Integration vault to delegator (#1465)

* delegator pk * add vault hashcorp to mod and sum * text cgo env for image for unning IDC k8s * add readme * fixed readme * changed fee payer charator
Bisonai · May 7, 2024 · e3be629 · e3be629
1 parent 2268213
commit e3be629
Show file tree

Hide file tree

Showing 8 changed files with 201 additions and 17 deletions.
diff --git a/.github/workflows/delegator.image+upload.yaml b/.github/workflows/delegator.image+upload.yaml
@@ -3,7 +3,7 @@ name: Go Delegator Deploy to Amazon ECR
 on:
   push:
     branches:
-      - master
+      - i-1456/feat/integration-vault-to-delegator
     paths:
       - "delegator/**"
 env:
@@ -95,13 +95,13 @@ jobs:
           docker tag ${{ env.ecr_url }}:latest ${{ env.ecr_url }}:v${{ needs.prepare.outputs.version }}.${{ needs.prepare.outputs.tag_date }}.${{ needs.prepare.outputs.tag_git_hash }}
           docker push ${{ env.ecr_url }}:v${{ needs.prepare.outputs.version }}.${{ needs.prepare.outputs.tag_date }}.${{ needs.prepare.outputs.tag_git_hash }}
 
-  create-helmchart-pr:
-    needs: [prepare, build]
-    uses: ./.github/workflows/create-helmchart-pr.yaml
-    with:
-      project-name: "delegator"
-      version: ${{ needs.prepare.outputs.version }}
-      tag_date: ${{ needs.prepare.outputs.tag_date }}
-      tag_git_hash: ${{ needs.prepare.outputs.tag_git_hash }}
-    secrets:
-      PAT: ${{ secrets.PAT }}
+  # create-helmchart-pr:
+  #   needs: [prepare, build]
+  #   uses: ./.github/workflows/create-helmchart-pr.yaml
+  #   with:
+  #     project-name: "delegator"
+  #     version: ${{ needs.prepare.outputs.version }}
+  #     tag_date: ${{ needs.prepare.outputs.tag_date }}
+  #     tag_git_hash: ${{ needs.prepare.outputs.tag_git_hash }}
+  #   secrets:
+  #     PAT: ${{ secrets.PAT }}
diff --git a/delegator/.env.example b/delegator/.env.example
@@ -2,5 +2,13 @@ DATABASE_URL=
 PROVIDER_URL=
 APP_PORT=
 TEST_DELEGATOR_REPORTER_PK=
+
 USE_GOOGLE_SECRET_MANAGER=
-GOOGLE_SECRET_PATH=
+GOOGLE_SECRET_PATH=
+
+USE_VAULT=
+VAULT_ADDR=
+JWT_PATH=
+VAULT_ROLE=
+VAULT_SECRET_PATH=
+VAULT_KEY_NAME=
diff --git a/delegator/README.md b/delegator/README.md
@@ -1,4 +1,3 @@
 # Go Delegator
 
-- Go implementation for delegator
-- Uses GSM (setup env vars)
+- Go implementation for delegator
diff --git a/delegator/go.mod b/delegator/go.mod
@@ -35,6 +35,7 @@ require (
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/bits-and-blooms/bitset v1.13.0 // indirect
 	github.com/btcsuite/btcd/btcec/v2 v2.3.2 // indirect
+	github.com/cenkalti/backoff/v3 v3.2.2 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/clevergo/websocket v1.0.0 // indirect
 	github.com/consensys/bavard v0.1.13 // indirect
@@ -56,6 +57,7 @@ require (
 	github.com/fjl/memsize v0.0.2 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/gabriel-vasile/mimetype v1.4.3 // indirect
+	github.com/go-jose/go-jose/v4 v4.0.1 // indirect
 	github.com/go-logr/logr v1.4.1 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
@@ -72,14 +74,25 @@ require (
 	github.com/googleapis/gax-go/v2 v2.12.1 // indirect
 	github.com/gorilla/websocket v1.5.1 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
+	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
+	github.com/hashicorp/go-retryablehttp v0.7.4 // indirect
+	github.com/hashicorp/go-rootcerts v1.0.2 // indirect
+	github.com/hashicorp/go-secure-stdlib/parseutil v0.1.7 // indirect
+	github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect
+	github.com/hashicorp/go-sockaddr v1.0.2 // indirect
 	github.com/hashicorp/golang-lru v1.0.2 // indirect
+	github.com/hashicorp/hcl v1.0.1-vault-5 // indirect
+	github.com/hashicorp/vault/api v1.13.0 // indirect
+	github.com/hashicorp/vault/api/auth/kubernetes v0.6.0 // indirect
 	github.com/holiman/uint256 v1.2.4 // indirect
 	github.com/huin/goupnp v1.3.0 // indirect
 	github.com/jackpal/go-nat-pmp v1.0.2 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/leodido/go-urn v1.4.0 // indirect
 	github.com/linxGnu/grocksdb v1.8.12 // indirect
+	github.com/mitchellh/go-homedir v1.1.0 // indirect
+	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/mmcloughlin/addchain v0.4.0 // indirect
 	github.com/newrelic/go-agent/v3 v3.29.1 // indirect
 	github.com/outcaste-io/ristretto v0.2.3 // indirect
@@ -96,6 +109,7 @@ require (
 	github.com/rjeczalik/notify v0.9.3 // indirect
 	github.com/rs/cors v1.10.1 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
+	github.com/ryanuber/go-glob v1.0.0 // indirect
 	github.com/secure-systems-lab/go-securesystemslib v0.8.0 // indirect
 	github.com/steakknife/bloomfilter v0.0.0-20180922174646-6819c0d2a570 // indirect
 	github.com/steakknife/hamming v0.0.0-20180906055917-c99c65617cd3 // indirect

