settings_reader-vault_resolver 0.2.2 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 16ca7880831b27b05c24651940a1dab796b792f7d98229f2f01e229ffcee5662
-  data.tar.gz: ff8e434b0512ce66772e8f99b16761ea51597614b195abb91889a5543ba88267
+  metadata.gz: c1a6da72b08435eb9eae6bff284c09d0ab717de2e73e3bfea7e4bdc255b1bf2b
+  data.tar.gz: 2003918d4ad830d9dc4ab0127ec0e970eb2994e66e42ce8fb3f3936e1bb2e476
 SHA512:
-  metadata.gz: e1476c785e7369a2a2f3d4ee47a149cfd3c1fc2ebf333a94a1ec158c564584995ced9392fa08e1be9ec16ba166c0f20899414e02622473a4d0058ef5d70abce2
-  data.tar.gz: 8c1a40bd635b8e9de7193114618a0669e3c9d3ffabae250ff5efc416a31636c199584bb7e474373ead29bde9e85e281adbba0e7ba123358e1729d0e599bf17bf
+  metadata.gz: 4d4618260512414b329893c4651f1594398f34a5d54d94b0afe0989aa57f54208d85c16dae2f43fd0df3a0842f40c05e87202477a0c04dba9c6c0341f401f108
+  data.tar.gz: 6880bd9a5166bd7a01c2444fb4ce520a724c6df1ea6b4ec3ab1e844d4216602cd80b3d04b7d3b40dccbc3d9d3c7e808b54a818e2dadf78f9c9c400df4ea379dd

data/CHANGELOG.md

@@ -1,5 +1,29 @@
 ## [Unreleased]
 
+## [0.3.0]
+### Breaking changes
+- Require configuration before use
+
+### New features
+- Gem configurations
+- Require configuration before use
+- Report renew errors via configuration listeners
+
+### Fixes
+- Cleanup logging
+
+## [0.2.4]
+### Fixes
+- Fix refresher task logging
+
+## [0.2.3]
+### Fixes
+- Fix logging setup when gem loaded before rails
+
+## [0.2.2]
+### New features
+- Add logging to gem
+
 ## [0.2.1]
 ### Fixes
 - Use default k8s auth route without namespace 
@@ -21,7 +45,11 @@
 - Secrets caching
 - Automatic secrets lease renewal
 
-[Unreleased]: https://github.com/matic-insurance/settings_reader-vault_resolver/compare/0.2.1...HEAD
+[Unreleased]: https://github.com/matic-insurance/settings_reader-vault_resolver/compare/0.3.0...HEAD
+[0.2.4]: https://github.com/matic-insurance/settings_reader-vault_resolver/commits/0.3.0
+[0.2.4]: https://github.com/matic-insurance/settings_reader-vault_resolver/commits/0.2.4
+[0.2.3]: https://github.com/matic-insurance/settings_reader-vault_resolver/commits/0.2.3
+[0.2.2]: https://github.com/matic-insurance/settings_reader-vault_resolver/commits/0.2.2
 [0.2.1]: https://github.com/matic-insurance/settings_reader-vault_resolver/commits/0.2.1
 [0.2.0]: https://github.com/matic-insurance/settings_reader-vault_resolver/commits/0.2.0
 [0.1.1]: https://github.com/matic-insurance/settings_reader-vault_resolver/commits/0.1.1

data/README.md

@@ -28,7 +28,13 @@ Vault.token = 'MY_SUPER_SECRET_TOKEN'
 
 #Load Settings Reader and configure resolver
 AppSettings = SettingsReader.load do |config|
-  # ... Other configurations
+  # ... SettingReader configurations
+  
+  # Configure vault resolver
+  SettingsReader::VaultResolver.configure do |vault_resolver_config|
+    vault_resolver_config.logger = Rails.logger
+    # ... VaultResolver configurations
+  end
   
   # Add vault resolver as one of resolvers
   config.resolvers << SettingsReader::VaultResolver.resolver

data/codecov.yml

@@ -0,0 +1,12 @@
+codecov:
+  require_ci_to_pass: yes
+
+coverage:
+  precision: 2
+  round: up
+  range: "90...100"
+
+ignore:
+  - "spec"
+  - "bin"
+  - "local"

