tkellen · April 30, 2024 13:53 · Apr 30, 2024 · Apr 30, 2024
diff --git a/pod logs b/pod logs
@@ -0,0 +1,55 @@
+❯ k logs -n secret-test fetch-7cdf46d6c5-pgqsq
+INFO 2024/04/30 13:44:08.673560 log.go:106: logger level set to:  3
+INFO 2024/04/30 13:44:08.673652 eventual_consistency.go:76: (pid=1, gid=1) OCI_GO_SDK_EC_CONFIG: Unknown ec mode '', assuming 'inprocess'
+INFO 2024/04/30 13:44:08.673671 log.go:106: logger level set to:  3
+2024/04/30 13:44:08 Starting secret test...
+DEBUG 2024/04/30 13:44:08.673852 common.go:562: No Developer Tool Config File provided.
+DEBUG 2024/04/30 13:44:08.673867 federation_client_oke_workload_identity.go:54: Refreshing session key
+INFO 2024/04/30 13:44:08.736887 federation_client_oke_workload_identity.go:182: Renewing security token at: 13:44:08.736
+INFO 2024/04/30 13:44:08.736939 federation_client_oke_workload_identity.go:59: Public Key for OKE Workload Identity is:%!(EXTRA string=-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt9Y6nmt+nNHJxR+tyNQW
+V+IFBHfc7be1qIYk29k9w1VhVuPobG2nCwkaZAvRCdhCNutLa/aQ3DK0d4hDNDq5
+UZvqL8FS9HVJ1soDHOgnqaj54OcFkmMcq7MgsomclIuPlj0Snqi2j7rTTXlwHopT
+T+deQApr1ZDSRbt3sRZ5A7g9EsvNMW8wBowmsF77vtAuZUFlurc8349lgV0SSGtS
+7puv7MmPStAkPHffrNcdIvvRrvsIrCLbDTm/tMMf6oX3b/bEyZNXOCjzY0no3y7D
+Cg4pa3WAczNG/Q8PUcXE6AcKmUQ6XYt0HV/DcSvd933KU3som6qSeMEWbWVNnyAn
+vQIDAQAB
+-----END PUBLIC KEY-----
+)
+INFO 2024/04/30 13:44:08.736994 federation_client_oke_workload_identity.go:59: Payload for OKE Workload Identity is:%!(EXTRA string={"podKey":"-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt9Y6nmt+nNHJxR+tyNQW\nV+IFBHfc7be1qIYk29k9w1VhVuPobG2nCwkaZAvRCdhCNutLa/aQ3DK0d4hDNDq5\nUZvqL8FS9HVJ1soDHOgnqaj54OcFkmMcq7MgsomclIuPlj0Snqi2j7rTTXlwHopT\nT+deQApr1ZDSRbt3sRZ5A7g9EsvNMW8wBowmsF77vtAuZUFlurc8349lgV0SSGtS\n7puv7MmPStAkPHffrNcdIvvRrvsIrCLbDTm/tMMf6oX3b/bEyZNXOCjzY0no3y7D\nCg4pa3WAczNG/Q8PUcXE6AcKmUQ6XYt0HV/DcSvd933KU3som6qSeMEWbWVNnyAn\nvQIDAQAB\n-----END PUBLIC KEY-----\n"})
+INFO 2024/04/30 13:44:08.737085 federation_client_oke_workload_identity.go:59: Service Account Token for OKE Workload Identity is: %!(EXTRA string=eyJhbGciOiJSUzI1NiIsImtpZCI6Ik5Nb1lFQmd5bm1URnBXQm1oQnZ0LWQ5MEloVFY5LXY2UVlDUlhlNHV6WkUifQ.eyJhdWQiOlsiYXBpIl0sImV4cCI6MTc0NjAyMDY0NywiaWF0IjoxNzE0NDg0NjQ3LCJpc3MiOiJodHRwczovL2t1YmVybmV0ZXMuZGVmYXVsdC5zdmMuY2x1c3Rlci5sb2NhbCIsImt1YmVybmV0ZXMuaW8iOnsibmFtZXNwYWNlIjoic2VjcmV0LXRlc3QiLCJwb2QiOnsibmFtZSI6ImZldGNoLTdjZGY0NmQ2YzUtcGdxc3EiLCJ1aWQiOiIyOGU1OGI3My0xNzg4LTRjOGEtOTVhNy1iZjA4OGRlYzk5ZDUifSwic2VydmljZWFjY291bnQiOnsibmFtZSI6InNlY3JldC10ZXN0IiwidWlkIjoiOThjMjUxNWYtMDg3ZS00MjdjLWFkNTItNGEwNDcyMzEyMjIyIn0sIndhcm5