Followup: Adding Hashicorp Vault KMS

[ldue]

Required improvements for PR 507.

[ldue]

I‘ll try to add some more tests, but please feel free to inspire me for that 🙂

[codecov-io]

Codecov Report

Merging #623 into develop will decrease coverage by 0.81%.
The diff coverage is 19.85%.

@@             Coverage Diff             @@
##           develop     #623      +/-   ##
===========================================
- Coverage    37.15%   36.34%   -0.82%     
===========================================
  Files           21       22       +1     
  Lines         2893     3189     +296     
===========================================
+ Hits          1075     1159      +84     
- Misses        1724     1914     +190     
- Partials        94      116      +22

Impacted Files	Coverage Δ
stores/stores.go	0% <0%> (ø)	⬆️
keyservice/server.go	5.26% <0%> (-1.03%)	⬇️
keyservice/keyservice.go	0% <0%> (ø)	⬆️
keyservice/keyservice.pb.go	4.12% <1.61%> (-0.17%)	⬇️
hcvault/keysource.go	48.12% <48.12%> (ø)
config/config.go	71.63% <62.5%> (-0.02%)	⬇️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update f7e880b...adf1b23. Read the comment docs.

[ldue]

I noticed during testing that the Readme maybe should contain some more notes what to do for the functional testing (e.g. enable the vault kv store). @gitirabassi has done this nicely for this PR, but maybe we should do this reworks in a separate PR and maybe also decide with that one, if the dependency for vault while unit testing should be kept.

[ajvb]

@ldue I completely agree on the lack of docs for functional tests. If you're willing to create an issue with any notes on what specifically was hard to find I'd be happy to work on it.

[autrilla]

Looks great, thanks a lot!

[ldue]

@ajvb yeah sure, I think I will get to this in the next week.
@autrilla thanks for the review! So then it's ready to merge?

[autrilla]

Ideally I’d want @ajvb to give it a look as well before merging. I’d also really appreciate the notes on what kind of tests and docs you find lacking!

[mmorev]

@ldue why do you use URI string for single key configuration in .sops.yaml?

I think it would be more clear and definite to use separate parameters in sops.yml, just like these you offer in key_groups.hc_vault.

However, single-string URI is still very convenient for command line options like --add-hc-vault.

Also I would suggest rename hc-vault to vault-transit, because it is common name for this key management service type.

Overall, great job! I was really looking forward for this feature.

[mmorev]

this way we can use both methods

Suggested change

	Vault string `yaml:"hc_vault_uris"`
	VaultUri string `yaml:"hc_vault_uris"`
	Vault []vaultKey `yaml:"hc_vault"`

[autrilla]

As mentioned elsewhere, I think we should keep the URI, but actually, please include Hashicorp and Transit in the name somehow. HcVaultTransit, for example. I'm open to alternatives, but let's keep it consistent everywhere.

[ldue]

I've adapted you suggestions thanks! I also changed the plural hc_vault_uris to singular hc_vault_uri

[autrilla]

I think it would be more clear and definite to use separate parameters in sops.yml, just like these you offer in key_groups.hc_vault.

However, single-string URI is still very convenient for command line options like --add-hc-vault.

I kind of disagree here, I think consistency is best and this is pretty similar to what we do for AWS: we take an ARN. We do the same for GCP, and probably Azure (but I haven't checked). The URI is a "standard" way to refer to things in Vault, no?

Also I would suggest rename hc-vault to vault-transit, because it is common name for this key management service type.

I completely agree with this. Probably even hc-vault-transit. Maybe we'll need different backends that are also provided by Hashicorp Vault in the future, and the concern about a different product also named Vault (by another company) still applies.

Thanks for giving this a look too @mmorev!

[mmorev]

I kind of disagree .here, I think consistency is best and this is pretty similar to what we do for AWS: we take an ARN.

ARN is much more definite because it uses colons as field separator, so if any required field is missing or incorrect, we can easily find out, which exactly. Even we can safely skip unnecessary field.
URIs are much more ambiguous. Vault can be behind reverse proxy and/or WAF, or path to secret store can contain slashes (can not as of now, but other stores can) - voila, URI is not consistent.
Also mentioned /v1/store_path/keys/key_name is not exact URI path used when calling Vault API. It can be v1/store_path/encrypt/key_name for encrypting data, for example.

So I had suggested to implement both methods - URI and separate fields.

Also @ldue please rename backend_path to secret_path or something else in code and parameters, because backend in Vault terms is actually the storage for all configured vault secrets,.

Probably even hc-vault-transit.

hc- prefix wasn't used when Vault publish was implemented, why should here?

[ldue]

Thanks for your great feedback! Sorry it took me so long to get back to it.

@autrilla i also aggree with @mmorev it makes sense to implement both ways, uri based and "object" based config. I do not see to much disadvantage.

@mmorev I renamed BackendPath to EnginePath as I find secrets somehow ambiguous and as the vault term is "secrets engine" i think it fits.

