Skip to content

Commit

Permalink
Fixes Hashivault configuration with Chains
Browse files Browse the repository at this point in the history
Initially when kms was misconfigured, then the chains
controller pod was getting panic and ended up getting
crashed

Hence, this patch checks it the vault address is valid
and if it is not valid, then returns the error which
handles the pod from getting panic and crashed

Signed-off-by: PuneetPunamiya <[email protected]>
  • Loading branch information
PuneetPunamiya committed Sep 24, 2023
1 parent 52b918e commit cc2bb93
Show file tree
Hide file tree
Showing 2 changed files with 64 additions and 2 deletions.
21 changes: 19 additions & 2 deletions pkg/chains/signing/kms/kms.go
Original file line number Diff line number Diff line change
Expand Up @@ -17,8 +17,9 @@ package kms
import (
"context"
"crypto"

"github.com/tektoncd/chains/pkg/config"
"net"
"net/url"
"time"

"github.com/sigstore/sigstore/pkg/signature"
"github.com/sigstore/sigstore/pkg/signature/kms"
Expand All @@ -27,6 +28,7 @@ import (
_ "github.com/sigstore/sigstore/pkg/signature/kms/gcp"
_ "github.com/sigstore/sigstore/pkg/signature/kms/hashivault"
"github.com/sigstore/sigstore/pkg/signature/options"
"github.com/tektoncd/chains/pkg/config"

"github.com/spiffe/go-spiffe/v2/svid/jwtsvid"
"github.com/spiffe/go-spiffe/v2/workloadapi"
Expand All @@ -41,6 +43,21 @@ type Signer struct {
// NewSigner returns a configured Signer
func NewSigner(ctx context.Context, cfg config.KMSSigner) (*Signer, error) {
kmsOpts := []signature.RPCOption{}

// Checks if the vault address provide by the user is a valid address or not
if cfg.Auth.Address != "" {
vaultAddress, err := url.Parse(cfg.Auth.Address)
if err != nil {
return nil, err
}

conn, err := net.DialTimeout("tcp", vaultAddress.Host, 5*time.Second)
if err != nil {
return nil, err
}
defer conn.Close()
}

// pass through configuration options to RPCAuth used by KMS in sigstore
rpcAuth := options.RPCAuth{
Address: cfg.Auth.Address,
Expand Down
45 changes: 45 additions & 0 deletions pkg/chains/signing/kms/kms_test.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,45 @@
/*
Copyright 2023 The Tekton Authors
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

// Package kms creates a signer using a key management server

package kms

import (
"context"
"testing"

"github.com/tektoncd/chains/pkg/config"
)

func TestInValidVaultAddressTimeout(t *testing.T) {
cfg := config.KMSSigner{}
cfg.Auth.Address = "http://8.8.8.8:8200"

_, err := NewSigner(context.TODO(), cfg)
expectedErrorMessage := "dial tcp 8.8.8.8:8200: i/o timeout"
if err.Error() != expectedErrorMessage {
t.Errorf("Expected error message '%s', but got '%s'", expectedErrorMessage, err.Error())
}
}

func TestInValidVaultAddressConnectionRefused(t *testing.T) {
cfg := config.KMSSigner{}
cfg.Auth.Address = "http://127.0.0.1:8200"

_, err := NewSigner(context.TODO(), cfg)
expectedErrorMessage := "dial tcp 127.0.0.1:8200: connect: connection refused"
if err.Error() != expectedErrorMessage {
t.Errorf("Expected error message '%s', but got '%s'", expectedErrorMessage, err.Error())
}
}

0 comments on commit cc2bb93

Please sign in to comment.