Adding Hashicorp Vault KMS #507
Conversation
Codecov Report
@@ Coverage Diff @@
## develop #507 +/- ##
==========================================
- Coverage 35.84% 35.1% -0.74%
==========================================
Files 20 21 +1
Lines 2832 3111 +279
==========================================
+ Hits 1015 1092 +77
- Misses 1722 1901 +179
- Partials 95 118 +23
Continue to review full report at Codecov.
|
There was a problem hiding this comment.
I was about to send my own pull request to add this feature, and realized that you were faster than me!
And yours looks MUCH better than mine, in terms of flexibility - more configuration options like backend path.
Only thing I'd comment is to add some usage on this feature around L90 in main.go, like mumoshu@8f858c2#diff-c1be616053300bd7c4176b526f9ad9c1R90 and mumoshu@8f858c2#diff-c1be616053300bd7c4176b526f9ad9c1R102.
Other than that, this LGTM! Really looking forward to see this gets merged 🎉
|
Manually verified that this works 🎉 FWIW, this is the steps I've used for testing:
|
|
Thanks @mumoshu. |
|
I know the devops community currently associates the word (I made that mistake with |
|
@jvehent That makes sense! I had similar feeling when I was coding my own version of this feature. We currently use And to be consistent with |
|
Makes sense, can we all agree on —hc-vault so that i can make the change today?
… On 9 Aug 2019, at 15:11, KUOKA Yusuke ***@***.***> wrote:
@jvehent That makes sense! I had similar feeling when I was coding my own version of this feature.
We currently use --azure-kv for Azure KeyVault. If we exactly follow that, we can name it --hashicorp-v, but this doesn't make sense of course. --hashicorp-vault seems a bit verbose and inconsistent with others.
And to be consistent with --gcp-kms and --azure-kv, I think --kebab-case might be better. So how about --hc-vault?
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub, or mute the thread.
|
That seems fine to me. I'll do a full review next week, probably on Monday. |
|
+1 for |
|
This weekend I wasn’t able to make the desired changes and I’m leaving for 2 weeks on vacations.
I’ll be able to make those changes right away once I come back
… On Aug 9, 2019, at 20:21, Julien Vehent [:ulfr] ***@***.***> wrote:
+1 for --hc-vault
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub <#507>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AFFQIVHZRFYDGN5ACUULSWDQDWYUDANCNFSM4IKB7OOQ>.
|
vault/keysource_test.go
Outdated
| } | ||
|
|
||
| // pulls an image, creates a container based on it and runs it | ||
| resource, err := pool.Run("vault", "1.1.3", []string{"VAULT_DEV_ROOT_TOKEN_ID=secret"}) |
There was a problem hiding this comment.
I think I like this. We should probably do it for our other vault tests too
| // This is simply copied from GCPKMS | ||
| // TODO: handle key rotation on vault side | ||
| func (key *MasterKey) NeedsRotation() bool { | ||
| //TODO: manage rewrapping https://www.vaultproject.io/api/secret/transit/index.html#rewrap-data |
There was a problem hiding this comment.
That's interesting! I think it'd require changes to the MasterKey interface to make it useful, but it's good to know that there's encryption backends that allow this.
|
As to not duplicate effort, once autrilla's code review is addressed I'll dive into a review. Thanks for this awesome contribution @gitirabassi! |
|
@gitirabassi I'm still looking forward to make this happen. Please let me know if you need any help 😃 |
initial work on integration feat(vault): added cli coomands working for vualt" fix(vault): fixed config with correct tests fix(vault): added vault to keygroup and to keyservice server fixed metadata load
fix(doc): fix rst formatting" fix(doc): fix rst formatting
feat(cli): moved vault to hc-vault naming
|
@ajvb Now that autrilla's code review is addressed, would you mind reviewing this? 😃 |
There was a problem hiding this comment.
This is looking awesome @gitirabassi ! Thank you again for this PR.
