
Add kubectl-passman @ 0.0.1 to krew index #267

Merged
merged 3 commits into from Oct 7, 2019

Conversation

@chrisns
Contributor

commented Oct 7, 2019

No description provided.

@k8s-ci-robot


commented Oct 7, 2019

Welcome @chrisns!

It looks like this is your first PR to kubernetes-sigs/krew-index 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/krew-index has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

…idates manifest to
@k8s-ci-robot k8s-ci-robot added size/M and removed size/L labels Oct 7, 2019
@chrisns chrisns referenced this pull request Oct 7, 2019
@chrisns

Contributor Author

commented Oct 7, 2019

oh wow, sorry, didn't realise the spammy repercussions of me trying to add more metadata in the commit message

@ahmetb

Member

commented Oct 7, 2019

Thanks for your contribution.
I see you invested in release procedure with krew a bit. There's an automated Krew release action for github at https://github.com/rajatjindal/krew-plugin-release if that is interesting to you (it's very recently developed by a third party).

/lgtm
/assign @corneliusweig
for a second look.

@chrisns

Contributor Author

commented Oct 7, 2019

thanks @ahmetb for sighting that. my google foo needs some work!
Had looked around but didn't see that, will look to move to that or similar, my supply chain spider sense does get a little (a lot) paranoid about generating tokens and providing them to 3rd party tools though :)
Hopefully github actions will at some point allow hashing the full package of remote actions ¯\_(ツ)_/¯

@corneliusweig

Contributor

commented Oct 7, 2019

@chrisns I can understand your reservations about the token. I think the recommended approach is to have a dedicated GitHub account which has the necessary permissions for just this one repo.

Contributor

left a comment

Thanks for contributing this!
/lgtm

See usage docs https://github.com/chrisns/kubectl-passman
description: |
  An easy way to store your kubernetes credentials in 1password or Mac OS Keychain
  (more password managers coming soon)

@corneliusweig

corneliusweig Oct 7, 2019

Contributor

Can you integrate https://github.com/gopasspw/gopass soon 😉 👀

@chrisns

chrisns Oct 7, 2019

Author Contributor

👍 added chrisns/kubectl-passman#25 PRs welcome if you get to it before I do 😄

@@ -42,6 +42,7 @@ Name | Description | Stars
[oidc-login](https://github.com/int128/kubelogin) | Log in to the OpenID Connect provider | ![GitHub stars](https://img.shields.io/github/stars/int128/kubelogin.svg?label=stars&logo=github)
[open-svc](https://github.com/superbrothers/kubectl-open-svc-plugin) | Open the Kubernetes URL(s) for the specified service in your browser. | ![GitHub stars](https://img.shields.io/github/stars/superbrothers/kubectl-open-svc-plugin.svg?label=stars&logo=github)
[outdated](https://github.com/replicatedhq/outdated) | Finds outdated container images running in a cluster | ![GitHub stars](https://img.shields.io/github/stars/replicatedhq/outdated.svg?label=stars&logo=github)
[passman](https://github.com/chrisns/kubectl-passman) | Provides glue between common password managers and kubectl for user credentials | ![GitHub stars](https://img.shields.io/github/stars/chrisns/kubectl-passman.svg?label=stars&logo=github)
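Review bot: the description in the added passman row ("Provides glue between common password managers and kubectl for user credentials") does not match the manifest's shortDescription, and because this table is regenerated from shortDescription the hand-written wording will be replaced the next time the page is generated; either copy the manifest's shortDescription into the row now or leave the row to the generator. The alphabetical placement after outdated is consistent with the rest of the table.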

@corneliusweig

corneliusweig Oct 7, 2019

Contributor

The description here is different from your manifest shortDescription. Although this is not a problem, you should know that this page is auto-generated and uses the shortDescription for the second column. So this variant is only temporary. (And your short description is good, because it gets truncated at ~50 characters)

@chrisns

chrisns Oct 7, 2019

Author Contributor

This is going to be in active development for a bit, wanted it on krew to get some exposure and feedback. will fix the table on my next PR, thanks!

@corneliusweig

Contributor

commented Oct 7, 2019

/approve

@k8s-ci-robot


commented Oct 7, 2019

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: chrisns, corneliusweig

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot merged commit 16a4a08 into kubernetes-sigs:master Oct 7, 2019
2 of 3 checks passed
tide Not mergeable.
cla/linuxfoundation chrisns authorized
continuous-integration/travis-ci/pr The Travis CI build passed
@chrisns

Contributor Author

commented Oct 7, 2019

@corneliusweig yeah, I guess I'd need to refresh myself on github's auth scopes, and what the consequential blast radius would be of the permissions required. e.g. could the creds be used to PR other repos, for spam or malware.

Separate accounts is a weird smell, even if I might then be able to claim an extra hacktoberfest t-shirt 😜

For this particular plugin I'm tending to be especially nervous/respectful since people end up trusting it with access to their password managers, which in turn have frustratingly big scopes (e.g. from best I can tell 1password cli gives you a session token and anything with that can retrieve anything without alert/warning/prompt/logs 😱 )

@chrisns chrisns deleted the chrisns:kubectl-passman-0.0.1 branch Oct 7, 2019
@rajatjindal

Contributor

commented Oct 9, 2019

Hi Chris/Ahmet/Cornelius

thanks for considering/suggesting the krew-plugin-release for this.

I understand the reservation about providing token to be able to submit PR on any repo.

can you think of a way that will help people have trust in this plugin?

e.g. I had set up automated docker builds to avoid manual push, code is open source.

I will be more than willing to make changes if there is anything that will make this better in terms of security/UX.

Thanks
Rajat Jindal

@rajatjindal

Contributor

commented Oct 9, 2019

how about, instead of asking each user to provide access to token, I can have a krew-plugin-release-bot account, that can open PR from its own repo instead of forking in your user's scope?

I think that should mitigate the concern?

@chrisns

Contributor Author

commented Oct 9, 2019

hi @rajatjindal
Not really any 'good' ideas, it's a universal supply chain problem especially with github actions that'll hopefully be addressed.

I guess if it became owned by the krew team that would provide some legitimacy; I'd personally still be nervous.
I've not tried it, but if the uses could refer to SHAs then at least I'd know it is as good as any due diligence I did at the time I installed it, however my ability to know about updates inc security ones would be lost unless the plugin 'phoned home' to check.

Your idea of PR'ing from an account you provide sounds like a good one, you'd need to invent some way to avoid clashing though. e.g. someone else intentionally or even accidentally clashing on name and you publishing over my plugin name.

The alternative could be revisiting how krew manages its package registry, whereby instead of providing a manifest, I provide a link to where a manifest can be retrieved, and krew polls it every n minutes to then provide a (validated) static cache to the cli to query.
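As an added example (not code from this PR, from krew, or from krew-plugin-release): a small linter that flags `uses:` references in a GitHub Actions workflow which are not pinned to a full commit SHA, the mitigation chrisns wonders about above. The workflow text is constructed, and the action names and the 40-hex SHA in it are placeholders.

```python
import re
from typing import List, Tuple

# Constructed sample workflow; the org/action names and the 40-hex SHA are
# placeholders, not real projects or commits.
SAMPLE_WORKFLOW = """\
name: release
on:
  push:
    tags: ['v*']
jobs:
  krew:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: ./.github/actions/build
      - name: pinned third-party action
        uses: some-org/some-action@0123456789abcdef0123456789abcdef01234567
      - uses: example-org/krew-release-action
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^'"\s#]+)""")


def classify(ref: str) -> str:
    """Return 'local', 'docker', 'sha', 'tag' or 'unpinned' for one uses: reference."""
    if ref.startswith("./"):
        return "local"       # action checked in to the same repository, nothing fetched
    if ref.startswith("docker://"):
        return "docker"      # container action; pin these by image digest instead
    if "@" not in ref:
        return "unpinned"    # no ref at all: resolves to the action's default branch
    version = ref.rpartition("@")[2]
    # A tag or branch can be moved after you reviewed it; a full commit SHA cannot.
    return "sha" if SHA_RE.fullmatch(version) else "tag"

def find_unpinned(workflow_text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, reference, kind) for every remote action not pinned to a SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        kind = classify(ref)
        if kind in ("tag", "unpinned"):
            findings.append((lineno, ref, kind))
    return findings
```

Running `find_unpinned(SAMPLE_WORKFLOW)` reports the tag-pinned checkout step and the completely unpinned release step, while the SHA-pinned and local steps pass.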

@chrisns

Contributor Author

commented Oct 9, 2019

if you did use your own token, you'd need to somehow do it in such a way that it couldn't be extracted, which is already sounding complex and gnarly

@chrisns

Contributor Author

commented Oct 9, 2019

e.g. I had setup automated docker builds to avoid manual push, code is open source.

yes, though the registry that it pulls from doesn't distinguish if it was manually created and pushed with potentially anything hidden in there, or automatically, which would be harder to poison caches to achieve the same thing.
It'd be nice if the auto builder signed the image, though sadly I've not yet seen any (free) ones do that.

@rajatjindal

Contributor

commented Oct 9, 2019

I was thinking more like the github action pushes an event to a downstream service (using GITHUB_TOKEN which is provided by default to all the actions), and then that downstream service actually validates GITHUB_TOKEN and then opens PR using its own token.

I need to think more, but I totally understand your concern, and appreciate the discussion. I will try to find some time this weekend to do a POC around this.

@corneliusweig

Contributor

commented Oct 9, 2019

@rajatjindal @chrisns In general the bot like the one written by @rajatjindal is a great idea. Maintaining that in krew could be an option but we need to think this through.

Let's move this discussion to a krew issue instead of this PR.
