Config file printed out to the standard output

[andsarr]

Hi,

I am testing Glauth in my home lab. I am deploying it in a k3s cluster. I would like to have the configuration file defined in secrets. To accomplish this, I am injecting the configuration from Vault. But the process is printing the whole config file to the standard output!!

I'm not 100% sure, but I think the culprit is:

glauth/v2/glauth.go

Line 350 in 7da3859

fmt.Println(destbuf.String())

Is this behavior something desired? Isn't it better to put it as a trace/debug log statement so it can be disabled?

[Fusion]

This is bizarre. No, this behavior is not desired. Note that the code you are pointing to will only be executed if you are using a very alpha feature, where instead of a single configuration file, you have a set of configuration files in a directory. Is this how you are mounting your secret?

[andsarr]

Hi there,

Sorry for the delay, I had to rebuild the whole cluster (hardware included) and it took a while. So, this is how I am deploying glauth:

# kutomization.yaml
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
helmCharts:
 - name: app-template
   repo: https://bjw-s.github.io/helm-charts/
   version: 1.1.3
   releaseName: &releaseName glauth
   namespace: &releaseNamespace authentication
   valuesFile: values.yaml
commonAnnotations:
 meta.helm.sh/release-name: *releaseName
 meta.helm.sh/release-namespace: *releaseNamespace
commonLabels:
 app.kubernetes.io/managed-by: Helm

# vaules.yaml
controller:
  replicas: 1
  strategy: RollingUpdate
image:
  repository: docker.io/glauth/glauth
  tag: v2.2.0-RC1
command: ["/app/glauth", "-c", "/vault/secrets/glauth"]
serviceAccount:
  create: true
service:
  main:
    ports:
      http:
        port: 5555
      ldap:
        enabled: true
        port: 389
serviceMonitor:
  main:
    enabled: false
podSecurityContext:
  runAsUser: 1000
  runAsGroup: 1000
  fsGroup: 1000
  fsGroupChangePolicy: "OnRootMismatch"
topologySpreadConstraints:
  - maxSkew: 1
    topologyKey: kubernetes.io/hostname
    whenUnsatisfiable: DoNotSchedule
    labelSelector:
      matchLabels:
        app.kubernetes.io/name: glauth
resources:
  requests:
    cpu: 5m
    memory: 10Mi
  limits:
    memory: 50Mi

On top of that, I am applying the Vault annotations:

#  vault-annotations.yaml
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: glauth
spec:
  template:
    metadata:
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/tls-skip-verify: "true"
        vault.hashicorp.com/role: "glauth"
        vault.hashicorp.com/agent-inject-secret-config: "secret/glauth"
        vault.hashicorp.com/agent-inject-template-config: |
          {{- with secret "secret/glauth" -}}
              {{ .Data.data.server | writeToFile "/vault/secrets/glauth/server.toml" "" "" "0644" }}
              {{ .Data.data.groups | writeToFile "/vault/secrets/glauth/groups.toml" "" "" "0644" }}
              {{ .Data.data.users  | writeToFile "/vault/secrets/glauth/users.toml"  "" "" "0644" }}
          {{- end -}}

Three files are created under the /vault/secrets/ directory:

• server.toml
• groups.toml
• users.toml

Once the pod is running, you can find these logs:

[Fusion]

I see. Yes, an interesting side effect of using what happens to be an alpha quality feature.
I think the proper resolution would be for me to either finalize this feature's implementation, or to kill it.
It look to me like your life would be easier if I did the former, rather than the latter.

[andsarr]

I could also generate just one file. But let me know if you need some hands to finish this feature!