

Fix to use postgres as the controller credential store
kian99 committed Jul 28, 2023
1 parent a01ba7e commit 29034d5
Showing 2 changed files with 30 additions and 13 deletions.
5 changes: 5 additions & 0 deletions internal/jujuclient/dial.go
Expand Up @@ -120,6 +120,11 @@ func (d *Dialer) Dial(ctx context.Context, ctl *dbmodel.Controller, modelTag nam
}
}

if username == "" || password == "" {
zapctx.Error(ctx, "empty username or password")
return nil, errors.E(op, errors.CodeNotFound, "missing controller username or password")
}

args := jujuparams.LoginRequest{
AuthTag: names.NewUserTag(username).String(),
Credentials: password,
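Review bot: The added guard rejects a missing username or password, but the log line `zapctx.Error(ctx, "empty username or password")` carries no controller identity, so in a deployment with several controllers an operator cannot tell whose credentials are absent from the store. Attaching a non-secret identifier taken from `ctl` as a structured field (a name or tag field, to be confirmed against dbmodel.Controller) would make the failure actionable while keeping the credential values themselves out of the log, which the hunk rightly does. Dial's body, including where username and password are populated, begins before this hunk.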
38 changes: 25 additions & 13 deletions service.go
Expand Up @@ -292,23 +292,13 @@ func NewService(ctx context.Context, p Params) (*Service, error) {
if err != nil {
return nil, errors.E(op, err)
}
vs, err := newVaultStore(ctx, p)
if err != nil {
zapctx.Error(ctx, "Vault Store error", zap.Error(err))

if err := s.setupSecretStore(ctx, p); err != nil {
return nil, errors.E(op, err)
}
if vs != nil {
s.jimm.CredentialStore = vs
} else {
// Only enable Postgres storage for secrets if explictly enabled.
if _, ok := os.LookupEnv("INSECURE_SECRET_STORAGE"); ok {
zapctx.Warn(ctx, "using plaintext postgres for secret storage")
s.jimm.CredentialStore = &s.jimm.Database
}
}

s.jimm.Dialer = &jujuclient.Dialer{
ControllerCredentialsStore: vs,
ControllerCredentialsStore: s.jimm.CredentialStore,
}
if !p.DisableConnectionCache {
s.jimm.Dialer = jimm.CacheDialer(s.jimm.Dialer)
Expand Down Expand Up @@ -472,6 +462,28 @@ func newAuthenticator(ctx context.Context, db *db.Database, client *ofgaClient.O
}, nil
}

func (s *Service) setupSecretStore(ctx context.Context, p Params) error {
const op = errors.Op("newSecretStore")
vs, err := newVaultStore(ctx, p)
if err != nil {
zapctx.Error(ctx, "Vault Store error", zap.Error(err))
return errors.E(op, err)
}
if vs != nil {
s.jimm.CredentialStore = vs
} else {
// Only enable Postgres storage for secrets if explictly enabled.
if _, ok := os.LookupEnv("INSECURE_SECRET_STORAGE"); ok {
zapctx.Warn(ctx, "using plaintext postgres for secret storage")
s.jimm.CredentialStore = &s.jimm.Database
}
}
if s.jimm.CredentialStore == nil {
return errors.E(op, "no credential store setup")
}
return nil
}

func newVaultStore(ctx context.Context, p Params) (jimmcreds.CredentialStore, error) {
if p.VaultSecretFile == "" {
return nil, nil
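Review bot: The operation constant on the first line of `setupSecretStore` is `errors.Op("newSecretStore")`, which does not match the function's name, so the `no credential store setup` error and the wrapped Vault error will be attributed to a non-existent operation in error chains and logs; it should read `const op = errors.Op("setupSecretStore")`. Separately, the moved `os.LookupEnv("INSECURE_SECRET_STORAGE")` check only tests for the variable's presence, so `INSECURE_SECRET_STORAGE=false` (or any value at all) still switches controller credentials to plaintext Postgres storage; this predates the commit, but now that this function owns the decision it is the place to interpret the value, e.g. `if v, ok := os.LookupEnv("INSECURE_SECRET_STORAGE"); ok && v != "" && v != "false" {` or via `strconv.ParseBool`, and the comment typo `explictly` could be fixed in the same pass. The `if vs != nil { … } else { if … }` nesting would read more directly as `else if`.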
