Dont crash sidecar on failure and Prometheus metrics (#19)

* Changing behavior of sidecar mode. - Sidecar mode failures no longer terminate vct. - VCT running in sidecar mode now runs prometheus metrics endpoint. - Various cleanup and refactoring. * Improve changelog file * Fix debug logging for logging timeout duration in seconds. * Initial sidecar sync failure should emit sync error metrics. * - group imports - prometheus port defaults to 9191 now * - cleanup
hootsuite · Nov 23, 2021 · 84ceebb · 84ceebb
1 parent c4cbf81
commit 84ceebb
Show file tree

Hide file tree

Showing 16 changed files with 338 additions and 102 deletions.
diff --git a/CHANGELOG b/CHANGELOG
@@ -1,3 +1,11 @@
+v1.3.0: 22-Nov-2021
+ * Errors during sync loop while running sidecar mode will no longer terminate vault-ctrl-tool.
+ * Sidecar mode now can run a Prometheus metrics endpoint which emits metrics about sidecar syncs.
+   Prometheus can be toggled with "--enable-prometheus-metrics" and have its port overridden by "--prometheus-port".
+ * Added better documentation and some refactoring and cleanup of internal libraries. 
+ * Vault client HTTP timeout and maxRetries are now configurable using "--vault-client-timeout" and "--vault-client-retries" flags.
+   Note: These now default to 30s and 2, respectively. Compared to previous version of vault-ctrl-tool which where 60s, 2.
+
 v1.2.0: 26-May-2021
  * Added --force-refresh-ttl which temporary credentials will optionally be renewed before their actual expiry.
  * Added --sts-ttl flag which lets you specify token ttl for aws tokens

diff --git a/Makefile b/Makefile
@@ -1,7 +1,7 @@
 CURRENTOS := $(shell go env GOOS)
 CURRENTARCH := $(shell go env GOARCH)
 COMMIT := $(shell git rev-parse --short HEAD)
-VERSION := v1.2.0
+VERSION := v1.3.0
 LDFLAGS="-X main.buildVersion=$(VERSION) -X main.commitVersion=$(COMMIT)"
 
 .DEFAULT_GOAL := build
@@ -19,6 +19,7 @@ test: mocks ## Run unit tests
 
 darwin-binary: mocks ## Build a macOS binary
 	GOOS=darwin GOARCH=amd64 go build -trimpath -ldflags $(LDFLAGS) -o bin/vault-ctrl-tool.darwin.amd64 .
+	GOOS=darwin GOARCH=arm64 go build -trimpath -ldflags $(LDFLAGS) -o bin/vault-ctrl-tool.darwin.arm64 .
 
 linux-binary: mocks ## Build a Linux (amd64) binary
 	GOOS=linux GOARCH=amd64 go build -trimpath -ldflags $(LDFLAGS) -o bin/vault-ctrl-tool.linux.amd64 .

diff --git a/briefcase/briefcase.go b/briefcase/briefcase.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"encoding/json"
 	"errors"
+	"fmt"
 	"io/ioutil"
 	"time"
 
@@ -111,13 +112,13 @@ func LoadBriefcase(filename string, mtrics *metrics.Metrics) (*Briefcase, error)
 	zlog.Info().Str("filename", filename).Msg("reading briefcase")
 	bytes, err := ioutil.ReadFile(filename)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("could not read briefcase data: %w", err)
 	}
 
 	bc := NewBriefcase(mtrics)
 	err = json.Unmarshal(bytes, bc)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("could not parse briefcase data: %w", err)
 	}
 
 	return bc, nil

diff --git a/e2e/e2e_test.go b/e2e/e2e_test.go
@@ -3,17 +3,18 @@ package e2e
 import (
 	"context"
 	"encoding/json"
+	"io/ioutil"
+	"os"
+	"path"
+	"testing"
+	"time"
+
 	"github.com/golang/mock/gomock"
 	"github.com/hashicorp/vault/api"
 	mtrics "github.com/hootsuite/vault-ctrl-tool/v2/metrics"
 	"github.com/hootsuite/vault-ctrl-tool/v2/util/clock"
 	"github.com/stretchr/testify/assert"
-	"io/ioutil"
 	testing2 "k8s.io/utils/clock/testing"
-	"os"
-	"path"
-	"testing"
-	"time"
 )
 
 // TestSyncWithPinnedVersion ensures that when requesting a specific version of a secret in a config file cascades
@@ -53,8 +54,10 @@ secrets:
 
 	fakeClock := testing2.NewFakeClock(time.Now())
 	ctx := clock.Set(context.Background(), fakeClock)
-	err := fixture.syncer.PerformSync(ctx, fakeClock.Now().AddDate(1, 0, 0), *fixture.cliFlags)
 
