AIAP: support non test GPG keys #654

Closed
jgu17 opened this issue Oct 13, 2021 · 5 comments
Labels: enhancement (New feature or request), priority/medium (Default priority for items)
Comments

jgu17 (Contributor) commented Oct 13, 2021

Problem description (if applicable)

AIAP can only deploy using the Mozilla SOPS gpg key for testing purposes.

Proposed change
Add support in AIAP to use a production gpg key for secret encryption and decryption.

Potential impacts
Potential security- or performance-related impacts.

@jgu17 jgu17 added enhancement New feature or request triage Needs evaluation by project members labels Oct 13, 2021
@jezogwza jezogwza added this to To do in Airship 2.0 via automation Oct 13, 2021
@jezogwza jezogwza added this to the v2.1 milestone Oct 13, 2021
@jezogwza jezogwza added priority/low Items that are considered non-critical for functionality, such as quality of life improvements priority/medium Default priority for items and removed triage Needs evaluation by project members priority/low Items that are considered non-critical for functionality, such as quality of life improvements labels Oct 13, 2021
sirajyasin (Contributor) commented:

I can work on this issue if no one has started yet. Can someone assign this issue to me ?

sreejithpunnapuzha (Member) commented:

All yours @sirajyasin

mattmceuen (Contributor) commented:

Thanks @sirajyasin ! A couple thoughts on how to approach it:

  1. make this line conditional, based on an input/override to AIAP: https://github.com/airshipit/airshipctl/blob/master/tools/airship-in-a-pod/runner/assets/entrypoint.sh#L77
    This^ is because we still want to regenerate/show secrets in our gates, but when we're testing an integration that uses real-life credentials in the manifests, we want to neither regenerate nor show!

  2. provide the decryption key to AIAP via a kind: Secret. The base kustomization could define the contents of this to include the mozilla key, and there could be a placeholder and/or documentation on how to kustomize a real key on top of it

  3. add documentation on how to use a custom key to the AIAP README

  4. (probably outside the scope of this issue, & should be a follow-on) it would be great to leverage airshipctl document validate #2 to mount in azure key vault-hosted keys, perhaps using this feature: https://docs.microsoft.com/en-us/azure/aks/csi-secrets-store-driver
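The approach sketched in the comment above (items 1 and 2), as an added shell example that is not airshipctl's own entrypoint.sh or any code posted in this thread. It selects the key source, gates the "regenerate and show secrets" step so it only runs with the test key, imports the key into gpg via stdin, and renders the kind: Secret a base kustomization could carry. SOPS_IMPORT_PGP is the variable name from the merged commit referenced on this issue; AIAP_SHOW_SECRETS, AIAP_KEY_DEMO, TEST_KEY_PATH and the mount path /etc/sops/test-key.asc are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not airshipctl's entrypoint.sh). Illustrates the approach
# discussed on this issue: import the SOPS key from SOPS_IMPORT_PGP when an
# operator supplies one, otherwise fall back to the test key mounted from a
# kind: Secret, and never regenerate or print secrets with a non-test key.
# Assumed names: AIAP_SHOW_SECRETS, AIAP_KEY_DEMO, TEST_KEY_PATH and
# /etc/sops/test-key.asc are hypothetical; SOPS_IMPORT_PGP is from the
# merged change referenced on this issue.
set -eu

TEST_KEY_PATH="${TEST_KEY_PATH:-/etc/sops/test-key.asc}"

# Prints "custom" when the operator supplied a real key, else "test".
sops_key_source() {
  if [ -n "${SOPS_IMPORT_PGP:-}" ]; then
    echo custom
  else
    echo test
  fi
}

# Gates still regenerate and display secrets, but only with the test key,
# and only unless AIAP_SHOW_SECRETS=false was passed explicitly.
# Returns 0 (true) when showing secrets is acceptable.
should_show_secrets() {
  [ "$(sops_key_source)" = test ] && [ "${AIAP_SHOW_SECRETS:-true}" = true ]
}

# Import whichever key applies into the runner's gpg keyring. The armored
# key is piped on stdin so it never lands in a temp file or in the process
# list (as it would if passed as a command-line argument).
import_sops_key() {
  case "$(sops_key_source)" in
    custom) printf '%s\n' "$SOPS_IMPORT_PGP" | gpg --batch --quiet --import ;;
    test)   gpg --batch --quiet --import "$TEST_KEY_PATH" ;;
  esac
}

# Render the kind: Secret the base kustomization would carry with the test
# key. An overlay replaces the data with a real key; the pod then exposes
# it as SOPS_IMPORT_PGP (for example via env.valueFrom.secretKeyRef).
# $1 = secret name, $2 = armored key material
render_key_secret() {
  key_b64=$(printf '%s' "$2" | base64 | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
type: Opaque
data:
  key.asc: $key_b64
EOF
}

# Usage: the gpg path only runs when asked for, so the functions above can
# also be sourced and checked on a host without gpg installed.
if [ "${AIAP_KEY_DEMO:-0}" = 1 ]; then
  import_sops_key
  if should_show_secrets; then
    echo "test key in use: regenerating and printing secrets"
  else
    echo "custom key in use: leaving secrets untouched"
  fi
fi
```

Run with `AIAP_KEY_DEMO=1` to exercise the import path; with `SOPS_IMPORT_PGP` set, `should_show_secrets` fails regardless of `AIAP_SHOW_SECRETS`, which is the property the gate needs when real credentials are in the manifests.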

@lb4368 lb4368 modified the milestones: v2.1, v2.2 Oct 27, 2021
airshipbot pushed a commit that referenced this issue Oct 28, 2021
* Enable user to set SOPS_IMPORT_PGP in env and consume that.

Relates-To: #654
Change-Id: Idb610980e11d228a48db8e412b0436556ac00ca5
airshipbot pushed a commit that referenced this issue Dec 2, 2021
Relates-To: #654
Change-Id: I984cfbc0e67ec32ae70ae3646bd59f5911494afb
sirajyasin (Contributor) commented:

This issue can be marked completed/closed. Both related PSs are merged now.

eak13 commented Dec 3, 2021

closing per merge

@eak13 eak13 closed this as completed Dec 3, 2021
Airship 2.0 automation moved this from To do to Done Dec 3, 2021
7 participants