diff --git a/delegator/go.sum b/delegator/go.sum
diff --git a/delegator/secrets/secrets.go b/delegator/secrets/secrets.go
@@ -0,0 +1,56 @@
+package secrets
+
+import (
+	"context"
+	"fmt"
+
+	vault "github.com/hashicorp/vault/api"
+	auth "github.com/hashicorp/vault/api/auth/kubernetes"
+)
+
+type SecretEnv struct {
+	VaultRole       string
+	JwtPath         string
+	VaultSecretPath string
+	VaultKeyName    string
+}
+
+type Secrets struct {
+	FeePayer string
+}
+
+func (s *SecretEnv) GetSecretFromVaultWithKubernetesAuth() (*Secrets, error) {
+	ctx := context.Background()
+	config := vault.DefaultConfig()
+	client, err := vault.NewClient(config)
+	if err != nil {
+		return nil, fmt.Errorf("unable to initialize Vault client: %w", err)
+	}
+
+	k8sAuth, err := auth.NewKubernetesAuth(
+		s.VaultRole,
+		auth.WithServiceAccountTokenPath(s.JwtPath),
+	)
+	if err != nil {
+		return nil, fmt.Errorf("unable to initialize Kubernetes auth method: %w", err)
+	}
+
+	authInfo, err := client.Auth().Login(ctx, k8sAuth)
+	if err != nil {
+		return nil, fmt.Errorf("unable to log in with Kubernetes auth: %w", err)
+	}
+	if authInfo == nil {
+		return nil, fmt.Errorf("no auth info was returned after login")
+	}
+
+	secrets, err := client.KVv2(s.VaultSecretPath).Get(context.Background(), s.VaultKeyName)
+	if err != nil {
+		return nil, fmt.Errorf("unable to read secret: %w", err)
+	}
+
+	secretDataSet := &Secrets{
+		FeePayer: secrets.Data["FEE_PAYER"].(string),
+	}
+
+	return secretDataSet, nil
+}
diff --git a/delegator/utils/utils.go b/delegator/utils/utils.go
@@ -11,6 +11,7 @@ import (
 	"strconv"
 	"strings"
 
+	"bisonai.com/orakl/delegator/secrets"
 	secretmanager "cloud.google.com/go/secretmanager/apiv1"
 	"cloud.google.com/go/secretmanager/apiv1/secretmanagerpb"
 	"github.com/gofiber/fiber/v2"
@@ -85,12 +86,17 @@ func InitFeePayerPK(ctx context.Context, pgxPool *pgxpool.Pool) error {
 	}
 
 	useGoogleSecretManager, _ := strconv.ParseBool(os.Getenv("USE_GOOGLE_SECRET_MANAGER"))
-
+	useVault, _ := strconv.ParseBool(os.Getenv("USE_VAULT"))
 	if useGoogleSecretManager {
 		feePayer, err = LoadFeePayerFromGSM(ctx)
 		if err != nil {
 			return err
 		}
+	} else if useVault {
+		feePayer, err = LoadFeePayerFromVault(ctx)
+		if err != nil {
+			return err
+		}
 	} else {
 		feePayer, err = LoadFeePayer(pgxPool)
 		if err != nil {
@@ -323,3 +329,27 @@ func GetPublicKey(pk string) (string, error) {
 	address := crypto.PubkeyToAddress(*publicKeyECDSA)
 	return address.String(), nil
 }
+
+func LoadFeePayerFromVault(ctx context.Context) (string, error) {
+	feePayer := ""
+	vaultRole := os.Getenv("VAULT_ROLE")
+	jwtPath := os.Getenv("JWT_PATH")
+	vaultSecretPath := os.Getenv("VAULT_SECRET_PATH")
+	vaultKeyName := os.Getenv("VAULT_KEY_NAME")
+
+	if vaultRole != "" && jwtPath != "" && vaultSecretPath != "" && vaultKeyName != "" {
+		secretsEnv := secrets.SecretEnv{
+			VaultRole:       vaultRole,
+			JwtPath:         jwtPath,
+			VaultSecretPath: vaultSecretPath,
+			VaultKeyName:    vaultKeyName,
+		}
+
+		secrets, err := secretsEnv.GetSecretFromVaultWithKubernetesAuth()
+		if err != nil {
+			return "", err
+		}
+		feePayer = secrets.FeePayer
+	}
+	return feePayer, nil
+}
diff --git a/dockerfiles/orakl-delegator.Dockerfile b/dockerfiles/orakl-delegator.Dockerfile
@@ -9,8 +9,7 @@ COPY delegator delegator
 WORKDIR /app/delegator
 
 # https://github.com/klaytn/klaytn/issues/197#issuecomment-612597933
-RUN CGO_ENABLED=1 CC=x86_64-linux-gnu-gcc GOOS=linux GOARCH=amd64 go build -o delegatorbin -ldflags="-w -s" .
-
+RUN CGO_ENABLED=1 CGO_CFLAGS="-O -D__BLST_PORTABLE__" CGO_CFLAGS_ALLOW="-O -D__BLST_PORTABLE__" CC=x86_64-linux-gnu-gcc GOOS=linux GOARCH=amd64 go build -o delegatorbin -ldflags="-w -s" .
 # debian:bullseye-slim
 FROM debian@sha256:4b48997afc712259da850373fdbc60315316ee72213a4e77fc5a66032d790b2a