Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fixing secret validation by supporting EC private keys. #4135

Merged
merged 3 commits into from Feb 23, 2022
Merged

Fixing secret validation by supporting EC private keys. #4135

merged 3 commits into from Feb 23, 2022

Conversation

alexgervais
Copy link
Contributor

Description

Fixing secret validation by supporting EC private keys and making the secret validation feature an opt-in via the FORCE_SECRET_VALIDATION environment variable.

This PR does NOT contain any changes to the Helm chart. I'm unsure at this point if we should surface the FORCE_SECRET_VALIDATION env var as a chart property.

Related Issues

#4134

Testing

Extended the current unit tests to use EC private keys.

Checklist

  • I made sure to update CHANGELOG.md.

    Remember, the CHANGELOG needs to mention:

    • Any new features
    • Any changes to our included version of Envoy
    • Any non-backward-compatible changes
    • Any deprecations

  • This is unlikely to impact how Ambassador performs at scale.

    Remember, things that might have an impact at scale include:

    • Any significant changes in memory use that might require adjusting the memory limits
    • Any significant changes in CPU use that might require adjusting the CPU limits
    • Anything that might change how many replicas users should use
    • Changes that impact data-plane latency/scalability

  • My change is adequately tested.

    Remember when considering testing:

    • Your change needs to be specifically covered by tests.
      • Tests need to cover all the states where your change is relevant: for example, if you add a behavior that can be enabled or disabled, you'll need tests that cover the enabled case and tests that cover the disabled case. It's not sufficient just to test with the behavior enabled.
    • You also need to make sure that the entire area being changed has adequate test coverage.
      • If existing tests don't actually cover the entire area being changed, add tests.
      • This applies even for aspects of the area that you're not changing – check the test coverage, and improve it if needed!
    • We should lean on the bulk of code being covered by unit tests, but...
    • ... an end-to-end test should cover the integration points

  • I updated DEVELOPING.md with any any special dev tricks I had to use to work on this code efficiently.

alex added 2 commits February 23, 2022 15:59
Fixing secret validation by supporting EC private keys
3f7e5db 
Signed-off-by: alex <alex@datawire.io>
Generated changelog
7e8882f 
Signed-off-by: alex <alex@datawire.io>
Renamed FORCE_SECRET_VALIDATION to AMBASSADOR_FORCE_SECRET_VALIDATION…
fb05c6a 
… and extended EC coverage with an invalid key

Signed-off-by: alex <alex@datawire.io>
kflynn
kflynn approved these changes Feb 23, 2022
View reviewed changes
Copy link
Member

@kflynn kflynn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hit it! I'll have some metrics ready to go shortly, but landing this first is fine by me.

@aidanhahn aidanhahn merged commit 0ab563d into release/v2.2 Feb 23, 2022
@aidanhahn aidanhahn deleted the alexgervais/dev/fix-secret-validation-4134 branch February 23, 2022 22:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kflynn kflynn kflynn approved these changes

@AliceProxy AliceProxy AliceProxy approved these changes

@aidanhahn aidanhahn aidanhahn approved these changes

@LukeShu LukeShu Awaiting requested review from LukeShu

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@alexgervais @kflynn @AliceProxy @aidanhahn