Merge pull request #110 from Conjur-Enterprise/CNJR-12572

CNJR-12572: V2 Batch Retrieval in Secrets Provider

Author: gl-johnson

CHANGELOG.md

@@ -17,6 +17,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 - Support for onboarding labeled Kubernetes secrets. (CNJR-12567)
 - Remove stale secrets for labeled Kubernetes secrets. (CNJR-12714)
 - Remove all Conjur managed secrets if conjur-map is missing or empty. (CNJR-12857)
+- V2 batch retrieval as the default method to fetch secrets with automatic fallback to V1 for backwards compatibility. (CNJR-12572)
 
 ### Fixed
 - Fix deadlock when using sidecar without refresh. (CNJR-12825)

go.mod

@@ -70,7 +70,7 @@ require (
 
 require (
 	github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect
-	github.com/cyberark/conjur-api-go v0.13.13 // version will be ignored by auto release process
+	github.com/cyberark/conjur-api-go v0.13.16 // version will be ignored by auto release process
 	github.com/cyberark/conjur-authn-k8s-client v0.26.10 // version will be ignored by auto release process
 	github.com/cyberark/conjur-opentelemetry-tracer v1.55.55 // version will be ignored by auto release process
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect

pkg/log/messages/debug_messages.go

@@ -15,3 +15,4 @@ const CSPFK013D string = "CSPFK013D Kubernetes Secret '%s' has no '%s' annotatio
 const CSPFK014D string = "CSPFK014D Found %d secret group templates for Kubernetes secret %s"
 const CSPFK015D string = "CSPFK015D No secrets to update"
 const CSPFK016D string = "CSPFK016D No change in Kubernetes secret '%s'"
+const CSPFK017D string = "CSPFK017D Using V1 batch retrieval"

pkg/log/messages/error_messages.go

@@ -93,6 +93,9 @@ const CSPFK065E string = "CSPFK065E Secret group %s: the content-type of %s is i
 
 // Fetch All
 const CSPFK066E string = "CSPFK066E Stopped fetching additional secrets after %d secrets were fetched"
+const CSPFK090E string = "CSPFK090E V2 batch retrieval not available, falling back to V1: %s"
+const CSPFK091E string = "CSPFK091E Some secrets failed to retrieve in V2 batch request: %s"
+const CSPFK092E string = "CSPFK092E No secrets were successfully retrieved"
 const CSPFK068E string = "CSPFK068E Retrieved secrets did not include secret '%s' requested by secret group '%s'"
 
 // URL Parsing

pkg/log/messages/info_messages.go

@@ -42,3 +42,4 @@ const CSPFK032I string = "CSPFK032I Detected removed keys from conjur-map in sec
 const CSPFK033I string = "CSPFK033I Removing key '%s' from Kubernetes secret '%s' as it was removed from conjur-map"
 const CSPFK034I string = "CSPFK034I Allow secret '%s' without conjur-map, continue..."
 const CSPFK035I string = "CSPFK035I Exceeded max debounce delay, providing secrets (eventCount: %d)"
+const CSPFK036I string = "CSPFK036I V2 batch retrieval succeeded: retrieved %d secrets"

pkg/secrets/clients/conjur/conjur_client.go

@@ -32,5 +32,11 @@ func NewConjurClient(tokenData []byte) (ConjurClient, error) {
 		return nil, log.RecordedError(messages.CSPFK032E, err.Error())
 	}
 
-	return client, nil
+	// Wrap the client to provide API V2 with V1 fallback
+	wrapper := &conjurClientWrapper{
+		client: client,
+		useV2:  true,
+	}
+
+	return wrapper, nil
 }