data/lib/settings_reader/vault_resolver/configuration.rb

@@ -0,0 +1,45 @@
+module SettingsReader
+  module VaultResolver
+    # Configurations for vault resolver
+    class Configuration
+      # Logger for gem
+      # Default: Logger.new(STDOUT, level: Logger::ERROR)
+      attr_accessor :logger
+
+      # How often do we check if secret lease is about to expire
+      # Default: 60seconds
+      attr_accessor :lease_refresh_interval
+
+      # Time before expiration when we try to renew the lease
+      # Default: 300seconds
+      attr_accessor :lease_renew_delay
+
+      # Block to be executed when lease is refreshed
+      # Default: empty proc
+      attr_accessor :lease_renew_success_listener
+
+      # Block to be executed when lease is not refreshed
+      # Default: empty proc
+      attr_accessor :lease_renew_error_listener
+
+      def initialize
+        @logger = Logger.new($stdout, level: Logger::ERROR)
+        @lease_refresh_interval = 60
+        @lease_renew_delay = 300
+        @lease_renew_error_listener = proc {}
+        @lease_renew_success_listener = proc {}
+      end
+
+      def setup_lease_refresher(cache, previous_task = nil)
+        previous_task&.shutdown
+
+        timer_task = Concurrent::TimerTask.new(execution_interval: lease_refresh_interval) do
+          SettingsReader::VaultResolver::Refresher.new(cache, self).refresh
+        end
+        timer_task.add_observer(SettingsReader::VaultResolver::RefresherObserver.new(self))
+        timer_task.execute
+        timer_task
+      end
+    end
+  end
+end

data/lib/settings_reader/vault_resolver/instance.rb

@@ -9,6 +9,12 @@ module SettingsReader
       IDENTIFIER = 'vault://'.freeze
       DATABASE_MOUNT = 'database'.freeze
 
+      attr_reader :config
+
+      def initialize(config)
+        @config = config
+      end
+
       def resolvable?(value, _path)
         return unless value.respond_to?(:start_with?)
 
@@ -28,7 +34,6 @@ module SettingsReader
         debug { "Fetching new kv secret at: #{address}" }
         Vault.kv(address.mount).read(address.path)
       rescue Vault::HTTPClientError => e
-        error { "Error retrieving secret at: #{address}: #{e.message}" }
         raise SettingsReader::VaultResolver::Error, e.message
       end
 
@@ -36,7 +41,6 @@ module SettingsReader
         debug { "Fetching new database secret at: #{address}" }
         Vault.logical.read(address.full_path)
       rescue Vault::HTTPClientError => e
-        error { "Error retrieving database secret: #{address}: #{e.message}" }
         return nil if e.message.include?('* unknown role')
 
         raise SettingsReader::VaultResolver::Error, e.message
@@ -50,10 +54,11 @@ module SettingsReader
           if (secret = address.mount == DATABASE_MOUNT ? database_secret(address) : kv_secret(address))
             debug { "Retrieved secret at: #{address}" }
             SettingsReader::VaultResolver::Entry.new(address, secret)
-          else
-            debug { "Secret not retrieved: #{address}" }
           end
         end
+      rescue StandardError => e
+        error { "Error retrieving secret: #{address}: #{e.message}" }
+        raise e
       end
 
       def cache

data/lib/settings_reader/vault_resolver/logging.rb

@@ -3,37 +3,34 @@ module SettingsReader
     # Methods for centralized logging
     module Logging
       def debug(&block)
-        logger.debug do
-          "[VaultResolver] #{block.call}"
-        end
-        nil
+        log_message(Logger::DEBUG, &block)
       end
 
       def info(&block)
-        logger.info do
-          "[VaultResolver] #{block.call}"
-        end
-        nil
+        log_message(Logger::INFO, &block)
       end
 
       def warn(&block)
-        logger.warn do
-          "[VaultResolver] #{block.call}"
-        end
-        nil
+        log_message(Logger::WARN, &block)
       end
 
       def error(&block)
-        logger.error do
+        log_message(Logger::ERROR, &block)
+      end
+
+      private
+
+      def log_message(severity, &block)
+        logger&.log(severity) do
           "[VaultResolver] #{block.call}"
+        rescue StandardError => _e
+          # Ignoring errors in log message
         end
         nil
       end
 
-      private
-
       def logger
-        @logger ||= SettingsReader::VaultResolver.logger
+        config.logger
       end
     end
   end

data/lib/settings_reader/vault_resolver/refresher.rb

@@ -1,3 +1,5 @@
+require 'concurrent/promise'
+
 module SettingsReader
   module VaultResolver
     # Vault Lease refresher task
@@ -7,30 +9,34 @@ module SettingsReader
       DEFAULT_RENEW_DELAY = 200
       REFRESH_INTERVAL = 60
 
-      def initialize(cache)
+      attr_reader :cache, :config
+
+      def initialize(cache, config)
         @cache = cache
+        @config = config
       end
 
       def refresh
-        @cache.entries.each do |entry|
+        info { 'Performing Vault leases refresh' }
+        promises = cache.entries.map do |entry|
           debug { "Checking lease for #{entry}. Leased?: #{entry.leased?}. Expires in: #{entry.expires_in}s" }
-          next unless entry.leased?
-          next unless entry.expires_in < DEFAULT_RENEW_DELAY
+          refresh_entry(entry)
+        end.compact
+        promises.each(&:wait)
+        promises
+      end
+
+      def refresh_entry(entry)
+        return unless entry.leased? && entry.expires_in < config.lease_renew_delay
 
