
add OpenBao as key provider for state encryption #1436

Merged 22 commits, Apr 8, 2024

Conversation

ollevche
Member

@ollevche ollevche commented Mar 26, 2024

Description

This PR adds a new key provider implementation backed by OpenBao (part of #1174).

The implementation is based on the Transit Secret Engine's GenerateDataKey and Decrypt API endpoints.

Documentation will be added as another PR. Here is what the user-facing key_provider block looks like:

```hcl
key_provider "openbao" "my_bao" {
    # Required
    key_name = "test-key"

    # Optional, could be set as BAO_TOKEN env variable
    token = "s.dummytoken"

    # Optional, could be set as BAO_ADDR env variable
    address = "http://127.0.0.1:8200"

    # Optional, allows different Transit Engine mount paths
    transit_engine_path = "/my-org/transit"

    # Optional, default value is 32 bytes
    key_length = 16
}
```

I tested it manually and ran compliance tests against OpenBao, Vault, and internal mock.

Update

  • data_key_bit_size (bits) changed to key_length (bytes)
  • add transit_engine_path field

Target Release

1.7.0

Signed-off-by: ollevche <ollevche@gmail.com>
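As an added illustration of the two Transit calls the description names (this is example code, not the PR's or OpenTofu's implementation), here is a minimal Go client driven by the fields of the key_provider block above. Assumptions: the `Config` type and function names are this example's own, the `X-Vault-Token` header and the `/v1/{mount}/datakey/plaintext/{key}` and `/v1/{mount}/decrypt/{key}` paths follow the Vault-compatible Transit API, and `transit_engine_path` is always set explicitly (the default mount is not filled in).

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/json"
	"errors"
	"net/http"
	"path"
)

// Config mirrors the key_provider "openbao" block in the PR description; the Go names are this example's own.
type Config struct {
	Address, Token, KeyName, TransitEnginePath string
	KeyLength                                  int // data key size in bytes, as in the HCL block
}

// transitPost does POST {address}/v1/{mount}/{op}/{key_name} and returns the base64-decoded plaintext and the ciphertext.
func transitPost(c Config, op string, body any) (plaintext []byte, ciphertext string, err error) {
	buf, _ := json.Marshal(body)
	url := c.Address + path.Join("/v1", c.TransitEnginePath, op, c.KeyName) // Join tolerates "/my-org/transit"
	req, _ := http.NewRequest(http.MethodPost, url, bytes.NewReader(buf))
	req.Header.Set("X-Vault-Token", c.Token) // OpenBao keeps the Vault-compatible token header (assumption)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK { // e.g. 403 Forbidden when the token's policy does not cover this path
		return nil, "", errors.New("transit " + op + ": " + resp.Status)
	}
	var out struct{ Data struct{ Plaintext, Ciphertext string } `json:"data"` } // key_version etc. are ignored
	if err = json.NewDecoder(resp.Body).Decode(&out); err != nil {
		return nil, "", err
	}
	plaintext, err = base64.StdEncoding.DecodeString(out.Data.Plaintext)
	return plaintext, out.Data.Ciphertext, err
}

// GenerateDataKey asks Transit for a fresh data key of key_length bytes (the API takes bits).
// The plaintext encrypts state locally; only the ciphertext, wrapped under key_name, is persisted.
func GenerateDataKey(c Config) (key []byte, wrapped string, err error) {
	return transitPost(c, "datakey/plaintext", map[string]int{"bits": c.KeyLength * 8})
}

// DecryptDataKey sends a persisted ciphertext back to Transit to recover the data key bytes.
func DecryptDataKey(c Config, wrapped string) ([]byte, error) {
	key, _, err := transitPost(c, "decrypt", map[string]string{"ciphertext": wrapped})
	return key, err
}
```

The point of the split is that the wrapping key never leaves OpenBao: a caller keeps only the returned ciphertext next to the encrypted state and must go back through `DecryptDataKey` (and therefore through the token's policy) to recover the data key.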

Reminder for the PR assignee: If this is a user-visible change, please update the changelog as part of the PR.

@ollevche ollevche marked this pull request as ready for review March 27, 2024 16:12
@ollevche ollevche requested a review from a team as a code owner March 27, 2024 16:12
cam72cam
cam72cam previously approved these changes Mar 29, 2024
Contributor

@siddharthasonker95 siddharthasonker95 left a comment


LGTM

cube2222
cube2222 previously approved these changes Mar 29, 2024
Collaborator

@cube2222 cube2222 left a comment


Nice one!

I'd like for Janos to have a final look at this before merging, please.

janosdebugs
janosdebugs previously approved these changes Apr 2, 2024
Contributor

@janosdebugs janosdebugs left a comment


Great work, just lots of tiny nit-picks! Thanks for this!

Review threads (all resolved, now outdated) on internal/encryption/keyprovider/openbao/client.go, internal/encryption/keyprovider/openbao/config.go and internal/encryption/keyprovider/openbao/provider.go.
janosdebugs
janosdebugs previously approved these changes Apr 2, 2024
Contributor

@janosdebugs janosdebugs left a comment


Thank you for all the fixes!

@ollevche
Member Author

ollevche commented Apr 3, 2024

Note: we need to update the links in docs once the OpenBao website is up and running.

Created an issue in OpenBao: openbao/openbao#262


@cipherboy cipherboy left a comment


I don't think my comments about key and paths are worth holding up this PR over, looks good @ollevche! Looking forward to this feature and thanks for the collaboration :-D

@Yantrio Yantrio merged commit e1e1829 into main Apr 8, 2024
14 checks passed
@Yantrio Yantrio deleted the openbao-keyprovider branch April 8, 2024 12:38
bunniseng pushed a commit to bunniseng/opentofu that referenced this pull request Apr 8, 2024