Support content-type annotation for K8s secrets #506

Merged
merged 1 commit into from
Mar 20, 2023

Contributor

@gl-johnson gl-johnson commented Mar 14, 2023

Desired Outcome

Add support to K8s secrets mode for setting secret content-types via annotations in the secrets manifest. It should support the following:

  • text (default)
  • base64

The conjur-map annotation for secrets will now support the format:

conjur-map: |-
  <alias_value>: <var_id_value>               # already supported
  <alias_value>:                              # to be added
    id: <var_id_value>
    content-type: <content_type_value>  

Where id is required to have a non-empty value, and content-type is an optional key which defaults to text unless explicitly set to base64.

Implemented Changes

  • Parse new YAML annotations into existing updateDestination struct in K8sProvider
  • Add tests to check for the expected content-type of secrets via relevant log/error messages

Definition of Done

At least 1 todo must be completed in the sections below for the PR to be
merged.

Changelog

  • The CHANGELOG has been updated, or
  • This PR does not include user-facing changes and doesn't require a
    CHANGELOG update

Test coverage

  • This PR includes new unit and integration tests to go with the code
    changes, or
  • The changes in this PR do not require tests

Documentation

  • Docs (e.g. READMEs) were updated in this PR
  • A follow-up issue to update official docs has been filed here: [insert issue ID]
  • This PR does not require updating any documentation

Behavior

  • This PR changes product behavior and has been reviewed by a PO, or
  • These changes are part of a larger initiative that will be reviewed later, or
  • No behavior was changed with this PR

Security

  • Security architect has reviewed the changes in this PR,
  • These changes are part of a larger initiative with a separate security review, or
  • There are no security aspects to these changes
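
The two conjur-map entry forms described above, normalized in Go as an added example (not code from this PR or the project). It assumes the annotation has already been decoded by a YAML library into generic Go values; `secretSpec` and `parseEntry` are hypothetical names, and the sample variable IDs are constructed.

```go
package main

import "fmt"

// secretSpec is a hypothetical type for this example: one resolved conjur-map entry.
type secretSpec struct {
	ID          string
	ContentType string
}

// parseEntry normalizes one decoded conjur-map value: a plain string (the
// existing form) or a mapping with "id" and an optional "content-type".
func parseEntry(alias string, v interface{}) (secretSpec, error) {
	switch val := v.(type) {
	case string:
		if val == "" { // assumption: an empty scalar is rejected like an empty id
			return secretSpec{}, fmt.Errorf("%s: empty variable id", alias)
		}
		return secretSpec{ID: val, ContentType: "text"}, nil
	case map[string]interface{}:
		id, _ := val["id"].(string)
		if id == "" {
			return secretSpec{}, fmt.Errorf("%s: id is required and must be non-empty", alias)
		}
		spec := secretSpec{ID: id, ContentType: "text"}
		// Per the description: text unless explicitly set to base64.
		if ct, _ := val["content-type"].(string); ct == "base64" {
			spec.ContentType = "base64"
		}
		return spec, nil
	default:
		return secretSpec{}, fmt.Errorf("%s: value must be a string or a mapping", alias)
	}
}

func main() {
	// Constructed sample: the decoded form of a conjur-map with both entry styles.
	decoded := map[string]interface{}{
		"username": "app/db/username",
		"cert":     map[string]interface{}{"id": "app/tls/cert", "content-type": "base64"},
		"typo":     map[string]interface{}{"id": "app/tls/key", "content-type": "base-64"},
		"missing":  map[string]interface{}{"content-type": "base64"},
	}
	for _, alias := range []string{"username", "cert", "typo", "missing"} {
		spec, err := parseEntry(alias, decoded[alias])
		fmt.Println(alias, spec, err)
	}
}
```

Under the stated rule, the `typo` entry shows that a misspelled content-type such as `base-64` resolves to `text` without an error.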

@gl-johnson gl-johnson force-pushed the base64-annotations-k8s-secrets branch 2 times, most recently from 0efcba0 to b0ad7f9 Compare March 14, 2023 20:55
@gl-johnson gl-johnson marked this pull request as ready for review March 16, 2023 16:25
@gl-johnson gl-johnson requested a review from a team as a code owner March 16, 2023 16:25
},
requiredSecrets: []string{"k8s-secret1", "k8s-secret2"},
asserts: []assertFunc{
// TODO - uncomment when decoding is implemented
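Review bot: the `// TODO - uncomment when decoding is implemented` line at the end of this test case's `asserts` list carries no reference to a tracking issue, so whatever it defers can stay disabled unnoticed once decoding lands. Add the follow-up issue ID to the TODO so the deferred check can be found and re-enabled.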
Contributor

Is the actual decoding going to be in a separate PR?

Contributor Author

I planned on tackling it in a followup task, yes. The decoding implementation should be a minor code change but that PR will also include error handling, additional tests, dev environment/manifest updates, etc. so I thought it would be more manageable as a separate task.

This assertion was copied over from the POC since it'll be helpful for that PR.

Contributor

@szh szh left a comment

Needs a rebase, otherwise looks good

@gl-johnson gl-johnson force-pushed the base64-annotations-k8s-secrets branch from b0ad7f9 to 062433f Compare March 20, 2023 14:01
codeclimate bot commented Mar 20, 2023

Code Climate has analyzed commit 062433f and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 92.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 89.1% (0.0% change).

Contributor

@szh szh left a comment

LGTM!

@gl-johnson gl-johnson merged commit b44c3c8 into main Mar 20, 2023
@gl-johnson gl-johnson deleted the base64-annotations-k8s-secrets branch March 20, 2023 15:03