Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feature/new secret backend vault transit #826

Merged
merged 52 commits into from
Apr 12, 2022
Merged

Feature/new secret backend vault transit #826

merged 52 commits into from
Apr 12, 2022

Conversation

Moep90
Copy link
Contributor

@Moep90 Moep90 commented Mar 1, 2022

Proposed Changes

  • add vaulttransit as new secret engine
  • add tests to vaulttransit secret engine for encryption, decryption
  • add documentation for the new secret engine
  • this will allow to use the Hashicorp Vaults Secret Engine called Transit
    • usage is similar to GKMS but with vault
    • you can encrypt, decrypt secrets
    • you can use different policies like engineers can encrypt secrets but not decrypt them
    • a key rotation using the same key is allowed and would reencrypt the secrets
    • changing the key will reencrypt the secrets using the kapitan reencrypt way

danny.heinrich and others added 20 commits February 13, 2022 19:58
Initial add vaulttransit
9c9c0b5
fixed secrets reference
5e1b725
enc, dec, key rotate and rekeying
7f26423
@Moep90
Merge pull request #1 from xqp/feature/add_vault_transit_pr
55a14a8 
Feature/add vault transit pr
use black to format files
ae112b6
Merge branch 'Moep90:master' into feature/add_vault_transit_pr
75c2303
adding initial docs to vaulttransit
1a8c18e
randomize localhost port for tests
c9a2301
only randomize local port
47261c3
linter issue
4aa3c39
applied pre-commit reformatting
f861101
updated vaulttransit documentation
dd451b0
added further details on how to apply testing
15ae084
add test for key update
25ea59e
linter
8550db6
@Moep90
Merge pull request #3 from xqp/feature/add_vault_transit_pr
7075797 
format the python code
adding initial docs to vaulttransit
b52dadf
updated vaulttransit documentation
6bebd5d
added further details on how to apply testing
db3a4d3
Merge branch 'feature/new_secret_backend_vault_transit' of https://gi…
8696224 
…thub.com/Moep90/kapitan into feature/new_secret_backend_vault_transit
@Moep90 Moep90 marked this pull request as ready for review March 1, 2022 06:52
@Moep90 Moep90 mentioned this pull request Mar 7, 2022
Closed
@Moep90
Copy link
Contributor Author

Moep90 commented Mar 9, 2022

tests seams to be fixed with #828

danny.heinrich and others added 24 commits March 18, 2022 06:53
fixed linter findings
b244bc4
fixed typos
9a9364c
fixed vaulttransit tests
bbc4ffa
added ca-certs due https verify issues
0cb5ab5
use black to format files
bc4240f
randomize localhost port for tests
e92a230
only randomize local port
a767549
linter issue
05c73fa
add test for key update
ae1945f
linter
add6457
adding initial docs to vaulttransit
1b1eacb
updated vaulttransit documentation
9f29be9
added further details on how to apply testing
6a09922
fix typo on mount
8020c9d
fix issue when calling ||randomstr|base64
89fa40c
added logging message base64 encoding
89c5bf0
fixed wrong type from base64 to vaulttransit
f593a28
@lion24
kapitan: fix python tests. (#828)
c83e319 
This change needs to be merged first: kapicorp/reclass#7

* On the latest version, to render helm template it now uses the helm
  cli directly. However it seems using helm 3.8.0 (the latest stable),
  the default behavior if to release name is specify is to populate with
  the string "release-name", not "RELEASE-NAME" hence all lowercase.
  There's a simple way to reproduce:
  ```
  helm create test-chart
  helm template --include-crds --skip-tests
  ````
  And check how {{ .Release.Name }} gets populated when there's none
  specified.

Signed-off-by: Lionel H <me@nullbyte.be>
@simu
Accept content-type application/gzip when unpacking dependencies (#830
67f9931 
)

The content-type `application/gzip` has been introduced in [RFC 6713][1]
as an official type which was intendend to be used instead of various
custom content types, such as `application/x-gzip`.

It appears that adoption of `application/gzip` is not very high, so its
absence from the list of content types which Kapitan tries to unpack
hasn't caused issues yet.

However, we've now found a dependency (Cilium Enterprise Edition OLM
manifests) which is served with `content-type: application/gzip` which
results in the following log messages from Kapitan:

```
Dependency https://<REDACTED>/cilium-ee-1.10.4.tar.gz: fetching now
Dependency https://<REDACTED>/cilium-ee-1.10.4.tar.gz: successfully fetched
Dependency https://<REDACTED>/cilium-ee-1.10.4.tar.gz: Content-Type application/gzip is not supported for unpack. Ignoring save
```

This commit adds `application/gzip` as a supported content type for
`.tar.gz` archives in `unpack_downloaded_file()`.

[1]: https://datatracker.ietf.org/doc/html/rfc6713
fixed linter findings
69d6c72
fixed typos
9647559
fixed vaulttransit tests
f9f7bc6
added ca-certs due https verify issues
eb96914
Merge branch 'feature/new_secret_backend_vault_transit' of https://gi…
6d48078 
…thub.com/Moep90/kapitan into feature/new_secret_backend_vault_transit
@Moep90 Moep90 requested a review from ramaro March 18, 2022 07:58
@ramaro
Copy link
Member

ramaro commented Apr 12, 2022

This is good to go, thanks @Moep90 @xqp !

@ramaro ramaro merged commit 28916cf into kapicorp:master Apr 12, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@uberspot uberspot Awaiting requested review from uberspot

@ademariag ademariag Awaiting requested review from ademariag

@ramaro ramaro Awaiting requested review from ramaro

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@Moep90 @ramaro @lion24 @simu