-
Notifications
You must be signed in to change notification settings - Fork 860
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Followup: Adding Hashicorp Vault KMS #623
Conversation
initial work on integration feat(vault): added cli coomands working for vualt" fix(vault): fixed config with correct tests fix(vault): added vault to keygroup and to keyservice server fixed metadata load
fix(doc): fix rst formatting" fix(doc): fix rst formatting
feat(cli): moved vault to hc-vault naming
I‘ll try to add some more tests, but please feel free to inspire me for that 🙂 |
Codecov Report
@@ Coverage Diff @@
## develop #623 +/- ##
===========================================
- Coverage 37.15% 36.34% -0.82%
===========================================
Files 21 22 +1
Lines 2893 3189 +296
===========================================
+ Hits 1075 1159 +84
- Misses 1724 1914 +190
- Partials 94 116 +22
Continue to review full report at Codecov.
|
I noticed during testing that the Readme maybe should contain some more notes what to do for the functional testing (e.g. enable the vault kv store). @gitirabassi has done this nicely for this PR, but maybe we should do this reworks in a separate PR and maybe also decide with that one, if the dependency for vault while unit testing should be kept. |
@ldue I completely agree on the lack of docs for functional tests. If you're willing to create an issue with any notes on what specifically was hard to find I'd be happy to work on it. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks great, thanks a lot!
Ideally I’d want @ajvb to give it a look as well before merging. I’d also really appreciate the notes on what kind of tests and docs you find lacking! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@ldue why do you use URI string for single key configuration in .sops.yaml?
I think it would be more clear and definite to use separate parameters in sops.yml, just like these you offer in key_groups.hc_vault
.
However, single-string URI is still very convenient for command line options like --add-hc-vault
.
Also I would suggest rename hc-vault
to vault-transit
, because it is common name for this key management service type.
Overall, great job! I was really looking forward for this feature.
config/config.go
Outdated
@@ -110,6 +118,7 @@ type creationRule struct { | |||
PGP string | |||
GCPKMS string `yaml:"gcp_kms"` | |||
AzureKeyVault string `yaml:"azure_keyvault"` | |||
Vault string `yaml:"hc_vault_uris"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this way we can use both methods
Vault string `yaml:"hc_vault_uris"` | |
VaultUri string `yaml:"hc_vault_uris"` | |
Vault []vaultKey `yaml:"hc_vault"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As mentioned elsewhere, I think we should keep the URI, but actually, please include Hashicorp and Transit in the name somehow. HcVaultTransit
, for example. I'm open to alternatives, but let's keep it consistent everywhere.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've adapted you suggestions thanks! I also changed the plural hc_vault_uris
to singular hc_vault_uri
I kind of disagree here, I think consistency is best and this is pretty similar to what we do for AWS: we take an ARN. We do the same for GCP, and probably Azure (but I haven't checked). The URI is a "standard" way to refer to things in Vault, no?
I completely agree with this. Probably even Thanks for giving this a look too @mmorev! |
ARN is much more definite because it uses colons as field separator, so if any required field is missing or incorrect, we can easily find out, which exactly. Even we can safely skip unnecessary field. So I had suggested to implement both methods - URI and separate fields. Also @ldue please rename backend_path to secret_path or something else in code and parameters, because backend in Vault terms is actually the storage for all configured vault secrets,.
|
d2b9309
to
201f661
Compare
Thanks for your great feedback! Sorry it took me so long to get back to it. @autrilla i also aggree with @mmorev it makes sense to implement both ways, uri based and "object" based config. I do not see to much disadvantage. @mmorev I renamed I think the |
It is in no way different than an ARN. It's a URI, but not any URI. It must match a very specific format. Just like an ARN. The issue with reverse proxies is irrelevant here. The URI is just a way to specify the resource. It does not imply we're going to make HTTP requests to that URI directly. In fact, we're parsing it and passing it off to the Vault library. An argument against this that I would accept is that this "URI" is not really an exclusive identifier Vault uses for the resource. It's just the way to access it through the HTTP API, but there might be other ways to access it in the future. So maybe it does make sense to take explicitly structured data instead of this URI.
This is absolutely what I do not want. I do not want two ways of doing the same thing. It makes the code more complicated and a pain to maintain. I don't care super strongly about what is done regarding URI vs more structured data in the config file, but let's do only one thing. The added value is tiny and the maintenance cost adds up very quickly.
I think it's the right thing to do regardless of what we've done in the past. Clearly we've made some mistakes with naming. AWS KMS being named just "kms" is probably the biggest one. |
I think in that case URI would be more consistent to the other providers.
I get that, I do not have any experience with maintaining code for that kind of config. So I'll remove the structured config and leave VaultURI in and then we can bring this to an end? 😄 |
@@ -501,6 +523,11 @@ func main() { | |||
Usage: "comma separated list of Azure Key Vault URLs", | |||
EnvVar: "SOPS_AZURE_KEYVAULT_URLS", | |||
}, | |||
cli.StringFlag{ | |||
Name: "hc-vault--transit", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Name: "hc-vault--transit", | |
Name: "hc-vault-transit", |
Sounds good to me! |
@autrilla IMO what really makes code more complicated and harder to read/maintain is a function with two unobvious regular expressions which is needed to parse an URI in unobvious way and then, anyway, store result as three different values in sops metadata. Anyway, it's just a suggestion, you are maintainer, you are decision maker. |
We wouldn't store the three values in SOPS metadata, we'd store just the URI. Like I said, I'd be open to storing only the three values and not dealing with URIs at all. What I don't want is both things. Asking for three different values from the command line might be a bit annoying and clutter our flags, though. |
Oh, got it. @ldue What do you think about removing URI and regex parsing function and leaving just separate parameter set? |
@@ -961,12 +1012,21 @@ func keyGroups(c *cli.Context, file string) ([]sops.KeyGroup, error) { | |||
azkvKeys = append(azkvKeys, k) | |||
} | |||
} | |||
if c.String("hc-vault-transit") != "" { | |||
hcVaultKeys, err := hcvault.NewMasterKeysFromURIs(c.String("vault")) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
hcVaultKeys, err := hcvault.NewMasterKeysFromURIs(c.String("vault")) | |
hcVaultKeys, err := hcvault.NewMasterKeysFromURIs(c.String("hc-vault-transit")) |
if c.String("pgp") != "" { | ||
for _, k := range pgp.MasterKeysFromFingerprintString(c.String("pgp")) { | ||
pgpKeys = append(pgpKeys, k) | ||
} | ||
} | ||
if c.String("kms") == "" && c.String("pgp") == "" && c.String("gcp-kms") == "" && c.String("azure-kv") == "" { | ||
if c.String("kms") == "" && c.String("pgp") == "" && c.String("gcp-kms") == "" && c.String("azure-kv") == "" && c.String("vault") == "" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
if c.String("kms") == "" && c.String("pgp") == "" && c.String("gcp-kms") == "" && c.String("azure-kv") == "" && c.String("vault") == "" { | |
if c.String("kms") == "" && c.String("pgp") == "" && c.String("gcp-kms") == "" && c.String("azure-kv") == "" && c.String("hc-vault-transit") == "" { |
Great work, thanks a lot! |
There's still some review comments that should be addressed, mainly only allowing one of specifying the Vault URI or specifying each value (hostname, key, etc) individually. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
per @autrilla
There's still some review comments that should be addressed, mainly only allowing one of specifying the Vault URI or specifying each value (hostname, key, etc) individually.
Yes, that is acceptable as long as you keep authorship of the original commits. I think this PR itself started that way as well... |
This can be closed now that #655 has been merged |
Required improvements for PR 507.