hZnRlciI6MTcxNDQ4ODI1NH0sIm5iZiI6MTcxNDQ4NDY0Nywic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OnNlY3JldC10ZXN0OnNlY3JldC10ZXN0In0.rDZS3RLDYVU9gr5PsKKouc2-XPYlz_bfkbJyNtTw4zVLtQpPcILhF_2Eq4bPrAXTo56h_OtMG4xeeCNS6BEher4op7ftpmbzx61kDWr7qT4TM4fSSlENibEXOSkRBxedOOxHibsvLM3lRcuSNxtWiRNQ7ewgAKP0V3appzV7_13nEgpUJFYLjz95iaZPzBSvvz8D1V8kh3vCuw77jKQP0exz2I4pCBPjkXO8AEgyscrK8AS8fR0TdKkyhBHlY7W7DxC1Uv4NVc5J2J7JrQvd5NK-1blazwcl7EIYn8T8tF8Z-TXolV1gl9fmCQYKrB975vmqRXPzKbB-bXze5yGnkQ)
+INFO 2024/04/30 13:44:08.789749 federation_client_oke_workload_identity.go:182: Security token renewed at: 13:44:08.789
+DEBUG 2024/04/30 13:44:08.789826 client.go:237: Setting the default refresh interval 30 for custom certs
+2024/04/30 13:44:08 Fetching secret test-secret from vault ocid1.vault.oc1.iad.ejtdbtklaaeac.abuwcljrrnjnyaah7q3yggwlqbecagaqz4dx4x6bhvp5hoxutgwsxp6twkha
+DEBUG 2024/04/30 13:44:08.789913 eventual_consistency.go:332: (pid=1, gid=8) EcContext.GetEndOfWindow returns <nil>
+DEBUG 2024/04/30 13:44:08.789929 retry.go:455: Use default timing and strategy, no EC window set
+DEBUG 2024/04/30 13:44:08.789947 asm_amd64.s:1695: Retry policy to use: {MaximumNumberAttempts=8, MinSleepBetween=0, MaxSleepBetween=30, ExponentialBackoffBase=2, NonEventuallyConsistentPolicy=<nil>}
+DEBUG 2024/04/30 13:44:08.789954 asm_amd64.s:1695: operation attempt #1
+DEBUG 2024/04/30 13:44:08.789967 http.go:725: Marshaling to Request: GetSecretBundleByNameRequest
+DEBUG 2024/04/30 13:44:08.789979 http.go:645: Marshaling to query from field: SecretName
+DEBUG 2024/04/30 13:44:08.790012 http.go:645: Marshaling to query from field: VaultId
+DEBUG 2024/04/30 13:44:08.790022 http.go:639: Marshaling to header from field: OpcRequestId
+DEBUG 2024/04/30 13:44:08.790033 http.go:520: add request id for header: opc-request-id, with value: 64bed2bc8f0edc662a3dc2bc6d93e312
+DEBUG 2024/04/30 13:44:08.790043 http.go:645: Marshaling to query from field: VersionNumber
+DEBUG 2024/04/30 13:44:08.790051 http.go:645: Query parameter value is not mandatory and is nil pointer in field: VersionNumber. Skipping query
+DEBUG 2024/04/30 13:44:08.790058 http.go:645: Marshaling to query from field: SecretVersionName
+DEBUG 2024/04/30 13:44:08.790064 http.go:645: Query parameter value is not mandatory and is nil pointer in field: SecretVersionName. Skipping query
+DEBUG 2024/04/30 13:44:08.790071 http.go:645: Marshaling to query from field: Stage
+DEBUG 2024/04/30 13:44:08.790077 http.go:645: Omitting Stage, is empty and omitEmpty tag is set
+DEBUG 2024/04/30 13:44:08.790087 http.go:698: RequestMetadata does not contain contributes tag. Skipping.
