-
Notifications
You must be signed in to change notification settings - Fork 252
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Secrets providers API, initial TextFile and EnvironmentVariable provider implementations #887
Conversation
…y-plugin Constant provider, add tests
…stead of python entry_points
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The form does not appear to be presenting on create of a new secret, no matter the . If I create a new environment-variable
new secret, the form doesn't show, but if I use JSON then go to edit the form, I am able to then use the form to update the value.
Good catch! Probably on the last N iterations of working on this I was just working with existing secrets and forgot to test the new-secret flow with the latest code. Will fix. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Registration comment/concern. Not quite asking for changes just yet, but another area where I'm curious about your line of thinking.
Presumably this is in support of #541, which did initially state that:
In support of the highlighted "device credentials", I was expecting there would be some kind of context and/or accommodations for devices, where a given device would be presented as a configurable parameter as |
The current idea is that rather than having a dynamic parameter in the Secret definition itself, we will provide the ability to associate a specific Secret with a single device or a set of devices (using the config-context pattern). This does mean that if you have a different set of credentials for each device, you will need to create a distinct Secret record per device (rather than a single Secret definition that somehow resolves to a different secret value per device), but in the (hopefully more common) case where you have a shared service account for a whole group of devices, you will be able to create a single Secret and share it across that set of devices. Does this adequately address your concern? |
You are addressing the more common, however, there is certainly examples of per device, I actually had a customer today tell us that the there is a new requirement for the user/pass to be per device. I am not a fan of the config-context pattern, as is a bit of magic that will not be obvious to users. I also think that with the |
Good points, thanks Ken. We should discuss this some more. Need to make sure that any solution we come up with isn't too tightly coupled with Devices specifically (as that was a key shortcoming of the old feature). I'm also hesitant about the usability/painfulness of potentially needing something like a mixture of Jinja2 templating with JSON if we need to have dynamic parameters to the lookup. |
Merging this into the |
… Groups (#868) * Initial model, UI, and REST API for Secrets * Secrets providers API, initial TextFile and EnvironmentVariable provider implementations (#887) * Add Secret.value property, add EnvironmentVariable provider, add dummy-plugin Constant provider, add tests * Add TextFileSecretProvider * Add docs * Improve display of secret providers in the UI * Refactor SecretsProvider registration to use the Nautobot registry instead of python entry_points * Refactor slightly * Add ability for secrets providers to define an HTML form for parameter inputs * Fix default value for JSONField and add error handling in JS * Add username_secret and token_secret support to GitRepository * Docs updates * Review feedback - add description field, etc. * Revise secrets docs; add SecretError exceptions instead of returning None on various failures * One of these days I'll remember to run flake8 before pushing * Review comments * SecretsGroup feature (#1042) * WIP * More WIP * WIP remove SecretType model * Such WIP. Wow * WIP: working secretsgroup-edit UI * More WIP * Change Category/Meaning to Access Type/Secret Type * Add SecretsGroup key to Device model; get tests passing * Add test coverage for REST API and filters * Add SecretsGroup view tests * Linting fixes * Docs updates * Cleanup leftover SecretType cruft * Update nautobot/docs/user-guides/git-data-source.md Co-authored-by: Jathan McCollum <jathan@gmail.com> * Fix egregious issues Co-authored-by: Jathan McCollum <jathan@gmail.com> * Support Jinja2 templating of secret parameters (#1058) * Support Jinja2 templating of secret parameters * Add secrets providers to plugin detail view * Doc updates * Include SecretsGroupAssociation in GraphQL * Move 'Secrets' to a top-level menu * Don't try to sort `SecretsProvider` class objects in plugin config features registry (#1065) * Fix TypeError when trying to sort `SecretsProvider` class objects * Don't sort `secrets_providers` when added to features. * Add release-note content for Secrets * Update nautobot/extras/views.py Co-authored-by: John Anderson <lampwins@gmail.com> * Change FK to SecretsGroup behavior to SET_NULL * Use render_jinja2() in rendered_parameters() Co-authored-by: Jathan McCollum <jathan@gmail.com> Co-authored-by: John Anderson <lampwins@gmail.com>
Fixes: #
Secret
classSecretsProvider
abstract base class defining the interface for retrieving a specific secret from a specific secrets providerEnvironmentVariableSecretsProvider
andTextFileSecretsProvider
concrete implementationsSecret.value
property now retrieves the value from the specifiedSecretsProvider
with the specifiedparameters
SecretsProvider
subclassesConstantValueSecretsProvider
SecretsProvider
classes can now provide aParametersForm
that will be displayed as an alternative to the JSON text fieldParametersForm
when selecting or changing providersTODO:
EnvironmentVariableSecretsProvider
andTextFileSecretsProvider
to reduce potential security risks of allowing a user to access environment variables or filesystem files that they shouldn't actually be permitted to access.