Ku 510/vault kv/encryption at rest #342
Nice port, thanks @addyess!
requirements.txt
charm-lib-kubernetes-snaps @ git+https://github.com/charmed-kubernetes/charm-lib-kubernetes-snaps@main | ||
charm-lib-kubernetes-snaps @ git+https://github.com/charmed-kubernetes/charm-lib-kubernetes-snaps@KU-510/vault-kv/encryption-at-rest |
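Review bot: the requirement line ending in @KU-510/vault-kv/encryption-at-rest points charm-lib-kubernetes-snaps at a feature branch, which is a mutable ref: whatever is pushed to that branch is what gets installed, and the ref stops resolving if the branch is deleted once its own PR merges. Before this lands, switch the requirement to a ref that will persist, or to a commit SHA, so builds stay reproducible.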
Do not merge without this
charmed-kubernetes/charm-lib-kubernetes-snaps#16
Will also need this library backported
9386f4d to 7806297
this is certainly a big one, but the vault-kv/locker functionality feels right given our want for enc-at-rest for k-c-p. nice job bringing this in.
* Vendor ops version of layer-vault-kv into the charm
* Completed unit tests of vault-kv library
* begin testing of vaultlocker layer replacement
* Begin testing of reactive upgrade
* Completed unit tests and docs to support vaultlocker encryption
* Passing jenkins validation testing
* woke ignore operator libs
* Improve testing, improved security, validated upgrades
* Address review comments
* pin hvac requirements
Allows the control-plane charm to relate to vault over the vault-kv relation. This unlocks encryption-at-rest, using vault-kv to store the encryption key used to encrypt secrets in etcd.
This PR creates two new libraries from existing charmhelpers/reactive based layers
There's also quite a bit of code lift from charmhelpers as well (see fstab.py).
Those libraries could VERY likely be externalized and pip imported -- but they're here in this draft PR in order to accelerate producing the feature.