Fixes Hashivault configuration with Chains

Initially when kms was misconfigured, then the chains controller pod was getting panic and ended up getting crashed Hence, this patch checks it the vault address is valid and if it is not valid, then returns the error which handles the pod from getting panic and crashed Signed-off-by: PuneetPunamiya <[email protected]>
tektoncd · Sep 23, 2023 · b3587b5 · b3587b5
1 parent 52b918e
commit b3587b5
Show file tree

Hide file tree

Showing 2 changed files with 62 additions and 2 deletions.
diff --git a/pkg/chains/signing/kms/kms.go b/pkg/chains/signing/kms/kms.go
@@ -17,8 +17,9 @@ package kms
 import (
 	"context"
 	"crypto"
-
-	"github.com/tektoncd/chains/pkg/config"
+	"net"
+	"strings"
+	"time"
 
 	"github.com/sigstore/sigstore/pkg/signature"
 	"github.com/sigstore/sigstore/pkg/signature/kms"
@@ -27,6 +28,7 @@ import (
 	_ "github.com/sigstore/sigstore/pkg/signature/kms/gcp"
 	_ "github.com/sigstore/sigstore/pkg/signature/kms/hashivault"
 	"github.com/sigstore/sigstore/pkg/signature/options"
+	"github.com/tektoncd/chains/pkg/config"
 
 	"github.com/spiffe/go-spiffe/v2/svid/jwtsvid"
 	"github.com/spiffe/go-spiffe/v2/workloadapi"
@@ -41,6 +43,19 @@ type Signer struct {
 // NewSigner returns a configured Signer
 func NewSigner(ctx context.Context, cfg config.KMSSigner) (*Signer, error) {
 	kmsOpts := []signature.RPCOption{}
+
+	// Checks if the vault address provide by the user is a valid address or not
+	if cfg.Auth.Address != "" {
+		vaultAddress := strings.TrimPrefix(cfg.Auth.Address, "http://")
+		vaultAddress = strings.TrimPrefix(vaultAddress, "https://")
+
+		conn, err := net.DialTimeout("tcp", vaultAddress, 5*time.Second)
+		if err != nil {
+			return nil, err
+		}
+		defer conn.Close()
+	}
+
 	// pass through configuration options to RPCAuth used by KMS in sigstore
 	rpcAuth := options.RPCAuth{
 		Address: cfg.Auth.Address,

diff --git a/pkg/chains/signing/kms/kms_test.go b/pkg/chains/signing/kms/kms_test.go
@@ -0,0 +1,45 @@
+/*
+Copyright 2023 The Tekton Authors
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+    http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package kms creates a signer using a key management server
+
+package kms
+
+import (
+	"context"
+	"testing"
+
+	"github.com/tektoncd/chains/pkg/config"
+)
+
+func TestInValidVaultAddressTimeOut(t *testing.T) {
+	cfg := config.KMSSigner{}
+	cfg.Auth.Address = "http://test.com:8200"
+
+	_, err := NewSigner(context.TODO(), cfg)
+	expectedErrorMessage := "dial tcp 67.225.146.248:8200: i/o timeout"
+	if err.Error() != expectedErrorMessage {
+		t.Errorf("Expected error message '%s', but got '%s'", expectedErrorMessage, err.Error())
+	}
+}
+
+func TestInValidVaultAddressConnectionRefuse(t *testing.T) {
+	cfg := config.KMSSigner{}
+	cfg.Auth.Address = "http://127.0.0.1:8200"
+
+	_, err := NewSigner(context.TODO(), cfg)
+	expectedErrorMessage := "dial tcp 127.0.0.1:8200: connect: connection refused"
+	if err.Error() != expectedErrorMessage {
+		t.Errorf("Expected error message '%s', but got '%s'", expectedErrorMessage, err.Error())
+	}
+}