
feat: support _json_key when mutating docker credentials #91

Merged

csatib02 (Member):

Overview

  • Made the Auth field of type interface{}, because this way, when a _json_key is received under the auth key of a .dockerconfigjson, it can be handled.
  • I left the username/password splitting case as it was, and added a check for _json_key and another check for the case where a vault path is received up front at the auth key.

Fixes: bank-vaults/vault-secrets-webhook#81

Notes for reviewers

  • I tested the new functionality with these 3 dockerconfigjson secrets. The passing e2e tests prove that the already implemented username/password authentication option is still working.
# test.yaml
# For this to work, run: vault kv put secret/test/mysql MYSQL_PASSWORD=3xtr3ms3cr3t
# Decoded structure of data:
# {
#   "auths": {
#     "https://myrepov": {
#       "auth": "vault:secret/data/test/mysql#MYSQL_PASSWORD"
#     }
#   }
# }

apiVersion: v1
kind: Secret
type: kubernetes.io/dockerconfigjson
metadata:
  name: broken-thing
  annotations:
    vault.security.banzaicloud.io/vault-skip-verify: "true"
data:
  .dockerconfigjson: eyJhdXRocyI6eyJodHRwczovL215cmVwb3YiOnsiYXV0aCI6ImRtRjFiSFE2YzJWamNtVjBMMlJoZEdFdmRHVnpkQzl0ZVhOeGJDTk5XVk5SVEY5UVFWTlRWMDlTUkE9PSJ9fX0=

After mutation:

(screenshot of the mutated secret)
# test2.yaml
# Decoded structure of data:
# {
#   "auths": {
#     "https://myrepov": {
#       "auth": {
#         "type": "service_account",
#         "project_id": "fake-project"
#       }
#     }
#   }
# }

apiVersion: v1
kind: Secret
type: kubernetes.io/dockerconfigjson
metadata:
  name: docker-secret
  annotations:
    vault.security.banzaicloud.io/vault-skip-verify: "true"
data:
  .dockerconfigjson: eyJhdXRocyI6eyJodHRwczovL215cmVwb3YiOnsiYXV0aCI6eyJ0eXBlIjoic2VydmljZV9hY2NvdW50IiwicHJvamVjdF9pZCI6ImZha2UtcHJvamVjdCJ9fX19

After mutation:

(screenshot of the mutated secret)
# test3.yaml
# For this to work, run: vault kv put secret/test/aws AWS_SECRET_ACCESS_KEY=s3cr3t
# Decoded structure:
# {
#   "auths": {
#     "https://myrepov": {
#       "auth": "vault:secret/data/test/aws#AWS_SECRET_ACCESS_KEY"
#     }
#   }
# }

apiVersion: v1
kind: Secret
type: kubernetes.io/dockerconfigjson
metadata:
  name: aws-key-secret
  annotations:
    vault.security.banzaicloud.io/vault-skip-verify: "true"
data:
  .dockerconfigjson: eyJhdXRocyI6eyJodHRwczovL215cmVwb3YiOnsiYXV0aCI6ImRtRjFiSFE2YzJWamNtVjBMMlJoZEdFdmRHVnpkQzloZDNNalFWZFRYMU5GUTFKRlZGOUJRME5GVTFOZlMwVloifX19

After mutation:

(screenshot of the mutated secret)

e2e-secret after mutation:

(screenshot of the mutated e2e secret)
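To illustrate the three shapes the auth field can take after this change (a base64 "user:pass" string, a base64-wrapped vault: reference as in test.yaml, or a _json_key object as in test2.yaml), here is an added, stand-alone Go example that classifies each registry entry without touching Vault. It is not the webhook's own code: the struct, the ClassifyAuth function and the sample config are this example's own constructions, and accepting the vault: reference either raw or base64-wrapped is the example's choice.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"strings"
)

// Constructed sample: one registry with a base64-wrapped "vault:" reference
// (the same value test.yaml carries) and one with a _json_key object.
const sampleDockerConfig = `{"auths":{
  "https://myrepov":{"auth":"dmF1bHQ6c2VjcmV0L2RhdGEvdGVzdC9teXNxbCNNWVNRTF9QQVNTV09SRA=="},
  "https://gcr.example":{"auth":{"type":"service_account","project_id":"fake-project"}}}}`

// ClassifyAuth reports, per registry, how the auth value must be handled:
// "vault", "userpass", "json_key" or "unknown". Vault is never contacted.
func ClassifyAuth(dockerconfigjson []byte) (map[string]string, error) {
	// Auth is interface{} on purpose: the same field must accept either a
	// base64 string or a _json_key object. Names here are the example's own.
	var cfg struct {
		Auths map[string]struct {
			Auth interface{} `json:"auth"`
		} `json:"auths"`
	}
	if err := json.Unmarshal(dockerconfigjson, &cfg); err != nil {
		return nil, err
	}
	kinds := make(map[string]string, len(cfg.Auths))
	for registry, entry := range cfg.Auths {
		switch v := entry.Auth.(type) {
		case string:
			decoded, err := base64.StdEncoding.DecodeString(v)
			switch {
			case strings.HasPrefix(v, "vault:") || strings.HasPrefix(string(decoded), "vault:"):
				kinds[registry] = "vault" // whole value is a Vault path to resolve
			case err != nil:
				kinds[registry] = "unknown"
			case strings.Contains(string(decoded), ":"):
				kinds[registry] = "userpass" // split on ':'; password may itself be vault:...
			default:
				kinds[registry] = "unknown"
			}
		case map[string]interface{}:
			kinds[registry] = "json_key" // _json_key: keep the object intact
		default:
			kinds[registry] = "unknown"
		}
	}
	return kinds, nil
}
```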

@csatib02 csatib02 merged commit 4850584 into main Jun 25, 2024
26 checks passed
@csatib02 csatib02 deleted the feat/support-_json_key-when-mutating-docker-credentials branch June 25, 2024 06:54