Add flyctl commands for managing secrets that are kms keys #3901
TODO: This needs go.mod changes for new fly-go/flaps version once that lands.
Manually tested listing, setting, and deleting kms secrets (with pr flaps client, and flaps server on dev gw), and verified that keys are visible in machine's kmsfs (with flyd pr that allows qmx machines to start kmsfs).
TODO: I should probably hide this command until we're ready to announce it. I think we'll want to iterate on a few of the rough edges in kmsfs/petsem/flaps/flyctl before we freshproduce this.
- separate out generate from set.
I gave this a closer read through now that we've sorted out the philosophical questions. This is looking good to me!
Key deletion will iterate all existing keys, and delete any keys that match the command line label. If the command line label is unversioned, it will match all key versions. It will prompt before each deletion and print out a message after each deletion. The force flag suppresses prompting. Note: this means if there are no matching keys, no delete is attempted, and no message is printed, and no error is returned.
I updated key deletion to include some versioning smarts, prompting (suppressable with force flag) and output indicating which keys were deleted:
flyctl secrets keys now operates on semantic key types, not concrete key types.
LGTM
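The key-deletion behaviour described in the thread above, as an added Go example that is not code from this PR or from flyctl. The `Key` type, the `name@N` label syntax and the `confirm`/`del` callbacks are hypothetical, since the page does not show the real version format or API.

```go
package main

import (
	"fmt"
	"strings"
)

// Key is a hypothetical stand-in for a stored KMS key: a name plus a version.
type Key struct {
	Name    string
	Version int
}

func (k Key) String() string { return fmt.Sprintf("%s@%d", k.Name, k.Version) }

// matches: an unversioned label ("db") selects all versions, "db@2" selects one.
func matches(label string, k Key) bool {
	if !strings.Contains(label, "@") {
		return label == k.Name
	}
	return label == k.String()
}

// deleteKeys walks every existing key, prompts via confirm before each match
// unless force is set, and returns the labels deleted. No match: empty, nil.
func deleteKeys(existing []Key, label string, force bool,
	confirm func(Key) bool, del func(Key) error) ([]string, error) {
	var deleted []string
	for _, k := range existing {
		if !matches(label, k) {
			continue
		}
		if !force && !confirm(k) {
			continue // user declined this version; keep going
		}
		if err := del(k); err != nil {
			return deleted, fmt.Errorf("deleting %s: %w", k, err)
		}
		deleted = append(deleted, k.String())
	}
	return deleted, nil
}

func main() {
	keys := []Key{{"db", 1}, {"db", 2}, {"db2", 1}} // constructed sample data
	noop := func(Key) error { return nil }
	got, err := deleteKeys(keys, "typo", true, nil, noop) // force: no prompt
	fmt.Println(got, err) // [] <nil>: nothing matched, nothing reported
}
```

Because a label that matches nothing returns no error, automation that rotates or revokes keys should check the returned list rather than the error alone.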
Change Summary
What and Why: Adds flyctl secrets keys commands for adding, removing, and listing KMS keys. This will allow users to manage secrets that they can use with the kmsfs via /.fly/kms in their machine.
How: Makes calls via the flaps client to new endpoints.
Related to: nomad-firecracker PR #2599 which adds flaps endpoints for managing KMS secrets.
Documentation