pkg/secrets/clients/conjur/conjur_client_wrapper.go

@@ -0,0 +1,137 @@
+package conjur
+
+import (
+	"fmt"
+	"net/http"
+	"strings"
+
+	"github.com/cyberark/conjur-api-go/conjurapi"
+	"github.com/cyberark/conjur-authn-k8s-client/pkg/log"
+
+	"github.com/cyberark/secrets-provider-for-k8s/pkg/log/messages"
+)
+
+// conjurClientWrapper wraps the conjur-api-go Client to provide
+// V2 batch retrieval with fallback to V1 for backwards compatibility
+type conjurClientWrapper struct {
+	client *conjurapi.Client
+	useV2  bool
+}
+
+// RetrieveBatchSecretsSafe attempts to use V2 batch retrieval API first,
+// falling back to V1 if V2 is not available
+func (w *conjurClientWrapper) RetrieveBatchSecretsSafe(variableIDs []string) (map[string][]byte, error) {
+	if w.useV2 {
+		secrets, err := w.retrieveBatchSecretsV2(variableIDs)
+		if err != nil {
+			if isV2NotAvailableError(err) {
+				log.Warn(messages.CSPFK090E, err.Error())
+				w.useV2 = false
+			} else {
+				return nil, err
+			}
+		} else {
+			return secrets, nil
+		}
+	}
+
+	log.Debug(messages.CSPFK017D, "Using V1 batch retrieval")
+	return w.client.RetrieveBatchSecretsSafe(variableIDs)
+}
+
+// retrieveBatchSecretsV2 uses the V2 batch retrieval API
+func (w *conjurClientWrapper) retrieveBatchSecretsV2(variableIDs []string) (map[string][]byte, error) {
+	v2Client := w.client.V2()
+	if v2Client == nil {
+		return nil, fmt.Errorf("V2 client not available")
+	}
+
+	// V2 API expects variable paths without the account:variable: prefix
+	// Normalize IDs: "account:variable:path/to/secret" -> "path/to/secret"
+	normalizedIDs := make([]string, len(variableIDs))
+	originalIDMap := make(map[string]string) // maps normalized ID -> original ID
+
+	for i, id := range variableIDs {
+		normalizedID := normalizeVariableIdForV2(id)
+		normalizedIDs[i] = normalizedID
+		originalIDMap[normalizedID] = id
+	}
+
+	batchResp, err := v2Client.BatchRetrieveSecrets(normalizedIDs)
+	if err != nil {
+		return nil, err
+	}
+
+	secrets := make(map[string][]byte)
+	var failedSecrets []string
+
+	for _, secret := range batchResp.Secrets {
+		if secret.Status == http.StatusOK {
+			// Success - map back to original ID format
+			originalID := originalIDMap[secret.ID]
+			if originalID == "" {
+				originalID = secret.ID
+			}
+			secrets[originalID] = []byte(secret.Value)
+		} else {
+			// Failed - track for error reporting (use original ID if available)
+			originalID := originalIDMap[secret.ID]
+			if originalID == "" {
+				originalID = secret.ID
+			}
+			failedSecrets = append(failedSecrets, fmt.Sprintf("%s (status: %d)", originalID, secret.Status))
+		}
+	}
+
+	if len(failedSecrets) > 0 {
+		log.Warn(messages.CSPFK091E, strings.Join(failedSecrets, ", "))
+	}
+
+	if len(secrets) == 0 {
+		return nil, fmt.Errorf(messages.CSPFK092E)
+	}
+
+	log.Info(messages.CSPFK036I, len(secrets))
+	return secrets, nil
+}
+
+func (w *conjurClientWrapper) Resources(filter *conjurapi.ResourceFilter) ([]map[string]interface{}, error) {
+	return w.client.Resources(filter)
+}
+
+func (w *conjurClientWrapper) Cleanup() {
+	w.client.Cleanup()
+}
+
+// isV2NotAvailableError checks if the error indicates V2 API is not available
+func isV2NotAvailableError(err error) bool {
+	if err == nil {
+		return false
+	}
+
+	errMsg := err.Error()
+	indicators := []string{
+		"not supported in",
+		"404",
+	}
+
+	for _, indicator := range indicators {
+		if strings.Contains(errMsg, indicator) {
+			return true
+		}
+	}
+	return false
+}
+
+// normalizeVariableIdForV2 converts a variable ID to the format expected by V2 API
+// The V2 API expects just the variable path (e.g., "secrets/test_secret")
+// not the full identifier format (e.g., "my-account:variable:secrets/test_secret")
+func normalizeVariableIdForV2(fullVariableId string) string {
+	variableIdParts := strings.SplitN(fullVariableId, ":", 3)
+	if len(variableIdParts) == 3 {
+		// Format is "account:variable:path" -> return just "path"
+		return variableIdParts[2]
+	}
+	// Already in correct format or unknown format, return as-is
+	return fullVariableId
+}

pkg/secrets/clients/conjur/conjur_client_wrapper_test.go

@@ -0,0 +1,100 @@
+package conjur
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestIsV2NotAvailableError(t *testing.T) {
+	testCases := []struct {
+		name     string
+		err      error
+		expected bool
+	}{
+		{
+			name:     "nil error",
+			err:      nil,
+			expected: false,
+		},
+		{
+			name:     "version too old error",
+			err:      fmt.Errorf("not supported in Conjur versions older than 1.24.0"),
+			expected: true,
+		},
+		{
+			name:     "404 not found",
+			err:      fmt.Errorf("404 endpoint not found"),
+			expected: true,
+		},
+		{
+			name:     "error with 'not supported in' phrase",
+			err:      fmt.Errorf("Batch Retrieve Secrets API is not supported in this version"),
+			expected: true,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			result := isV2NotAvailableError(tc.err)
+			assert.Equal(t, tc.expected, result)
+		})
+	}
+}
+
+func TestNormalizeVariableIdForV2(t *testing.T) {
+	testCases := []struct {
+		name     string
+		input    string
+		expected string
+	}{
+		{
+			name:     "full identifier with account and variable prefix",
+			input:    "my-account:variable:secrets/password",
+			expected: "secrets/password",
+		},
+		{
+			name:     "full identifier with nested path",
+			input:    "my-account:variable:app/db/credentials/password",
+			expected: "app/db/credentials/password",
+		},
+		{
+			name:     "already normalized path",
+			input:    "secrets/test_secret",
+			expected: "secrets/test_secret",
+		},
+		{
+			name:     "simple variable name",
+			input:    "password",
+			expected: "password",
+		},
+		{
+			name:     "variable with spaces",
+			input:    "my-account:variable:secrets/var with spaces",
+			expected: "secrets/var with spaces",
+		},
+		{
+			name:     "variable with special characters",
+			input:    "my-account:variable:secrets/var+with+pluses",
+			expected: "secrets/var+with+pluses",
+		},
+		{
+			name:     "variable with colon in path",
+			input:    "my-account:variable:secrets/key:value",
+			expected: "secrets/key:value",
+		},
+		{
+			name:     "empty string",
+			input:    "",
+			expected: "",
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			result := normalizeVariableIdForV2(tc.input)
+			assert.Equal(t, tc.expected, result)
+		})
+	}
+}