One piece I mentioned is make sure there are functional tests for the cli. You can run them locally with make functional-tests and they are written in Rust here - https://github.com/mozilla/sops/blob/master/functional-tests/src/lib.rs. If you'd like to take a crack at adding one, that would be great! If not, no worries, I would be happy to add some as a follow-up.
| Cluster ID e532e461-e8f0-1352-8a41-fc7c11096908 | ||
| HA Enabled false | ||
|
|
||
| $ # We need to enable a transit engine if not already done (I prefer to create a transit engine specifically for sops, in which I can have multiple keys with various permission levels) |
There was a problem hiding this comment.
I prefer... - Let's change this from first person to more directional, i.e. It is suggested to..., etc
| HA Enabled false | ||
|
|
||
| $ # We need to enable a transit engine if not already done (I prefer to create a transit engine specifically for sops, in which I can have multiple keys with various permission levels) | ||
| $ vault secrets enable -path=sops transit |
There was a problem hiding this comment.
What does the error message look like if HC vault is not configured properly before trying to use it? Is the error message passed down to the user?
| } | ||
|
|
||
| // pulls an image, creates a container based on it and runs it | ||
| resource, err := pool.Run("vault", "1.2.2", []string{"VAULT_DEV_ROOT_TOKEN_ID=secret"}) |
There was a problem hiding this comment.
This is pretty awesome imo, but we might want to change this. In the develop branch, we currently are running vault within Travis CI (https://github.com/mozilla/sops/blob/develop/.travis.yml#L22-L24). This is currently only being used for functional tests (which we should also consider adding either in this PR or in a follow-up), but no reason it can't be used and required for unit tests. @autrilla do you agree?
There was a problem hiding this comment.
I don't think it's great to require people to install Vault to run unit tests. Personally I feel it's better to have the tests pull down any required dependencies if possible -- if we could, we should probably make the functional tests set up a temporary Vault instance as well, so users don't have to worry about their environment.
| } | ||
| log.Debugf("Path: %v \nValues: %v\n", fullPath, values) | ||
| if values[0] != "v1" { | ||
| return "", "", fmt.Errorf("probably forgot v1 in the URI") |
There was a problem hiding this comment.
I'd consider making this more generic and similar to the len() check: Vault path does not seem to be formatted correctly (eg. https://vault.example.com:8200/v1/transit/keys/keyName)
| values := strings.Split(fullPath, "/") | ||
| // minimum length should be 4 "v1", "transit", "keys", "keyName" | ||
| if len(values) < 4 { | ||
| return "", "", fmt.Errorf("The path to the key is not long enough: (eg. https://vault.example.com:8200/v1/transit/keys/keyName") |
There was a problem hiding this comment.
missing a closing ) in the string.
| return "", "", fmt.Errorf("probably forgot v1 in the URI") | ||
| } | ||
| if values[len(values)-2] != "keys" { | ||
| return "", "", fmt.Errorf("probably forgot 'keys' in the URI") |
There was a problem hiding this comment.
Same here in regards to making the error message more generic.
| return nil, err | ||
| } | ||
| if u.Scheme == "" { | ||
| return nil, fmt.Errorf("missing scheme in vault URL (should be like this: https://vault.example.com:8200/v1/transit/keys/keyName, got: %v", uri) |
| "github.com/ory/dockertest" | ||
| "github.com/stretchr/testify/assert" | ||
| ) | ||
|
|
There was a problem hiding this comment.
These tests look great, but it would be nice to see some failure test cases. What happens if the vault address is incorrect? Of the path? etc.
| @@ -0,0 +1,272 @@ | |||
| package vault | |||
There was a problem hiding this comment.
I believe it would be worth renaming this package to hcvault to bring it into alignment with the CLI and from our learned lesson on having kms and gcpkms packages.
|
Is it planned to merge it ? Because without this merge, it's impossible to use sops for internal use (no cloud) |
Well, if the review comments are addressed, yes. Since this seems somewhat stale, feel free to open a new PR based on this branch addressing all the comments and resolving merge conflicts. |
|
@gitirabassi Hi! Might you have a chance to pick this up again? Would be awesome to see this merged! |
|
I'm hoping to get this done by the end of the month |
|
I added a PR based on this one an tried to fix the points from the review: #623 |
|
Awesome, thank you! |
|
This can be closed now that #655 has been merged. |
No description provided.