+DEBUG 2024/04/30 13:44:08.790094 client.go:624: Attempting to call downstream service
+DEBUG 2024/04/30 13:44:08.792328 client.go:696: Dump Request POST /20190301/secretbundles/actions/getByName?secretName=test-secret&vaultId=ocid1.vault.oc1.iad.ejtdbtklaaeac.abuwcljrrnjnyaah7q3yggwlqbecagaqz4dx4x6bhvp5hoxutgwsxp6twkha HTTP/1.1
+Host: secrets.vaults.us-ashburn-1.oci.oraclecloud.com
+User-Agent: Oracle-GoSDK/65.64.0 (linux/amd64; go/go1.22.1)
+Content-Length: 0
+Accept: */*
+Authorization: Signature version="1",headers="date (request-target) host content-length content-type x-content-sha256",keyId="ST$eyJraWQiOiJhc3dfb2MxX2o0eGQiLCJhbGciOiJSUzI1NiJ9.eyJzdmNUZW5hbnRJZCI6Im9jaWQxLnRlbmFuY3kub2MxLi5hYWFhYWFhYTV2cnR1NGJqY3FwanZid29yaXdmZmdjY3JncmJrdW02NG10bjMzeXJjY2pycXB6dXlhcmEiLCJzdWIiOiJvY2lkMS53b3JrbG9hZC5vYzEuaWFkLmNzZHZza3R2emhhLm1kYXdtZGs0eXppMW10dm1tZGczenRxeW4ybmh6ZHV5bmdld25kY3ltemV5bWppeSIsInN2YyI6Im9rZSIsImlzcyI6ImF1dGhTZXJ2aWNlLm9yYWNsZS5jb20iLCJyZXNfdGVuYW50Ijoib2NpZDEudGVuYW5jeS5vYzEuLmFhYWFhYWFhNGpmb3dqdWZub3p0Z3YzM3pienRkcXoyZXI1ZjZhb2FxZzN1a3ZkN3dvbGFzN3I1N3phcSIsInB0eXBlIjoicmVzb3VyY2UiLCJyZXNfdHlwZSI6Indvcmtsb2FkIiwiYXVkIjoib2NpIiwidmFyX3NlcnZpY2VfYWNjb3VudCI6InNlY3JldC10ZXN0IiwidmFyX25hbWVzcGFjZSI6InNlY3JldC10ZXN0IiwidmFyX2NsdXN0ZXJfaWQiOiJvY2lkMS5jbHVzdGVyLm9jMS5pYWQuYWFhYWFhYWF6M2Jpc3gyZHZramM0NG9nM2ZzYmp0d3VzZWlkZ2UyNmV6czNwaWFvMmNzZHZza3R2emhhIiwidmFyX2NsdXN0ZXJfY29tcGFydG1lbnRfaWQiOiJvY2lkMS5jb21wYXJ0bWVudC5vYzEuLmFhYWFhYWFham1sbnpmam5ldXc2ZmF4NXNqM21ld3ZteGd5djNpbmxzYjRzMmFmd3NqNGwyaTNqcWNiYSIsInJlc19pZCI6Im9jaWQxLndvcmtsb2FkLm9jMS5pYWQuY3NkdnNrdHZ6aGEubWRhd21kazR5emkxbXR2bW1kZzN6dHF5bjJuaHpkdXluZ2V3bmRjeW16ZXltaml5IiwidHR5cGUiOiJyZXNfc3AiLCJyZXNfY29tcGFydG1lbnQiOiJvY2lkMS5jb21wYXJ0bWVudC5vYzEuLmFhYWFhYWFham1sbnpmam5ldXc2ZmF4NXNqM21ld3ZteGd5djNpbmxzYjRzMmFmd3NqNGwyaTNqcWNiYSIsImV4cCI6MTcxNDUyNzg0OCwiaWF0IjoxNzE0NDg0NjQ4LCJqdGkiOiJiMGQwNTBjMS1lZjhkLTQ4NDktOWI5My02MDFmODdlNWJhZjQiLCJ0ZW5hbnQiOiJvY2lkMS50ZW5hbmN5Lm9jMS4uYWFhYWFhYWE0amZvd2p1Zm5venRndjMzemJ6dGRxejJlcjVmNmFvYXFnM3VrdmQ3d29sYXM3cjU3emFxIiwib3BjLWRncyI6IlYzLG9jaWQxLnRlbmFuY3kub2MxLi5hYWFhYWFhYTRqZm93anVmbm96dGd2MzN6Ynp0ZHF6MmVyNWY2YW9hcWczdWt2ZDd3b2xhczdyNTd6YXEsQUFBQUFRQUFBQUJcL2YzOVwvQUFBQWp3PT0sQUFBQUFBPT0iLCJqd2siOiJ7XCJraWRcIjpcIm9jaWQxLndvcmtsb2FkLm9jMS5pYWQuY3NkdnNrdHZ6aGEubWRhd21kazR5emkxbXR2bW1kZzN6dHF5bjJuaHpkdXluZ2V3bmRjeW16ZXltaml5XCIsXCJuXCI6XCJ0OVk2bm10LW5OSEp4Ui10eU5RV1YtSUZCSGZjN2JlMXFJWWsyOWs5dzFWaFZ1UG9iRzJuQ3drYVpBdlJDZGhDTnV0TGFfYVEzREswZDRoRE5EcTVVWnZxTDhGUzlIVkoxc29ESE9nbnFhajU0T2NGa21NY3E3TWdzb21jbEl1UGxqMFNucWkyajdyVFRYbHdIb3BUVC1kZVFBcHIxWkRTUmJ0M3NSWjVBN2c5RXN2Tk1XOHdCb3dtc0Y3N3Z0QXVaVUZsdXJjODM0OWxnVjBTU0d0UzdwdXY3TW1QU3RBa1BIZmZyTmNkSXZ2UnJ2c0lyQ0xiRFRtX3RNTWY2b1gzYl9iRXlaTlhPQ2p6WTBubzN5N0RDZzRwYTNXQWN6TkdfUThQVWNYRTZBY0ttVVE2WFl0MEhWX0RjU3ZkOTMzS1Uzc29tNnFTZU1FV2JXVk5ueUFudlFcIixcImVcIjpcIkFRQUJcIixcImt0eVwiOlwiUlNBXCIsXCJhbGdcIjpcIlJTMjU2XCIsXCJ1c2VcIjpcInNpZ1wifSJ9.ZJl32XYfx3y3fZjh4MRu0aFgSerDBi6rfkR5Ac0i2_moeNXg1nvk-DjsiaON2xrU_Hl2mWojKkmpyHpDRf92vzpmASYua3cbwMppcWQlALLYaNXwSUBv9c47OHhtiP-8sAxC01CoXs6Fan37-225SKdDNyf1gHlumzuEVnukO0_JoA0Ix0v_eEgoBWr0U-dclXLp8oG6qiqNKFiql5JUc-NioRnuNM25osK1LLvpkut_HHFtl2wiNK0wX41iyhlGYw3nLAW4WZ9Lq6dR1arL3chaxZ7Re9uxoBlx-ALS7N0SDIRkln8zVdLDFUeGqaA8TbI7CQxUaWy1wZ7FpIp3Sw",algorithm="rsa-sha256",signature="BUHoPMFG3VOX2tKN1e+x5TFSgYbkjidmUhOJIYlg65+6XOZgcPk3+8p6nl4GZRsrBBWV11x1HAJ7+uTqEu1nkSR8npuEMuTSa1n/NZKzVbMl2JEpQjSuNPvcVtEIbKlOpwusuf5OVPNijHBmSgNqhExQSgMpQ0gDay3zSeZ7cDbN53Ia9+ll/Z2y0Ty6/DZ0EznTkz71W16hi54G8lnAvHBYl4x/YSaQjBKQHNd27AFDLDaTdFDofu+xQ1KA4cQL3cQmZ8r4NlUed+SzLj/2Zr3ZdtenX9OzqdQsafFoG/miVdWh51fRfsf+LfVmzRU85COPfY/rbj7lfhouNGzxFQ=="
+Content-Type: application/json
+Date: Tue, 30 Apr 2024 13:44:08 GMT
+Opc-Client-Info: Oracle-GoSDK/65.64.0
+Opc-Client-Retries: true
+Opc-Request-Id: 64bed2bc8f0edc662a3dc2bc6d93e312
+X-Content-Sha256: 47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=
+Accept-Encoding: gzip
+
+INFO 2024/04/30 13:44:08.792358 oci_http_transport_wrapper.go:41: Loading tls config from TLSConfigProvider
diff --git a/main.go b/main.go
@@ -0,0 +1,60 @@
+package main
+
+import (
+	"context"
+	"encoding/base64"
+	"log"
+	"os"
+	"time"
+
+	"github.com/oracle/oci-go-sdk/v65/common"
+	"github.com/oracle/oci-go-sdk/v65/common/auth"
+	"github.com/oracle/oci-go-sdk/v65/secrets"
+)
+
+func main() {
+	vaultId := os.Getenv("OCI_VAULT_ID")
+	if vaultId == "" {
+		log.Fatal("env OCI_VAULT_ID must be specified.")
