Hot Reload of Credentials (Still Work in Progress)

Fixes #1139

Author: guettli

.gitignore

@@ -8,3 +8,4 @@ hcloud-cloud-controller-manager
 *.tgz
 hack/.*
 coverage/
+.vscode

hcloud/cloud.go

@@ -19,7 +19,6 @@ package hcloud
 import (
 	"context"
 	"fmt"
-	"net/http"
 	"os"
 	"strings"
 	"time"
@@ -71,13 +70,8 @@ func NewCloud(cidr string) (cloudprovider.Interface, error) {
 	}
 
 	opts := []hcloud.ClientOption{
-		hcloud.WithToken(cfg.HCloudClient.Token),
 		hcloud.WithApplication("hcloud-cloud-controller", providerVersion),
-		hcloud.WithHTTPClient(
-			&http.Client{
-				Timeout: apiClientTimeout,
-			},
-		),
+		hcloud.WithHTTPClient(newHCloudHTTPClient(apiClientTimeout)),
 	}
 
 	// start metrics server if enabled (enabled by default)
@@ -100,9 +94,7 @@ func NewCloud(cidr string) (cloudprovider.Interface, error) {
 		c := hrobot.NewBasicAuthClientWithCustomHttpClient(
 			cfg.Robot.User,
 			cfg.Robot.Password,
-			&http.Client{
-				Timeout: apiClientTimeout,
-			},
+			newRobotHTTPClient(apiClientTimeout),
 		)
 
 		robotClient = robot.NewRateLimitedClient(

hcloud/runtime_credentials.go

@@ -0,0 +1,87 @@
+package hcloud
+
+import (
+	"fmt"
+	"net/http"
+	"time"
+
+	"golang.org/x/net/http/httpguts"
+
+	"github.com/hetznercloud/hcloud-cloud-controller-manager/internal/config"
+)
+
+const invalidAuthorizationTokenError = "authorization token contains invalid characters"
+
+type roundTripperFunc func(*http.Request) (*http.Response, error)
+
+func (f roundTripperFunc) RoundTrip(req *http.Request) (*http.Response, error) {
+	return f(req)
+}
+
+func newHCloudHTTPClient(timeout time.Duration) *http.Client {
+	return &http.Client{
+		Timeout:   timeout,
+		Transport: newHCloudCredentialReloader(nil),
+	}
+}
+
+func newRobotHTTPClient(timeout time.Duration) *http.Client {
+	return &http.Client{
+		Timeout:   timeout,
+		Transport: newRobotCredentialReloader(nil),
+	}
+}
+
+func newHCloudCredentialReloader(next http.RoundTripper) http.RoundTripper {
+	next = transportOrDefault(next)
+
+	return roundTripperFunc(func(req *http.Request) (*http.Response, error) {
+		token, err := config.LookupHCloudToken()
+		if err != nil {
+			return nil, err
+		}
+		if token != "" && !httpguts.ValidHeaderFieldValue(token) {
+			return nil, fmt.Errorf(invalidAuthorizationTokenError)
+		}
+
+		cloned := cloneRequest(req)
+		if token == "" {
+			cloned.Header.Del("Authorization")
+		} else {
+			cloned.Header.Set("Authorization", "Bearer "+token)
+		}
+		return next.RoundTrip(cloned)
+	})
+}
+
+func newRobotCredentialReloader(next http.RoundTripper) http.RoundTripper {
+	next = transportOrDefault(next)
+
+	return roundTripperFunc(func(req *http.Request) (*http.Response, error) {
+		user, password, err := config.LookupRobotCredentials()
+		if err != nil {
+			return nil, err
+		}
+
+		cloned := cloneRequest(req)
+		if user == "" && password == "" {
+			cloned.Header.Del("Authorization")
+		} else {
+			cloned.SetBasicAuth(user, password)
+		}
+		return next.RoundTrip(cloned)
+	})
+}
+
+func cloneRequest(req *http.Request) *http.Request {
+	cloned := req.Clone(req.Context())
+	cloned.Header = req.Header.Clone()
+	return cloned
+}
+
+func transportOrDefault(next http.RoundTripper) http.RoundTripper {
+	if next != nil {
+		return next
+	}
+	return http.DefaultTransport
+}