+	vtoken, err := fixture.syncer.GetVaultToken(ctx, *fixture.cliFlags)
+	assert.NoError(t, err)
+	err = fixture.syncer.PerformSync(ctx, vtoken, fakeClock.Now().AddDate(1, 0, 0), *fixture.cliFlags)
 	assert.NoError(t, err)
 	assert.FileExists(t, path.Join(fixture.workDir, "example-output"))
 	assert.Equal(t, 1, fixture.metrics.Counter(mtrics.SecretUpdates))
@@ -97,7 +100,10 @@ secrets:
 
 	fakeClock := testing2.NewFakeClock(time.Now())
 	ctx := clock.Set(context.Background(), fakeClock)
-	err := fixture1.syncer.PerformSync(ctx, fakeClock.Now().AddDate(1, 0, 0), *fixture1.cliFlags)
+
+	vtoken, err := fixture1.syncer.GetVaultToken(ctx, *fixture1.cliFlags)
+	assert.NoError(t, err)
+	err = fixture1.syncer.PerformSync(ctx, vtoken, fakeClock.Now().AddDate(1, 0, 0), *fixture1.cliFlags)
 
 	assert.NoError(t, err)
 	assert.FileExists(t, path.Join(fixture1.workDir, "foo"))
@@ -124,7 +130,9 @@ secrets:
 			return response, nil
 		}).Times(1)
 
-	err = fixture2.syncer.PerformSync(ctx, fakeClock.Now().AddDate(1, 0, 0), *fixture1.cliFlags)
+	vtoken, err = fixture2.syncer.GetVaultToken(ctx, *fixture2.cliFlags)
+	assert.NoError(t, err)
+	err = fixture2.syncer.PerformSync(ctx, vtoken, fakeClock.Now().AddDate(1, 0, 0), *fixture1.cliFlags)
 
 	assert.NoError(t, err)
 	assert.FileExists(t, path.Join(fixture2.workDir, "foo"))
@@ -178,7 +186,9 @@ secrets:
 	fakeClock := testing2.NewFakeClock(time.Date(2019, 10, 2, 22, 52, 20, 0, time.UTC))
 
 	ctx := clock.Set(context.Background(), fakeClock)
-	err := fixture1.syncer.PerformSync(ctx, fakeClock.Now().AddDate(1, 0, 0), *fixture1.cliFlags)
+	vtoken, err := fixture1.syncer.GetVaultToken(ctx, *fixture1.cliFlags)
+	assert.NoError(t, err)
+	err = fixture1.syncer.PerformSync(ctx, vtoken, fakeClock.Now().AddDate(1, 0, 0), *fixture1.cliFlags)
 
 	assert.NoError(t, err)
 	assert.FileExists(t, path.Join(fixture1.workDir, "foo"))
@@ -209,7 +219,9 @@ secrets:
 			return response, nil
 		}).Times(1)
 
-	err = fixture2.syncer.PerformSync(ctx, fakeClock.Now().AddDate(1, 0, 0), *fixture1.cliFlags)
+	vtoken, err = fixture2.syncer.GetVaultToken(ctx, *fixture2.cliFlags)
+	assert.NoError(t, err)
+	err = fixture2.syncer.PerformSync(ctx, vtoken, fakeClock.Now().AddDate(1, 0, 0), *fixture1.cliFlags)
 
 	assert.NoError(t, err)
 
@@ -247,7 +259,9 @@ version: 3
 
 	fakeClock := testing2.NewFakeClock(time.Now())
 	ctx := clock.Set(context.Background(), fakeClock)
-	err := fixture.syncer.PerformSync(ctx, fakeClock.Now().AddDate(1, 0, 0), *fixture.cliFlags)
+	vtoken, err := fixture.syncer.GetVaultToken(ctx, *fixture.cliFlags)
+	assert.NoError(t, err)
+	err = fixture.syncer.PerformSync(ctx, vtoken, fakeClock.Now().AddDate(1, 0, 0), *fixture.cliFlags)
 
 	assert.NoError(t, err)
 	assert.Equal(t, 1, fixture.metrics.Counter(mtrics.BriefcaseReset))
@@ -295,7 +309,9 @@ secrets:
 
 	fakeClock := testing2.NewFakeClock(time.Now())
 	ctx := clock.Set(context.Background(), fakeClock)
-	err := fixture.syncer.PerformSync(ctx, fakeClock.Now().AddDate(1, 0, 0), *fixture.cliFlags)
+	vtoken, err := fixture.syncer.GetVaultToken(ctx, *fixture.cliFlags)
+	assert.NoError(t, err)
+	err = fixture.syncer.PerformSync(ctx, vtoken, fakeClock.Now().AddDate(1, 0, 0), *fixture.cliFlags)
 
 	assert.NoError(t, err)
 

diff --git a/go.mod b/go.mod
@@ -3,11 +3,10 @@ module github.com/hootsuite/vault-ctrl-tool/v2
 go 1.15
 
 require (
-	github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751 // indirect
-	github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d // indirect
 	github.com/aws/aws-sdk-go v1.35.25
 	github.com/golang/mock v1.5.0
 	github.com/hashicorp/vault/api v1.0.4
+	github.com/prometheus/client_golang v1.11.0
 	github.com/rs/zerolog v1.20.0
 	github.com/stretchr/testify v1.6.1
 	golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0