settings_reader-vault_resolver 0.2.1 → 0.2.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f126e949c2a936423dbca26aacba8a20a5ddc89b245c9ff0fbd514d0d41e9f05
-  data.tar.gz: c3a592e95462d32c511f945033ff4da1ff7956f9b9854c08fa91b65682d8fc20
+  metadata.gz: ce73ad9e3b10d933922778fa85c1f2fecc4f33dd0041a83c4b6b034229c7574f
+  data.tar.gz: eef4339b9136147de04ba2e85648fbf2328c3771fed427e600edf544683c1c98
 SHA512:
-  metadata.gz: 6117c34284578be43c1bb21d370d1c56298ffea393c2ce485d25e4b1fbb6f8a2ec8f1b9d9d86b472cff6ad6b6506949895babd8086c71e26193a7fbcca5f6b1e
-  data.tar.gz: b17550f51be60b61eb7efdb0034d262408ec5a231f6152cc3e356813a632b88b15f679e84a7bf3deb039dd0252742082b1917bc9f1a21206730a803048fb4027
+  metadata.gz: ddab1303046474d0da7916d9e64803d9c599f1ee80e2d50e2c96e4cc73ff17f5d4e0b45dd0db37447d3553596135883ca088868800c588f9ceffb7113457bfe4
+  data.tar.gz: 6f31f31fccc0281890df52503a9b8c353229fe7cc6f4233eb251e69ed245ea63acdc8bd4cd9e9e5cd1e0f6ef00c448ba30e0afb732105d2322a0ae338180438d

data/lib/settings_reader/vault_resolver/entry.rb

@@ -42,6 +42,10 @@ module SettingsReader
         secret.data[attribute.to_sym]
       end
 
+      def to_s
+        address.to_s
+      end
+
       private
 
       def lease_duration

data/lib/settings_reader/vault_resolver/instance.rb

@@ -4,6 +4,8 @@ module SettingsReader
   module VaultResolver
     # Resolver class for Settings Reader
     class Instance
+      include Logging
+
       IDENTIFIER = 'vault://'.freeze
       DATABASE_MOUNT = 'database'.freeze
 
@@ -15,6 +17,7 @@ module SettingsReader
 
       # Expect value in format `vault://mount/path/to/secret?attribute_name`
       def resolve(value, _path)
+        debug { "Resolving Vault secret at #{value}" }
         address = SettingsReader::VaultResolver::Address.new(value)
         entry = fetch_entry(address)
         entry&.value_for(address.attribute)
@@ -22,14 +25,18 @@ module SettingsReader
 
       # Resolve KV secret
       def kv_secret(address)
+        debug { "Fetching new kv secret at: #{address}" }
         Vault.kv(address.mount).read(address.path)
       rescue Vault::HTTPClientError => e
+        error { "Error retrieving secret at: #{address}: #{e.message}" }
         raise SettingsReader::VaultResolver::Error, e.message
       end
 
       def database_secret(address)
+        debug { "Fetching new database secret at: #{address}" }
         Vault.logical.read(address.full_path)
       rescue Vault::HTTPClientError => e
+        error { "Error retrieving database secret: #{address}: #{e.message}" }
         return nil if e.message.include?('* unknown role')
 
         raise SettingsReader::VaultResolver::Error, e.message
@@ -39,8 +46,12 @@ module SettingsReader
 
       def fetch_entry(address)
         cache.fetch(address) do
+          info { "Retrieving new secret at: #{address}" }
           if (secret = address.mount == DATABASE_MOUNT ? database_secret(address) : kv_secret(address))
+            debug { "Retrieved secret at: #{address}" }
             SettingsReader::VaultResolver::Entry.new(address, secret)
+          else
+            debug { "Secret not retrieved: #{address}" }
           end
         end
       end

data/lib/settings_reader/vault_resolver/logging.rb

@@ -0,0 +1,40 @@
+module SettingsReader
+  module VaultResolver
+    # Methods for centralized logging
+    module Logging
+      def debug(&block)
+        logger.debug do
+          "[VaultResolver] #{block.call}"
+        end
+        nil
+      end
+
+      def info(&block)
+        logger.info do
+          "[VaultResolver] #{block.call}"
+        end
+        nil
+      end
+
+      def warn(&block)
+        logger.warn do
+          "[VaultResolver] #{block.call}"
+        end
+        nil
+      end
+
+      def error(&block)
+        logger.error do
+          "[VaultResolver] #{block.call}"
+        end
+        nil
+      end
+
+      private
+
+      def logger
+        SettingsReader::VaultResolver.logger
+      end
+    end
+  end
+end

