Decode base64 K8s secrets #508

Merged
merged 2 commits into from
Mar 21, 2023

@gl-johnson (Contributor) commented Mar 20, 2023

Desired Outcome

Add decoding of base64 secrets based on content-type annotation in the secrets manifest

Implemented Changes

  • Adds helper func createSecretData which decodes secret values based on content-type
  • Adds unit/integration tests
  • Updates dev environment for K8s secrets mode with decoded secret

Manually tested with init container config:

kubectl exec $test_pod --namespace local-secrets-provider -- printenv VARIABLE_WITH_ENCODED_SECRET

Output:

secret-value

Manually tested with sidecar (rotation) config:

kubectl exec $test_pod --namespace local-secrets-provider -- printenv VARIABLE_WITH_ENCODED_SECRET && \
echo "Updating Conjur secret value" && \
kubectl exec $cli_pod --namespace local-conjur -- conjur variable set -i secrets/encoded -v "aGVsbG8gd29ybGQ=" && \
echo "Sleeping for 45s while secrets refresh…" && sleep 45 && \
kubectl exec $test_pod --namespace local-secrets-provider -- printenv VARIABLE_WITH_ENCODED_SECRET

Output:

secret-value
Updating Conjur secret value
Value added
Sleeping for 45s while secrets refresh…
hello world

Definition of Done

At least 1 todo must be completed in the sections below for the PR to be
merged.

Changelog

  • The CHANGELOG has been updated, or
  • This PR does not include user-facing changes and doesn't require a
    CHANGELOG update

Test coverage

  • This PR includes new unit and integration tests to go with the code
    changes, or
  • The changes in this PR do not require tests

Documentation

  • Docs (e.g. READMEs) were updated in this PR
  • A follow-up issue to update official docs has been filed here: [insert issue ID]
  • This PR does not require updating any documentation

Behavior

  • This PR changes product behavior and has been reviewed by a PO, or
  • These changes are part of a larger initiative that will be reviewed later, or
  • No behavior was changed with this PR

Security

  • Security architect has reviewed the changes in this PR,
  • These changes are part of a larger initiative with a separate security review, or
  • There are no security aspects to these changes
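
An added Go example, not the project's createSecretData and not code from this PR, of the content-type-driven decoding the description above refers to. The SecretSpec type, the DecodeSecrets function and the fall-back-to-raw-value behaviour on a failed decode are assumptions of this example; the sample input is constructed around the variable ID and value used in the manual test.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"sort"
)

// SecretSpec is a hypothetical manifest entry: Conjur variable ID plus optional content-type.
type SecretSpec struct {
	ID          string
	ContentType string // "base64" = decode before use; anything else = pass through
}

// DecodeSecrets maps each destination key to the value that should be written.
// Warnings name the key only, never the value, so secret material stays out of logs.
func DecodeSecrets(specs map[string]SecretSpec, fetched map[string][]byte) (map[string][]byte, []string) {
	out := make(map[string][]byte, len(specs))
	var warnings []string
	for key, spec := range specs {
		raw, ok := fetched[spec.ID]
		if !ok {
			warnings = append(warnings, fmt.Sprintf("%s: variable not fetched", key))
			continue
		}
		out[key] = raw
		if spec.ContentType != "base64" {
			continue
		}
		decoded := make([]byte, base64.StdEncoding.DecodedLen(len(raw)))
		n, err := base64.StdEncoding.Decode(decoded, raw)
		if err != nil {
			// Assumption: keep the raw value instead of dropping the secret entirely.
			warnings = append(warnings, fmt.Sprintf("%s: content-type is base64 but value did not decode; using raw value", key))
			continue
		}
		out[key] = decoded[:n]
	}
	sort.Strings(warnings) // map iteration order is random; keep the report stable
	return out, warnings
}

func main() {
	// Constructed sample input; ID and encoded value mirror the PR's manual test.
	specs := map[string]SecretSpec{"VARIABLE_WITH_ENCODED_SECRET": {ID: "secrets/encoded", ContentType: "base64"}}
	fetched := map[string][]byte{"secrets/encoded": []byte("aGVsbG8gd29ybGQ=")}
	out, warnings := DecodeSecrets(specs, fetched)
	fmt.Printf("%s %v\n", out["VARIABLE_WITH_ENCODED_SECRET"], warnings)
}
```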

@gl-johnson force-pushed the decode-base64-k8s-secrets branch 2 times, most recently from 6d604a8 to fa8d908, March 20, 2023 20:28
@gl-johnson force-pushed the decode-base64-k8s-secrets branch from fa8d908 to 4274d14, March 21, 2023 16:27
@gl-johnson marked this pull request as ready for review, March 21, 2023 16:28
@gl-johnson requested a review from a team as a code owner, March 21, 2023 16:28

codeclimate bot commented Mar 21, 2023

Code Climate has analyzed commit 4274d14 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 89.2% (0.1% change).

@szh (Contributor) left a comment

LGTM!

@gl-johnson merged commit ed42696 into main, Mar 21, 2023
@gl-johnson deleted the decode-base64-k8s-secrets branch, March 21, 2023 18:55