Secret Store #210

Merged
merged 1 commit into from Jan 20, 2023

Member

@joeshaw joeshaw commented Dec 1, 2022

This introduces types and hostcalls for the Secret Store, and implements
them in Viceroy, along with configuration to instantiate them.

In Compute@Edge, a Secret Store is an encrypted, read-only key-value
store for sensitive data. In Viceroy, however, it is a simple
unencrypted in-memory map defined in the fastly.toml file in a
manner similar to Object Stores.

At a high level, a Wasm application using the APIs would:

  1. Open a secret store by name
  2. Get a secret from the store by name
  3. Decrypt the secret by calling its plaintext method.

In Viceroy, Secret Stores are configured in the same way Object Stores
are:

```toml
[local_server]
  [local_server.secret_store]
    store_one = [{key = "first", data = "This is some secret data"}, {key = "second", path = "/path/to/secret.json"}]

    [[local_server.secret_store.store_two]]
      key = "first"
      data = "This is also some secret data"

    [[local_server.secret_store.store_two]]
      key = "second"
      path = "/path/to/other/secret.json"
```
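
The three-step flow and the `data` / `path` entry forms described above, modelled in std-only Rust as an added example; it is not Viceroy's implementation or the Fastly SDK API. `Entry`, `SecretStores`, `load` and the rule that an entry sets exactly one of `data` or `path` are assumptions of this sketch.

```rust
use std::collections::HashMap;
use std::{fs, io};

/// One `{key, data | path}` entry of a store (field names from the config above).
pub struct Entry<'a> { pub key: &'a str, pub data: Option<&'a str>, pub path: Option<&'a str> }

/// Handle to one secret; the bytes are exposed only through `plaintext()`.
pub struct Secret(Vec<u8>);
impl Secret { pub fn plaintext(&self) -> &[u8] { &self.0 } }

/// Read-only, unencrypted in-memory map, as the PR describes the local store.
pub struct SecretStore(HashMap<String, Secret>);
impl SecretStore { pub fn get(&self, key: &str) -> Option<&Secret> { self.0.get(key) } }

/// All configured stores, indexed by store name (hypothetical type).
pub struct SecretStores(HashMap<String, SecretStore>);
impl SecretStores {
    /// Assumption of this sketch: an entry sets exactly one of `data` / `path`.
    pub fn load(cfg: &[(&str, Vec<Entry<'_>>)]) -> io::Result<Self> {
        let mut stores = HashMap::new();
        for (name, entries) in cfg {
            let mut map = HashMap::new();
            for e in entries {
                let bytes = match (e.data, e.path) {
                    (Some(d), None) => d.as_bytes().to_vec(),
                    (None, Some(p)) => fs::read(p)?, // file contents become the secret
                    _ => return Err(io::Error::new(io::ErrorKind::InvalidInput,
                        format!("{}/{}: set exactly one of data or path", name, e.key))),
                };
                map.insert(e.key.to_string(), Secret(bytes));
            }
            stores.insert(name.to_string(), SecretStore(map));
        }
        Ok(SecretStores(stores))
    }
    pub fn open(&self, name: &str) -> Option<&SecretStore> { self.0.get(name) }
}

fn main() -> io::Result<()> {
    // Constructed sample mirroring the inline entry of `store_one`.
    let cfg = [("store_one", vec![Entry { key: "first", data: Some("This is some secret data"), path: None }])];
    let stores = SecretStores::load(&cfg)?;
    // 1. open the store, 2. get the secret, 3. read its plaintext.
    let secret = stores.open("store_one").and_then(|s| s.get("first")).expect("configured");
    println!("{}", String::from_utf8_lossy(secret.plaintext()));
    Ok(())
}
```
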

@joeshaw joeshaw requested a review from cratelyn December 1, 2022 16:54
awilliams-fastly added a commit to fastly/cli that referenced this pull request Dec 5, 2022
Viceroy is being updated with support for a new `local_server.secret_store` configuration section.
This change adds support for this new section in the manifest.

Viceroy change:
fastly/Viceroy#210

Related change:
#717
awilliams-fastly added a commit to fastly/cli that referenced this pull request Dec 5, 2022
Viceroy is being updated with a new `local_server.secret_store` configuration section. Viceroy change:
fastly/Viceroy#210

This change adds support for the new Secret Store configuration section.

Related change:
#717
@mgattozzi
Contributor

Hey @joeshaw, I took a look and this is amazingly well done. I do see it's trying to merge it into the acf/finish-streaming-bodies branch right now, so we should probably hold off until that's merged and then set this PR to merge into main instead after that's in. Otherwise, I think these changes have solid, comprehensive test coverage and they're passing, so I think we should be okay.

@joeshaw
Member Author

joeshaw commented Dec 8, 2022

@mgattozzi Sounds good! Yeah, I wasn't planning to land this until the other branch has landed. Once that branch is landed, this PR should automatically re-target main.

@awilliams-fastly
Contributor

Adding a reminder for us to update https://developer.fastly.com/reference/compute/fastly-toml/#local-server

Base automatically changed from acf/finish-streaming-bodies to main January 18, 2023 22:42
@joeshaw
Member Author

joeshaw commented Jan 18, 2023

@mgattozzi With #203 having been merged and the 0.9.1 Rust SDK having been tagged, this should be ready to merge.

@joeshaw
Member Author

joeshaw commented Jan 19, 2023

Rebased on main, which switched to Wasmtime 4.0.0 and required some tweaks (#217)

@mgattozzi mgattozzi self-requested a review January 20, 2023 15:53
Contributor

@mgattozzi mgattozzi left a comment

@joeshaw thanks for rebasing things and getting it set to merge into main. I think this is ready to go!

@mgattozzi mgattozzi merged commit 05247c4 into main Jan 20, 2023
@mgattozzi mgattozzi deleted the joeshaw/secret-store branch January 20, 2023 16:00