaultCallbackPortFile = "/tmp/vault_callback_port" | ||
| defaultVaultOIDCPort = "8250" | ||
| vaultLoginTimeout = 5 * time.Minute | ||
| ) | ||
|
|
||
| const ( | ||
| VaultAddrKey string = "vault_address" | ||
| ) | ||
|
|
@@ -41,17 +51,39 @@ func GetVaultRef(vaultPathKey string) (VaultRef, error) { | |
| return VaultRef{Addr: vaultAddr, Path: vaultPath}, nil | ||
| } | ||
|
|
||
| // readFileFunc is the function used to read files. Replaced in tests | ||
| // to avoid filesystem access. | ||
| var readFileFunc = os.ReadFile | ||
|
|
||
| // readCallbackPort reads the dynamically-assigned host port from the | ||
| // portmap file written by ocm-container's ports feature. | ||
| func readCallbackPort() string { | ||
| data, err := readFileFunc(vaultCallbackPortFile) | ||
| if err != nil { | ||
| log.Debugf("could not read vault callback port file: %v", err) | ||
| return "" | ||
| } | ||
| port := strings.TrimSpace(string(data)) | ||
| if port == "" { | ||
| log.Debugf("vault callback port file is empty") | ||
| return "" | ||
| } | ||
| log.Debugf("read vault callback port: %s", port) | ||
| return port | ||
| } | ||
|
|
||
| // setupVaultToken ensures a valid Vault token exists by checking the current | ||
| // token and requesting a new one via OIDC if needed. In container environments, | ||
| // it uses the dynamically-assigned callback port from ocm-container's ports | ||
| // feature and falls back to in-process token capture if the token file is | ||
| // not writable. | ||
| func setupVaultToken(vaultAddr string) error { | ||
| err := os.Setenv("VAULT_ADDR", vaultAddr) | ||
| if err != nil { | ||
| return fmt.Errorf("error setting environment variable: %v", err) | ||
| } | ||
|
|
||
| versionCheckCmd := exec.Command("vault", "version") | ||
| versionCheckCmd.Stdout = os.Stderr | ||
| versionCheckCmd.Stderr = os.Stderr | ||
|
|
||
|
|
@@ -62,51 +94,139 @@ func setupVaultToken(vaultAddr string) error { | |
| tokenCheckCmd := exec.Command("vault", "token", "lookup") | ||
| tokenCheckCmd.Stdout = nil | ||
| tokenCheckCmd.Stderr = nil | ||
| if err = tokenCheckCmd.Run(); err != nil { | ||
| log.Infoln("Vault token no longer valid, requesting new token") | ||
|
|
||
| if ocmutils.IsRunningInOcmContainer() { | ||
| return setupVaultTokenContainer() | ||
| } | ||
|
|
||
| return setupVaultTokenLocal() | ||
| } | ||
|
|
||
| return nil | ||
| } | ||
|
|
||
| // setupVaultTokenLocal handles vault OIDC login outside of a container. | ||
| func setupVaultTokenLocal() error { | ||
| ctx, cancel := context.WithTimeout(context.Background(), vaultLoginTimeout) | ||
| defer cancel() | ||
|
|
||
| loginCmd := exec.CommandContext(ctx, "vault", "login", "-method=oidc", "-no-print") | ||
| loginCmd.Stdout = nil | ||
| loginCmd.Stderr = nil | ||
|
|
||
| if err := loginCmd.Run(); err != nil { | ||
| if ctx.Err() == context.DeadlineExceeded { | ||
| return fmt.Errorf("vault login timed out after %s", vaultLoginTimeout) | ||
| } | ||
| return fmt.Errorf("error running 'vault login': %v", err) | ||
| } | ||
|
|
||
| log.Infoln("Acquired vault token") | ||
| return nil | ||
| } | ||
|
|
||
| // buildOIDCArgs builds the vault login args for container mode, | ||
| // including the dynamic callback port if available. | ||
| func buildOIDCArgs(noStore bool, callbackPort string) []string { | ||
| args := []string{"login", "-method=oidc"} | ||
| if noStore { | ||
| args = append(args, "-no-store", "-field=token") | ||
| } | ||
| args = append(args, "skip_browser=true", "listenaddress=0.0.0.0") | ||
|
|
||
| if callbackPort != "" { | ||
| args = append(args, | ||
| fmt.Sprintf("port=%s", defaultVaultOIDCPort), | ||
| fmt.Sprintf("callbackport=%s", callbackPort), | ||
| ) | ||
| log.Infof("Using dynamic vault OIDC callback port: %s", callbackPort) | ||
| } else { | ||
| log.Infoln("No dynamic callback port found, using default port 8250.") | ||
| log.Infoln("If running multiple containers, ensure ocm-container has the ports feature enabled.") | ||
| } | ||
|
|
||
| return args | ||
| } | ||
|
|
||
| // isTokenFileError checks whether a vault login error is related to | ||
