-
-
Notifications
You must be signed in to change notification settings - Fork 240
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Adds feature to fetch release values and secret values from remote #47
Adds feature to fetch release values and secret values from remote #47
Conversation
@@ -186,7 +187,11 @@ func (r *Remote) Fetch(goGetterSrc string, cacheDirOpt ...string) (string, error | |||
replacer := strings.NewReplacer(":", "", "//", "_", "/", "_", ".", "_") | |||
dirKey := replacer.Replace(srcDir) | |||
if len(query) > 0 { | |||
paramsKey := strings.Replace(query, "&", "_", -1) | |||
q, _ := neturl.ParseQuery(query) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
According to https://github.com/hashicorp/go-getter/blob/4553965d9c4a8d99bd0d381c1180c08e07eff5fd/README.md#protocol-specific-options-1 there are multiple supported protocols like git
, http
, s3
and gcs
. All this protocols can include some sensitive information in any URL part.
Instead of redacting ever possible query parameter the whole URL could be hashed with sha256
. This will fix the two problems mentioned in this pull request.
- Don't leak sensitive information
- Avoid hitting the max length of a folder name
@@ -30,7 +31,17 @@ func NewStorage(forFile string, logger *zap.SugaredLogger, glob func(string) ([] | |||
func (st *Storage) resolveFile(missingFileHandler *string, tpe, path string) ([]string, bool, error) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This enhancement allows for referencing remote (go-getter) files to be
fetched, cached and referenced.
Loading env values from remote already supported, link. Here is a code that is responsible for that.
Does it mean that you propose to trait any file link as a potentially remote file? In that I think LoadEnvironmentValues
function should be adjusted as well.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you for pointing out. The PR solves the same issues ( roboll/helmfile#1838 / roboll/helmfile#1499 ) as your RP #42. The title of the PR was misleading and I changed it from environment to release. I also added a basic example to illustrate the enhancement.
The difference of the two implementations is, that this PR also fetches secret values files. Since your PR only patches generateVanillaValuesFiles
.
Maybe we find a middle ground and we can combine the two options.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, thanks for the additional input!
Yeah, what I'm pointing is that in your case resolving happens twice. Maybe it is better to patch vanilla values and secrets fletcher separately. Not the base function.
Or, as a common solution better than repeating solution 3 times it makes sense to remove env vars loader and just use your patch everywhere.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
in your case resolving happens twice
If we're going to support this remote file loading universally within helmlfile, it might make sense to patch resolveFile this way. Let's merge this and see how it goes.
I'm unsure if I'm aware of all the consequences of doing it though. I'd appreciate it if you could submit follow-up PRs to de-duplicate the remote file fetching steps if that makes sense 🙇
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
The releases and environment section allow for values files on the local disk. This enhancement allows for referencing remote (go-getter) files to be fetched, cached and referenced. In addition when fetching a remote git source with a ssh key the ssh key will not be part of the caching folder name. This avoids two problems: 1. Don't leak sensitive information in the name of the caching folder 2. Base64 encoded SSH keys are very long. On some file systems the max lenght of the directory name is hit when using the full base64 information in the path name. The sshkey informations are reducted. Because of this fixed string there is a change of colloding cache names. The likelihood of this collision is very low. The git repo and git reference need to be the same, but the sshkey can change. This will result in the same source to be checkout out and referenced. Signed-off-by: Lüchinger Dominic <dev@snowgarden.ch>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. Thanks for your contribution @dol
The releases and environment section allow for values files on the local
disk.
This enhancement allows for referencing remote (go-getter) files to be
fetched, cached and referenced.
Example:
In addition when fetching a remote git source with a ssh key the ssh key
will not be part of the caching folder name. This avoids two problems:
lenght of the directory name is hit when using the full base64
information in the path name.
The sshkey informations are reducted. Because of this fixed string
there is a change of colloding cache names. The likelihood of this
collision is very low. The git repo and git reference need to be the
same, but the sshkey can change. This will result in the same source to
be checkout out and referenced.