Add storage backend for configs based on OS provided secret store #3333
Conversation
cfergeau
left a comment
Adding a second implementation of the Config interface to handle secrets is an interesting approach! One thing to keep in mind though is that this 'secret' keyring will not always be available; I don't have access to gnome-keyring when I ssh into a Linux box (but maybe this is a matter of configuration?)
Ahh, didn't know, I don't think I ever tried this, but always assumed the CLI
My observations are only based on the pull secret keyring code; it always outputs a warning on my test machine. I never checked if it can be fixed.
Seems like the issue is with dbus not being accessible/available; it's failing in CI for Ubuntu :(
@cfergeau I've tried to add a check to see if the keyring is accessible at the beginning, when the secret store is initialised, and not error out and crash the whole thing when we try to access a secret config store that doesn't have access to the keychain. PTAL :)
cfergeau
left a comment
I need to take a closer look at 'Add a Secret type to register secret settings', but overall this looks nice!
This implements the RawStorage interface by using the OS-provided keyring/secret store as the persistent store of config settings. Currently config settings are persisted to disk by writing to a JSON file in ~/.crc/crc.json. This becomes an issue if we want to have a config setting that stores a password or any other secret, as we don't want it to get written to disk unencrypted. Creating an instance of Config with SecretStore as the storage, the settings/secrets are written to the OS keyring instead.
Extends the crc Config struct to also contain an instance of Secret storage, same as the Viper storage, which will store secret configs. This doesn't add a way to register secret configs yet, so the secret store is not being used and is only added to the struct. The config.New method is modified to take a second RawStorage, which meant updating the tests and other places where config.New was called.
pkg/crc/config/config.go (outdated)

```go
if err := c.storage.Unset(key); err != nil {
	return "", err
switch setting.defaultValue.(type) {
```
Maybe use setting.isSecret here too?
This adds a Secret type which is just a string but can be used to register a setting as a Secret setting, by using this type for the default empty value of the config. This adds a new private field 'isSecret' to the 'Setting' struct, which is used by AddSetting to mark a Setting as secret. Based on this field it is decided which storage is used to persist or fetch the config setting.
This adds a bool field 'IsSecret' to the SettingValue struct. We'll use this field to filter out secret config values in the output of the 'crc config view' command.
This new flag is added to control the revealing of secrets for the 'crc config view' command. By default the flag is set to false and keeps the secrets secret. This is only added to the 'view' sub-command, as for the 'get' and 'set' commands users have to also mention the config name and are aware that they are working with a secret config. For 'view' to reveal the secrets we'll need to pass the '--show-secrets' flag: 'crc config view --show-secrets'.
We don't expose these configs in the tray UI, the only consumer of the HTTP API.
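The design described in the commit messages above (a second RawStorage backed by the OS keyring, a Secret type that marks a setting as secret, the keyring availability check done at initialisation, and masking in 'crc config view' unless '--show-secrets' is passed), sketched as an added Go example that is not the crc project's own code. memStore, Config.backend and Config.View are constructed stand-ins for the real implementation.

```go
package main

import "fmt"

// Secret is a string type; a setting whose default value is a Secret is routed to the keyring store.
type Secret string

// RawStorage is the persistence interface the JSON file and keyring backends both implement.
type RawStorage interface {
	Get(key string) interface{}
	Set(key string, value interface{}) error
}

// memStore is a constructed in-memory stand-in for both real backends.
type memStore map[string]interface{}

func (m memStore) Get(key string) interface{}          { return m[key] }
func (m memStore) Set(key string, v interface{}) error { m[key] = v; return nil }

// Config holds a plain and a secret RawStorage; secretAvailable records the keyring check made at init.
type Config struct {
	storage, secretStorage RawStorage
	secretAvailable        bool
	defaults               map[string]interface{} // registered settings and their default values
}

// backend picks the store from the type of the registered default; a secret
// setting without a reachable keyring returns an error instead of crashing.
func (c *Config) backend(name string) (RawStorage, bool, error) {
	if _, secret := c.defaults[name].(Secret); !secret {
		return c.storage, false, nil
	}
	if !c.secretAvailable {
		return nil, true, fmt.Errorf("%q is secret but the secret store is not available", name)
	}
	return c.secretStorage, true, nil
}

func (c *Config) Set(name string, v interface{}) error {
	b, _, err := c.backend(name)
	if err != nil {
		return err
	}
	return b.Set(name, v)
}

// View renders one setting as 'crc config view' does: secrets stay masked unless showSecrets is set.
func (c *Config) View(name string, showSecrets bool) (string, error) {
	b, secret, err := c.backend(name)
	if err != nil {
		return "", err
	}
	if secret && !showSecrets {
		return "<secret>", nil
	}
	return fmt.Sprint(b.Get(name)), nil
}
```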
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: cfergeau.
Fixes #3312