| // writing the token file (e.g., bind mount rename failures). | ||
| func isTokenFileError(err error) bool { | ||
| msg := err.Error() | ||
| return strings.Contains(msg, "rename") || | ||
| strings.Contains(msg, "device or resource busy") || | ||
| strings.Contains(msg, "read-only file system") || | ||
| strings.Contains(msg, "permission denied") | ||
| } | ||
|
|
||
| // setupVaultTokenContainer handles vault OIDC login inside an ocm-container. | ||
| // It first tries a normal vault login that writes ~/.vault-token. If that | ||
| // fails due to a token file write error (e.g., read-only bind mount), it | ||
| // falls back to capturing the token in-process via VAULT_TOKEN. | ||
| func setupVaultTokenContainer() error { | ||
| callbackPort := readCallbackPort() | ||
|
|
||
| ctx, cancel := context.WithTimeout(context.Background(), vaultLoginTimeout) | ||
| defer cancel() | ||
|
|
||
| log.Infoln("Complete the login via the URL printed below.") | ||
|
|
||
| // First attempt: normal login that writes ~/.vault-token | ||
| loginArgs := buildOIDCArgs(false, callbackPort) | ||
| loginCmd := exec.CommandContext(ctx, "vault", loginArgs...) | ||
| loginCmd.Stdout = os.Stderr | ||
| loginCmd.Stderr = os.Stderr | ||
|
|
||
| if err := loginCmd.Run(); err == nil { | ||
| log.Infoln("Acquired vault token") | ||
| return nil | ||
| } else if ctx.Err() == context.DeadlineExceeded { | ||
| return fmt.Errorf("vault login timed out after %s", vaultLoginTimeout) | ||
| } else if !isTokenFileError(err) { | ||
| return fmt.Errorf("vault login failed: %v\n\n"+ | ||
| "If authentication timed out or the callback failed:\n"+ | ||
|
Member
There was a problem hiding this comment. Can you make this less ocm-container focused? Seems like it would be a general UX issue?
Member
Author
There was a problem hiding this comment. @dustman9000 Same as the other one: this is an ocm-container only problem & this code isn't reachable by normal |
||
| " 1. Ensure ocm-container has the vault port enabled in the ports feature\n"+ | ||
| " 2. Restart your ocm-container for the change to take effect\n"+ | ||
| " 3. Try the authentication again", err) | ||
| } | ||
|
|
||
| // Token file write failed (bind mount rename issue). Fall back to | ||
| // capturing the token in-process. | ||
| log.Infof("Token file write failed (%v), capturing token in-process instead.", ctx.Err()) | ||
| log.Infoln("Complete the login via the URL printed below.") | ||
|
|
||
| ctx2, cancel2 := context.WithTimeout(context.Background(), vaultLoginTimeout) | ||
| defer cancel2() | ||
|
|
||
| loginArgs = buildOIDCArgs(true, callbackPort) | ||
| loginCmd = exec.CommandContext(ctx2, "vault", loginArgs...) | ||
|
|
||
| var tokenBuf bytes.Buffer | ||
| loginCmd.Stdout = &tokenBuf | ||
| loginCmd.Stderr = os.Stderr | ||
|
|
||
| if err := loginCmd.Run(); err != nil { | ||
| if ctx2.Err() == context.DeadlineExceeded { | ||
| return fmt.Errorf("vault login timed out after %s", vaultLoginTimeout) | ||
| } | ||
| return fmt.Errorf("vault login failed: %v\n\n"+ | ||
| "If authentication timed out or the callback failed:\n"+ | ||
| " 1. Ensure ocm-container has the vault port enabled in the ports feature\n"+ | ||
|
Member
There was a problem hiding this comment. Same UX issue here, please make more generic.
Member
Author
There was a problem hiding this comment. @dustman9000 this is an ocm-container only problem, and this function is not reachable unless you are in ocm-container. Normal |
||
| " 2. Restart your ocm-container for the change to take effect\n"+ | ||
| " 3. Try the authentication again", err) | ||
|
coderabbitai[bot] marked this conversation as resolved.
|
||
| } | ||
|
|
||
| token := strings.TrimSpace(tokenBuf.String()) | ||
| if token == "" { | ||
| return fmt.Errorf("vault login succeeded but returned empty token") | ||
| } | ||
|
|
||
| if err := os.Setenv("VAULT_TOKEN", token); err != nil { | ||
| return fmt.Errorf("error setting VAULT_TOKEN: %v", err) | ||
| } | ||
|
|
||
| log.Infoln("Acquired vault token (in-process)") | ||
| return nil | ||
| } | ||
|
|
||
|
|
||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.