Implement secret sub-variables #282
Conversation
uberspot
requested review from
uberspot,
adrianchifor and
ramaro
and removed request for
uberspot and
adrianchifor
I think yes, we need to make sure that's covered as well otherwise it will fail silently when deployed instead of during compiling and will make debugging more painful for users.
👍 Makes sense as an approach. |
kapitan/refs/secrets/gpg.py
Outdated
| def _decrypt(self, data): | ||
| """decrypt data""" | ||
| dec = gpg_obj().decrypt(data, **GPG_KWARGS) | ||
| dec = self.decrypt_with_cache(data) |
There was a problem hiding this comment.
Maybe it's better to do the caching in the place that calls _decrypt already?
There was a problem hiding this comment.
You’re right. I was afraid caching takes place per instance method but it does so as a class. Will correct this
@yoshi-1224 how is this going to work? We can't decrypt on compile - I'm not sure implementing this will be possible. |
|
What about storing the structure of the subvars in the secret itself(like we store the encoding)? Just the keys of the yaml, decrypted names same as they would be in individual files. You could store that as a base64'ed json. It is a bit divergent again from the simpler secret concept we had but it's an alternative if decrypting during compile proves too challenging. |
|
@yoshi-1224 @uberspot I'm not totally sure this should be implemented for each ref type. Ideally this should be abstracted away from gpg/akms/gkms and offered as a given feature, regardless of the type. It doesn't make sense to me for each of these to have to implement it again and again. How about exploring your ideas instead in the |
I don't know if it will be necessary to add extra complexity for this feature. I like to think that subvars are simply a reveal filter feature for yaml files encrypted into secrets. The workflow to "validate" these on compile would have to be by passing the |
|
So there's good news and bad news. 👍 The good news is that everyone that needs to sign a CLA (the pull request submitter and all commit authors) have done so. Everything is all good there. 😕 The bad news is that it appears that one or more commits were authored or co-authored by someone other than the pull request submitter. We need to confirm that all authors are ok with their commits being contributed to this project. Please have them confirm that here in the pull request. Note to project maintainer: This is a terminal state, meaning the ℹ️ Googlers: Go here for more info. |
|
@ramaro @uberspot
Thanks for pointing this out. I believe this is a much better idea. I just implemented it in the most recent commit (sorry the rebasing really messed things up. Regarding the validation, it necessitates decryption which may not be desirable. Also, as @ramaro pointed out, reveal will automatically fail if the sub-variables do not exist so I agree it is not strictly necessary to validate. |
|
CLAs look good, thanks! ℹ️ Googlers: Go here for more info. |
yoshi-1224
force-pushed
the
secret_subvars
branch
2 times, most recently
from
6dc96db
to
e5a0359
Compare
yoshi-1224
force-pushed
the
secret_subvars
branch
from
e5a0359
to
72904fe
Compare
|
@yoshi-1224 I think this is good to go! Let's just add the comment in subvar.yml and we can merge. |
|
So there's good news and bad news. 👍 The good news is that everyone that needs to sign a CLA (the pull request submitter and all commit authors) have done so. Everything is all good there. 😕 The bad news is that it appears that one or more commits were authored or co-authored by someone other than the pull request submitter. We need to confirm that all authors are ok with their commits being contributed to this project. Please have them confirm that here in the pull request. Note to project maintainer: This is a terminal state, meaning the ℹ️ Googlers: Go here for more info. |
|
A Googler has manually verified that the CLAs look good. (Googler, please make sure the reason for overriding the CLA status is clearly documented in these comments.) ℹ️ Googlers: Go here for more info. |
|
Merged, nice work! :) I'll do a small rc release to keep this as a tested feature |
Fixes issue #131
This PR is just for the feedback on the implementation. No tests are added yet either (temporarily commented out the assertion for compile hash equivalence).
Proposed Changes
?{<ref_type>:<file_path>@<yaml_path>}(only implemented for gpg Ref so far).kapitan secrets --write ...where the secret file is a yaml file.Implementation idea
yaml_pathattribute to Ref (sub-class) instances. Use this to check if the secret is a sub-variable, and if so, after decryption in reveal function, index into the yaml_path and return the valuelru_cache. But it is inefficient because the parameter is the data itself, rather than ref file path. We should ideally use ref file path as the parameter since it is a just short string.kapitan compileis the hash of the entire file content. e.g. if we have?{gpg:file1@var1}and?{gpg:file1@var2}then the hash for the two secrets are identical. This should be secure still based on collision resistance.kapitan compile, it doesn't check if the sub-vars are actually present in the encrypted yaml file. Should we implement this as well?