+	}
+	secretName := os.Getenv("OCI_SECRET_NAME")
+	if secretName == "" {
+		log.Fatal("env OCI_SECRET_NAME must be specified.")
+	}
+	log.Printf("Starting secret test...")
+	rp, err := auth.OkeWorkloadIdentityConfigurationProvider()
+	if err != nil {
+		log.Fatalf("Unable to load workload identity config provider: %v", err)
+	}
+	client, err := secrets.NewSecretsClientWithConfigurationProvider(rp)
+	if err != nil {
+		log.Fatalf("Unable to auth to OCI: %v", err)
+	}
+	log.Printf("Fetching secret %s from vault %s", secretName, vaultId)
+	resp, err := client.GetSecretBundleByName(context.Background(), secrets.GetSecretBundleByNameRequest{
+		SecretName: common.String(secretName),
+		VaultId:    common.String(vaultId),
+	})
+	log.Printf("Response received.")
+	if err != nil {
+		log.Fatalf("Failed to get secret: %v", err)
+	}
+	secret, ok := resp.SecretBundleContent.(secrets.Base64SecretBundleContentDetails)
+	if !ok {
+		log.Fatalf("Failed to unpack secret: %v", err)
+	}
+	value, err := base64.StdEncoding.DecodeString(*secret.Content)
+	if err != nil {
+		log.Fatal("failed to decode secret: %w", err)
+	}
+	log.Printf("Got secret %s, the value was: %s", secretName, value)
+	go forever()
+	select {}
+}
+
+func forever() {
+	for {
+		log.Printf("%v+\n", time.Now())
+		time.Sleep(time.Second)
+	}
+}
diff --git a/manifest.yml b/manifest.yml
@@ -0,0 +1,51 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: secret-test
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: secret-test
+  namespace: secret-test
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: fetch
+  namespace: secret-test
+spec:
+  selector:
+    matchLabels:
+      app: fetch
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: fetch
+    spec:
+      serviceAccountName: secret-test
+      automountServiceAccountToken: true
+      containers:
+      - name: fetch
+        image: tkellen/test:latest
+        imagePullPolicy: Always
+        env:
+          - name: OCI_VAULT_ID
+            value: ocid1.vault.oc1.iad.ejtdbtklaaeac.abuwcljrrnjnyaah7q3yggwlqbecagaqz4dx4x6bhvp5hoxutgwsxp6twkha
+          - name: OCI_SECRET_NAME
+            value: test-secret
+          - name: OCI_RESOURCE_PRINCIPAL_VERSION
+            value: "2.2"
+          - name: OCI_RESOURCE_PRINCIPAL_REGION
+            value: us-ashburn-1
+          - name: OCI_GO_SDK_DEBUG
+            value: verbose
+      nodeSelector:
+        node.kubernetes.io/app: "true"
+      tolerations:
+      - key: node.kubernetes.io/app
+        operator: Equal
+        value: "true"
+        effect: NoSchedule
+