I think the hc- prefix came exactly from some confusion around AzureKeyVault, the general concept of a vault for keys and (hashicorp) Vault, when implementing the publish feature.
I think it should be refactored for the publish feature, but not with this PR.
You can check the original PR 507 for that.

[autrilla]

ARN is much more definite because it uses colons as field separator, so if any required field is missing or incorrect, we can easily find out, which exactly. Even we can safely skip unnecessary field.
URIs are much more ambiguous. Vault can be behind reverse proxy and/or WAF, or path to secret store can contain slashes (can not as of now, but other stores can) - voila, URI is not consistent.
Also mentioned /v1/store_path/keys/key_name is not exact URI path used when calling Vault API. It can be v1/store_path/encrypt/key_name for encrypting data, for example.

It is in no way different than an ARN. It's a URI, but not any URI. It must match a very specific format. Just like an ARN.

The issue with reverse proxies is irrelevant here. The URI is just a way to specify the resource. It does not imply we're going to make HTTP requests to that URI directly. In fact, we're parsing it and passing it off to the Vault library.

An argument against this that I would accept is that this "URI" is not really an exclusive identifier Vault uses for the resource. It's just the way to access it through the HTTP API, but there might be other ways to access it in the future. So maybe it does make sense to take explicitly structured data instead of this URI.

So I had suggested to implement both methods - URI and separate fields.

This is absolutely what I do not want. I do not want two ways of doing the same thing. It makes the code more complicated and a pain to maintain. I don't care super strongly about what is done regarding URI vs more structured data in the config file, but let's do only one thing. The added value is tiny and the maintenance cost adds up very quickly.

hc- prefix wasn't used when Vault publish was implemented, why should here?

I think it's the right thing to do regardless of what we've done in the past. Clearly we've made some mistakes with naming. AWS KMS being named just "kms" is probably the biggest one.

[ldue]

An argument against this that I would accept is that this "URI" is not really an exclusive identifier Vault uses for the resource. It's just the way to access it through the HTTP API, but there might be other ways to access it in the future. So maybe it does make sense to take explicitly structured data instead of this URI.

I think in that case URI would be more consistent to the other providers.

The added value is tiny and the maintenance cost adds up very quickly.

I get that, I do not have any experience with maintaining code for that kind of config.

So I'll remove the structured config and leave VaultURI in and then we can bring this to an end? 😄

[vnzongzna]

Suggested change

	Name: "hc-vault--transit",
	Name: "hc-vault-transit",

[autrilla]

I think in that case URI would be more consistent to the other providers.
I get that, I do not have any experience with maintaining code for that kind of config.
So I'll remove the structured config and leave VaultURI in and then we can bring this to an end? 😄

Sounds good to me!

[mmorev]

@autrilla IMO what really makes code more complicated and harder to read/maintain is a function with two unobvious regular expressions which is needed to parse an URI in unobvious way and then, anyway, store result as three different values in sops metadata.
Maybe, my suggestion doesnt add value, but it does add logic and readability to source code and to users configuration files.

Anyway, it's just a suggestion, you are maintainer, you are decision maker.

[autrilla]

We wouldn't store the three values in SOPS metadata, we'd store just the URI.

Like I said, I'd be open to storing only the three values and not dealing with URIs at all. What I don't want is both things. Asking for three different values from the command line might be a bit annoying and clutter our flags, though.

[mmorev]

Oh, got it. @ldue What do you think about removing URI and regex parsing function and leaving just separate parameter set?

[vnzongzna]

Suggested change

	hcVaultKeys, err := hcvault.NewMasterKeysFromURIs(c.String("vault"))
	hcVaultKeys, err := hcvault.NewMasterKeysFromURIs(c.String("hc-vault-transit"))

[vnzongzna]

Suggested change

	if c.String("kms") == "" && c.String("pgp") == "" && c.String("gcp-kms") == "" && c.String("azure-kv") == "" && c.String("vault") == "" {
	if c.String("kms") == "" && c.String("pgp") == "" && c.String("gcp-kms") == "" && c.String("azure-kv") == "" && c.String("hc-vault-transit") == "" {

[binlab]

Great work, thanks a lot!

[jvehent]

@ajvb @autrilla can this be merged?

[autrilla]

There's still some review comments that should be addressed, mainly only allowing one of specifying the Vault URI or specifying each value (hostname, key, etc) individually.

[jvehent]

per @autrilla

There's still some review comments that should be addressed, mainly only allowing one of specifying the Vault URI or specifying each value (hostname, key, etc) individually.

need to address review comments

[vnzongzna]

Would it be acceptable to make a new PR since we need vault feature in SOPS and this PR has been inactive for more than 2 months now.
The new PR would be third iteration for the same feature but I'll be working on it continuously.
cc @ldue @jvehent @autrilla @mmorev

[autrilla]

Would it be acceptable to make a new PR since we need vault feature in SOPS and this PR has been inactive for more than 2 months now.
The new PR would be third iteration for the same feature but I'll be working on it continuously.
cc @ldue @jvehent @autrilla @mmorev

Yes, that is acceptable as long as you keep authorship of the original commits. I think this PR itself started that way as well...

[mykter]

This can be closed now that #655 has been merged