-          info { "Refreshing lease for #{entry}. Expires in: #{entry.expires_in}" }
+        Concurrent::Promise.execute do
+          debug { "Refreshing lease for #{entry}. Expires in: #{entry.expires_in}" }
           entry.renew
           info { "Lease renewed for #{entry}. Expires in: #{entry.expires_in}" }
-        rescue SettingsReader::VaultResolver::Error => e
+          entry
+        rescue StandardError => e
           error { "Error refreshing lease for #{entry}: #{e.message}" }
-          # Continue renewal.
-        end
-      end
-
-      def self.refresh_task(cache)
-        refresher = self
-        Concurrent::TimerTask.new(execution_interval: refresher::REFRESH_INTERVAL) do
-          info { 'Refreshing Vault leases' }
-          refresher.new(cache).refresh
+          raise SettingsReader::VaultResolver::Error, e.message
         end
       end
     end

data/lib/settings_reader/vault_resolver/refresher_observer.rb

@@ -0,0 +1,30 @@
+module SettingsReader
+  module VaultResolver
+    # Check lease refresh result and report problems if needed
+    class RefresherObserver
+      attr_reader :config
+
+      def initialize(config)
+        @config = config
+      end
+
+      def update(_time, result, error)
+        if result
+          result.map do |promise|
+            promise.on_success(&method(:notify_success)).on_error(&method(:notify_error))
+          end.each(&:wait)
+        else
+          notify_error(error)
+        end
+      end
+
+      def notify_success(result)
+        config.lease_renew_success_listener.call(result)
+      end
+
+      def notify_error(result)
+        config.lease_renew_error_listener.call(result)
+      end
+    end
+  end
+end

data/lib/settings_reader/vault_resolver/version.rb

@@ -1,5 +1,5 @@
 module SettingsReader
   module VaultResolver
-    VERSION = '0.2.2'.freeze
+    VERSION = '0.3.0'.freeze
   end
 end

data/lib/settings_reader/vault_resolver.rb

@@ -4,10 +4,12 @@ require 'concurrent/timer_task'
 require 'settings_reader'
 require 'settings_reader/vault_resolver/version'
 require 'settings_reader/vault_resolver/logging'
+require 'settings_reader/vault_resolver/configuration'
 require 'settings_reader/vault_resolver/address'
 require 'settings_reader/vault_resolver/entry'
 require 'settings_reader/vault_resolver/cache'
 require 'settings_reader/vault_resolver/refresher'
+require 'settings_reader/vault_resolver/refresher_observer'
 require 'settings_reader/vault_resolver/instance'
 
 module SettingsReader
@@ -16,30 +18,23 @@ module SettingsReader
     class Error < StandardError; end
 
     class << self
-      attr_accessor :cache, :refresher_timer_task
+      attr_reader :configuration, :refresher_timer_task
     end
 
-    def self.logger
-      return @logger if @logger
-      return @logger = Rails.logger if defined? Rails
-
-      @logger = Logger.new($stdout, level: Logger::INFO)
-    end
-
-    def self.setup_cache
-      self.cache ||= SettingsReader::VaultResolver::Cache.new
+    def self.configure(&block)
+      @configuration = SettingsReader::VaultResolver::Configuration.new
+      block&.call(@configuration)
+      @refresher_timer_task = @configuration.setup_lease_refresher(cache, refresher_timer_task)
     end
 
-    def self.setup_lease_refresher
-      self.refresher_timer_task ||= SettingsReader::VaultResolver::Refresher.refresh_task(self.cache)
-      self.refresher_timer_task.execute
+    def self.cache
+      @cache ||= SettingsReader::VaultResolver::Cache.new
     end
 
     def self.resolver
-      SettingsReader::VaultResolver::Instance.new
-    end
+      raise Error, 'Gem not configured. Call configure before getting resolver' unless configuration
 
-    setup_cache
-    setup_lease_refresher
+      SettingsReader::VaultResolver::Instance.new(configuration)
+    end
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: settings_reader-vault_resolver
 version: !ruby/object:Gem::Version
-  version: 0.2.2
+  version: 0.3.0
 platform: ruby
 authors:
 - Volodymyr Mykhailyk
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2022-03-28 00:00:00.000000000 Z
+date: 2022-03-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: concurrent-ruby
@@ -77,16 +77,19 @@ files:
 - Rakefile
 - bin/console
 - bin/setup
+- codecov.yml
 - docker-compose.yml
 - lib/settings_reader/vault_resolver.rb
 - lib/settings_reader/vault_resolver/address.rb
 - lib/settings_reader/vault_resolver/cache.rb
+- lib/settings_reader/vault_resolver/configuration.rb
 - lib/settings_reader/vault_resolver/entry.rb
 - lib/settings_reader/vault_resolver/helpers/k8s_auth.rb
 - lib/settings_reader/vault_resolver/instance.rb
 - lib/settings_reader/vault_resolver/logging.rb
 - lib/settings_reader/vault_resolver/patches/authenticate.rb
 - lib/settings_reader/vault_resolver/refresher.rb
+- lib/settings_reader/vault_resolver/refresher_observer.rb
 - lib/settings_reader/vault_resolver/version.rb
 - settings_reader-vault_resolver.gemspec
 homepage: https://github.com/matic-insurance/settings_reader-vault_resolver