data/lib/settings_reader/vault_resolver/refresher.rb

@@ -2,6 +2,8 @@ module SettingsReader
   module VaultResolver
     # Vault Lease refresher task
     class Refresher
+      include Logging
+
       DEFAULT_RENEW_DELAY = 200
       REFRESH_INTERVAL = 60
 
@@ -10,15 +12,24 @@ module SettingsReader
       end
 
       def refresh
+        info { 'Starting Vault lease refreshing' }
         @cache.entries.each do |entry|
-          next unless entry.leased?
-          next unless entry.expires_in < DEFAULT_RENEW_DELAY
-
-          entry.renew
-        rescue SettingsReader::VaultResolver::Error => _e
-          # TODO: Log error in future. Think if we can request new secret again.
-          # Continue renewal.
+          refresh_entry(entry)
         end
+        info { 'Finished Vault lease refreshing' }
+      end
+
+      def refresh_entry(entry)
+        debug { "Checking lease for #{entry}. Leased?: #{entry.leased?}. Expires in: #{entry.expires_in}s" }
+        return unless entry.leased?
+        return unless entry.expires_in < DEFAULT_RENEW_DELAY
+
+        info { "Refreshing lease for #{entry}. Expires in: #{entry.expires_in}" }
+        entry.renew
+        info { "Lease renewed for #{entry}. Expires in: #{entry.expires_in}" }
+      rescue SettingsReader::VaultResolver::Error => e
+        error { "Error refreshing lease for #{entry}: #{e.message}" }
+        # Continue renewal.
       end
 
       def self.refresh_task(cache)

data/lib/settings_reader/vault_resolver/version.rb

@@ -1,5 +1,5 @@
 module SettingsReader
   module VaultResolver
-    VERSION = '0.2.1'.freeze
+    VERSION = '0.2.4'.freeze
   end
 end

data/lib/settings_reader/vault_resolver.rb

@@ -1,6 +1,9 @@
+require 'logger'
 require 'concurrent/timer_task'
+
 require 'settings_reader'
 require 'settings_reader/vault_resolver/version'
+require 'settings_reader/vault_resolver/logging'
 require 'settings_reader/vault_resolver/address'
 require 'settings_reader/vault_resolver/entry'
 require 'settings_reader/vault_resolver/cache'
@@ -16,11 +19,24 @@ module SettingsReader
       attr_accessor :cache, :refresher_timer_task
     end
 
+    def self.logger
+      return @logger if @logger
+      return @logger = Rails.logger if (defined? Rails) && Rails.logger
+
+      @logger = Logger.new($stdout, level: Logger::INFO)
+    end
+
+    def self.logger=(logger)
+      @logger = logger
+    end
+
     def self.setup_cache
+      logger.debug { '[VaultResolver] Setting up secrets cache' }
       self.cache ||= SettingsReader::VaultResolver::Cache.new
     end
 
     def self.setup_lease_refresher
+      logger.debug { '[VaultResolver] Setting up lease resolver task' }
       self.refresher_timer_task ||= SettingsReader::VaultResolver::Refresher.refresh_task(self.cache)
       self.refresher_timer_task.execute
     end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: settings_reader-vault_resolver
 version: !ruby/object:Gem::Version
-  version: 0.2.1
+  version: 0.2.4
 platform: ruby
 authors:
 - Volodymyr Mykhailyk
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2022-03-03 00:00:00.000000000 Z
+date: 2022-03-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: concurrent-ruby
@@ -84,6 +84,7 @@ files:
 - lib/settings_reader/vault_resolver/entry.rb
 - lib/settings_reader/vault_resolver/helpers/k8s_auth.rb
 - lib/settings_reader/vault_resolver/instance.rb
+- lib/settings_reader/vault_resolver/logging.rb
 - lib/settings_reader/vault_resolver/patches/authenticate.rb
 - lib/settings_reader/vault_resolver/refresher.rb
 - lib/settings_reader/vault_resolver/version.rb