hcloud/runtime_credentials_test.go

@@ -0,0 +1,117 @@
+package hcloud
+
+import (
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	hrobot "github.com/syself/hrobot-go"
+
+	"github.com/hetznercloud/hcloud-cloud-controller-manager/internal/testsupport"
+	"github.com/hetznercloud/hcloud-go/v2/hcloud"
+	"github.com/hetznercloud/hcloud-go/v2/hcloud/schema"
+)
+
+func TestHCloudClientReloadsTokenFromFile(t *testing.T) {
+	defer unsetEnv(t, "HCLOUD_TOKEN")()
+
+	var authorizations []string
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		authorizations = append(authorizations, r.Header.Get("Authorization"))
+		assert.NoError(t, json.NewEncoder(w).Encode(schema.LocationListResponse{Locations: []schema.Location{}}))
+	}))
+	defer server.Close()
+
+	tokenFile := filepath.Join(t.TempDir(), "hcloud-token")
+	assert.NoError(t, os.WriteFile(tokenFile, []byte("token-1"), 0o600))
+
+	resetEnv := testsupport.Setenv(t, "HCLOUD_TOKEN_FILE", tokenFile)
+	defer resetEnv()
+
+	client := hcloud.NewClient(
+		hcloud.WithEndpoint(server.URL),
+		hcloud.WithHTTPClient(newHCloudHTTPClient(0)),
+		hcloud.WithPollOpts(hcloud.PollOpts{BackoffFunc: hcloud.ConstantBackoff(0)}),
+		hcloud.WithRetryOpts(hcloud.RetryOpts{BackoffFunc: hcloud.ConstantBackoff(0)}),
+	)
+
+	_, _, err := client.Location.List(t.Context(), hcloud.LocationListOpts{})
+	assert.NoError(t, err)
+
+	assert.NoError(t, os.WriteFile(tokenFile, []byte("token-2"), 0o600))
+
+	_, _, err = client.Location.List(t.Context(), hcloud.LocationListOpts{})
+	assert.NoError(t, err)
+
+	assert.Equal(t, []string{"Bearer token-1", "Bearer token-2"}, authorizations)
+}
+
+func TestRobotClientReloadsCredentialsFromFile(t *testing.T) {
+	defer unsetEnv(t, "ROBOT_USER")()
+	defer unsetEnv(t, "ROBOT_PASSWORD")()
+
+	var users []string
+	var passwords []string
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		user, password, ok := r.BasicAuth()
+		assert.True(t, ok)
+		users = append(users, user)
+		passwords = append(passwords, password)
+		assert.NoError(t, json.NewEncoder(w).Encode([]map[string]any{
+			{
+				"server": map[string]any{
+					"server_number": 1,
+					"server_name":   "node-1",
+					"server_ip":     "192.0.2.1",
+				},
+			},
+		}))
+	}))
+	defer server.Close()
+
+	dir := t.TempDir()
+	userFile := filepath.Join(dir, "robot-user")
+	passwordFile := filepath.Join(dir, "robot-password")
+	assert.NoError(t, os.WriteFile(userFile, []byte("robot-user-1"), 0o600))
+	assert.NoError(t, os.WriteFile(passwordFile, []byte("robot-password-1"), 0o600))
+
+	resetEnv := testsupport.Setenv(t,
+		"ROBOT_USER_FILE", userFile,
+		"ROBOT_PASSWORD_FILE", passwordFile,
+	)
+	defer resetEnv()
+
+	client := hrobot.NewBasicAuthClientWithCustomHttpClient("stale-user", "stale-password", newRobotHTTPClient(0))
+	client.SetBaseURL(server.URL)
+
+	_, err := client.ServerGetList()
+	assert.NoError(t, err)
+
+	assert.NoError(t, os.WriteFile(userFile, []byte("robot-user-2"), 0o600))
+	assert.NoError(t, os.WriteFile(passwordFile, []byte("robot-password-2"), 0o600))
+
+	_, err = client.ServerGetList()
+	assert.NoError(t, err)
+
+	assert.Equal(t, []string{"robot-user-1", "robot-user-2"}, users)
+	assert.Equal(t, []string{"robot-password-1", "robot-password-2"}, passwords)
+}
+
+func unsetEnv(t *testing.T, key string) func() {
+	t.Helper()
+
+	value, ok := os.LookupEnv(key)
+	assert.NoError(t, os.Unsetenv(key))
+
+	return func() {
+		if !ok {
+			assert.NoError(t, os.Unsetenv(key))
+			return
+		}
+		assert.NoError(t, os.Setenv(key, value))
+	}
+}

internal/config/runtime_credentials.go

@@ -0,0 +1,27 @@
+package config
+
+import (
+	"errors"
+	"fmt"
+
+	"github.com/hetznercloud/hcloud-go/v2/hcloud/exp/kit/envutil"
+)
+
+// LookupHCloudToken reads the current HCLOUD_TOKEN / HCLOUD_TOKEN_FILE value.
+func LookupHCloudToken() (string, error) {
+	return envutil.LookupEnvWithFile(hcloudToken)
+}
+
+// LookupRobotCredentials reads the current ROBOT_USER / ROBOT_USER_FILE and
+// ROBOT_PASSWORD / ROBOT_PASSWORD_FILE values.
+func LookupRobotCredentials() (string, string, error) {
+	user, userErr := envutil.LookupEnvWithFile(robotUser)
+	password, passwordErr := envutil.LookupEnvWithFile(robotPassword)
+	if userErr != nil || passwordErr != nil {
+		return "", "", errors.Join(userErr, passwordErr)
+	}
+	if (user == "") != (password == "") {
+		return "", "", fmt.Errorf("both %q and %q must be provided, or neither", robotUser, robotPassword)
+	}
+	return user, password, nil
+}