From da12adc1454f8bd1226e83b9616c3ba686a0fa4c Mon Sep 17 00:00:00 2001
From: Kian Parvin
Date: Fri, 28 Jul 2023 12:33:13 +0200
Subject: [PATCH] Fix to use postgres as the controller credential store

---
 internal/jujuclient/dial.go |  5 +++++
 service.go                  | 38 ++++++++++++++++++++++++-------------
 2 files changed, 30 insertions(+), 13 deletions(-)

diff --git a/internal/jujuclient/dial.go b/internal/jujuclient/dial.go
index c1dfdc835..f63e3a4b6 100644
--- a/internal/jujuclient/dial.go
+++ b/internal/jujuclient/dial.go
@@ -120,6 +120,11 @@ func (d *Dialer) Dial(ctx context.Context, ctl *dbmodel.Controller, modelTag nam
 		}
 	}
 
+	if username == "" || password == "" {
+		zapctx.Error(ctx, "empty username or password")
+		return nil, errors.E(op, errors.CodeNotFound, "missing controller username or password")
+	}
+
 	args := jujuparams.LoginRequest{
 		AuthTag:     names.NewUserTag(username).String(),
 		Credentials: password,
diff --git a/service.go b/service.go
index 0d2b0be1d..e4260b380 100644
--- a/service.go
+++ b/service.go
@@ -292,23 +292,13 @@ func NewService(ctx context.Context, p Params) (*Service, error) {
 	if err != nil {
 		return nil, errors.E(op, err)
 	}
-	vs, err := newVaultStore(ctx, p)
-	if err != nil {
-		zapctx.Error(ctx, "Vault Store error", zap.Error(err))
+
+	if err := s.setupSecretStore(ctx, p); err != nil {
 		return nil, errors.E(op, err)
 	}
-	if vs != nil {
-		s.jimm.CredentialStore = vs
-	} else {
-		// Only enable Postgres storage for secrets if explictly enabled.
-		if _, ok := os.LookupEnv("INSECURE_SECRET_STORAGE"); ok {
-			zapctx.Warn(ctx, "using plaintext postgres for secret storage")
-			s.jimm.CredentialStore = &s.jimm.Database
-		}
-	}
 
 	s.jimm.Dialer = &jujuclient.Dialer{
-		ControllerCredentialsStore: vs,
+		ControllerCredentialsStore: s.jimm.CredentialStore,
 	}
 	if !p.DisableConnectionCache {
 		s.jimm.Dialer = jimm.CacheDialer(s.jimm.Dialer)
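Review bot: The guard added before the LoginRequest logs `empty username or password` without saying which controller the lookup was for, so an operator reading aggregated logs cannot tell which store entry is missing; consider `zapctx.Error(ctx, "empty username or password", zap.String("controller", ctl.Name))` if the Controller model carries a name field and zap is imported in this file (neither is visible in the hunk). Returning `errors.CodeNotFound` for what is effectively a misconfigured credential store may be mapped by callers to a 404-style response, which hides a server-side problem; a code that surfaces as a server error is worth considering. The `||` test correctly treats a present username with an empty password as missing, and neither the log nor the error includes the secret itself. The enclosing Dial function starts before and continues after this hunk, and the source of username and password lies outside it.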
@@ -472,6 +462,28 @@ func newAuthenticator(ctx context.Context, db *db.Database, client *ofgaClient.O
 	}, nil
 }
 
+func (s *Service) setupSecretStore(ctx context.Context, p Params) error {
+	const op = errors.Op("newSecretStore")
+	vs, err := newVaultStore(ctx, p)
+	if err != nil {
+		zapctx.Error(ctx, "Vault Store error", zap.Error(err))
+		return errors.E(op, err)
+	}
+	if vs != nil {
+		s.jimm.CredentialStore = vs
+	} else {
+		// Only enable Postgres storage for secrets if explictly enabled.
+		if _, ok := os.LookupEnv("INSECURE_SECRET_STORAGE"); ok {
+			zapctx.Warn(ctx, "using plaintext postgres for secret storage")
+			s.jimm.CredentialStore = &s.jimm.Database
+		}
+	}
+	if s.jimm.CredentialStore == nil {
+		return errors.E(op, "no credential store setup")
+	}
+	return nil
+}
+
 func newVaultStore(ctx context.Context, p Params) (jimmcreds.CredentialStore, error) {
 	if p.VaultSecretFile == "" {
 		return nil, nil
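Review bot: `const op = errors.Op("newSecretStore")` inside the new setupSecretStore method names an operation that does not exist, so every error it produces points readers at the wrong function; change it to `const op = errors.Op("setupSecretStore")`. The method also has no doc comment; one stating that it selects the controller credential store (Vault when configured, otherwise the Postgres database only when INSECURE_SECRET_STORAGE is set) and fails startup when neither applies would document the new hard-failure behaviour, which the commit message does not mention. The final `errors.E(op, "no credential store setup")` would help operators more if it said what to configure, e.g. `"no credential store configured: set VaultSecretFile or INSECURE_SECRET_STORAGE"`. The Vault error is both logged here and returned to NewService, which wraps and returns it again, so it is reported twice; handling it at one layer is cleaner. The comment typo `explictly` is carried over from the moved code.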