Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Simply and clarify the secret fetching process #33

Merged
merged 2 commits into from
Mar 19, 2020
Merged

Simply and clarify the secret fetching process #33

merged 2 commits into from
Mar 19, 2020

Conversation

broamski
Copy link
Collaborator

@broamski broamski commented Mar 10, 2020
edited
Loading

This PR simplifies the secret fetching process with the introduction of SecretDefinitions, which contain relevant data around fetching a specified set of secrets.

Externally, a Secret Definition is defined via: VAULT_SECRET_THING=my/vault/path/to/a/key either with a corresponding DAYTONA_SECRET_DESTINATION_THING=/path/to/output or a -secret-env argument. Please note that the suffix is no longer required to match the final key name in the vault path.

Before this change, note that the suffix THING in VAULT_SECRET_THING was required to match the key name of the vault path:

VAULT_SECRET_THING=my/vault/path/to/a/thing
DAYTONA_SECRET_DESTINATION_THING=/path/to/output

# the following would not work:
VAULT_SECRET_THINGY=my/vault/path/to/a/thing
DAYTONA_SECRET_DESTINATION_THINGY=/path/to/output

This PR introduces arbitrary suffix identifiers:

VAULT_SECRET_WHATUP=my/vault/path/to/a/thing/called/hello
DAYTONA_SECRET_DESTINATION_WHATUP=/path/to/output

Secret Definition Decoder Guide

  • VAULT_SECRET_: Singular Secret Storage Path Prefix
  • VAULT_SECRETS_: Plural Secret Storage Path Prefix
  • DAYTONA_SECRET_DESTINATION_: Secret Destination Prefix
  • secretID-SUFFIX: The unique secret identifier that can be used to tie a Secret Storage Path Prefix to a corresponding destination prefix

Singular Secrets

  • Singular Secret Declaration: VAULT_SECRET_<secretID-SUFFIX>=<SECRET-APEX>
  • Singular Secret Destination: DAYTONA_SECRET_DESTINATION_<secretID-SUFFIX>=<FILE-PATH>

This PR also now enables support for using Plural Secret Storage Path Prefixes VAULT_SECRETS_<secretID-SUFFIX> with Secret Destination Prefixes DAYTONA_SECRET_DESTINATION_, which intended to deprecate the -secret-path command line flag.

Thank you @robison for authoring the additional tests.

@robison robison mentioned this pull request Mar 10, 2020
Closed
@broamski broamski requested a review from robison March 10, 2020 22:53
@broamski
Simply the secret fetching process with the introduction of
15c8e0f 
SecretDefinitions, which contain relevant data around fetching a
specified set of secrets.

Added more tests to support functionality and improve coverage
@broamski broamski added this to the 1.1.1 milestone Mar 10, 2020
This was linked to issues Mar 10, 2020
Crashes when reading secrets in directory when there are not secrets at a lower level #3
Closed
Bug: Doesn't read secrets when SECRET_ENV_ suffix does not match the last part of the secret path #29
Closed
@broamski broamski marked this pull request as ready for review March 10, 2020 23:23
@broamski
Copy link
Collaborator Author

@robison I updated the README to reflect these changes.

@broamski broamski merged commit fb997cf into master Mar 19, 2020
unixist
unixist reviewed Mar 19, 2020
View reviewed changes
pkg/secrets/secrets.go

// SecretFetcher inspects the environment for variables that
// define secret definitions. The variables are used to guide
// the SecretFetcher in acquring and outputting the specified secrets
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

typo

pkg/secrets/secrets.go
parallelReader.AsyncRequestKeyPath(secretPath)
secretResult := parallelReader.ReadSecretResult()
def := &SecretDefinition{
envkey: envKey,
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: keep compound word vars camel case? envKey

pkg/secrets/secrets.go
continue
}

// look for a corresponding secretDestinationPrefix key.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we're going to say that case doesn't matter, I suggest making it not matter at all within the string. For example, this code currently only equates "SUFFIX" and "suffix".

If the case differs in a substring, e.g. "SUFFIX" and "SUFfix", this code wont match. I personally prefer vars to be truly case sensitive. But as it is, it's neither truly case sensitive nor insensitive.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like lines changed since my comment. I'll let you figure it out and whether you want to change it :)

unixist
unixist reviewed Mar 19, 2020
View reviewed changes
README.md

---

**Plurar Secrets**
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

l

@broamski broamski modified the milestones: 1.1.1, 1.1.0 Mar 25, 2020
@broamski broamski deleted the 1.1.1 branch March 25, 2020 21:37
@broamski broamski mentioned this pull request Oct 22, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@unixist unixist unixist left review comments

@robison robison robison approved these changes

Assignees
No one assigned
Labels
None yet
Milestone
1.1.0
3 participants
@broamski @unixist @robison