
[workbench] support Sealed Secrets #384

Merged (9 commits, Jun 21, 2023)

Conversation

wmcdona89 (Contributor)

Fixes #374

Support Sealed Secrets in the rstudio/workbench chart to allow for storing secrets in SCM and to ensure secrets are never leaked via helm.

Changes

  • adds SealedSecret templates alongside existing Secret templates in the configmap-secret and configmap-session template files
  • adds a feature flag to enable the use of SealedSecret templates instead of Secret templates to deploy secrets
  • config.secret."database.conf" now defaults to null instead of {} to allow it to be set to a string

Sample values

```yaml
sealedSecret:
  enabled: true
  annotations:
    sealedsecrets.bitnami.com/namespace-wide: "true"

config:
  secret:
    secret.conf: AgBD1mUgglt5c8Uvu18wHr0ADQF1npS0OMRs1AKwv+8gLOIxn/1ssLin1fCaqc/mdQn6O3X6dpAlBOn+KuUiKTliPGoJmJQE3fS5jSG6P9fkv0RM2Ynr660cql4LUG1zLwqx7uQnt08vXM7eHFxvoHsf5bZJIbO/P1gVIIMtCD/cbXS24sfnYcveHMw4FHlovrkmMvNhMGU2eUBiwgJwQhSHl4E07gJwsi+x4ZuT9gRSNLVL/7vH69jMqeDyF4J4WxHc4ST80qwQKtDwLE62FNJkXzvOb6SwCP9QEzykqVCX3cy0BX26ZRSncImJjS/N+N6K54DJSlu5AlIBCXPr/XHCb1aakrS/jJIO2kiMtnF8Cm1aNX+pnzLGrdFOTVfVctZWTrkkfRaSWOXpq5WXDnzcFCJSn4dF7KSNa6Q2FB6qziEQ51ONTPJI0JfvBDLZ/HNoLBE9ICRv9ItsX1MjVH3kcYJunoK8N4ie4iBm7EvVvw9OdZvNzM4VH5BApOZ5LGSV5qx2Br+k5H73LDuVtfLMcJHdmCBmkLwYBLUGixWyI11lfxsLd5Nkes3odw3sxx7wsaOzX5EOCz2st/dRiXuJK+df3FUXB4lUFaPgvGIlEwCdG7G1lKq9tXmcuP8lZxd/OVPJq7AP67SGvaLyOFnKSdBhjMdiSdMYW/8DEuhP3QsqpcHdKitFfpBgo5E7msyl3jnA2w==

  sessionSecret:
    odbc.ini: AgBD1mUgglt5c8Uvu18wHr0ADQF1npS0OMRs1AKwv+8gLOIxn/1ssLin1fCaqc/mdQn6O3X6dpAlBOn+KuUiKTliPGoJmJQE3fS5jSG6P9fkv0RM2Ynr660cql4LUG1zLwqx7uQnt08vXM7eHFxvoHsf5bZJIbO/P1gVIIMtCD/cbXS24sfnYcveHMw4FHlovrkmMvNhMGU2eUBiwgJwQhSHl4E07gJwsi+x4ZuT9gRSNLVL/7vH69jMqeDyF4J4WxHc4ST80qwQKtDwLE62FNJkXzvOb6SwCP9QEzykqVCX3cy0BX26ZRSncImJjS/N+N6K54DJSlu5AlIBCXPr/XHCb1aakrS/jJIO2kiMtnF8Cm1aNX+pnzLGrdFOTVfVctZWTrkkfRaSWOXpq5WXDnzcFCJSn4dF7KSNa6Q2FB6qziEQ51ONTPJI0JfvBDLZ/HNoLBE9ICRv9ItsX1MjVH3kcYJunoK8N4ie4iBm7EvVvw9OdZvNzM4VH5BApOZ5LGSV5qx2Br+k5H73LDuVtfLMcJHdmCBmkLwYBLUGixWyI11lfxsLd5Nkes3odw3sxx7wsaOzX5EOCz2st/dRiXuJK+df3FUXB4lUFaPgvGIlEwCdG7G1lKq9tXmcuP8lZxd/OVPJq7AP67SGvaLyOFnKSdBhjMdiSdMYW/8DEuhP3QsqpcHdKitFfpBgo5E7msyl3jnA2w==

  userProvisioning:
    user.conf: ...

global:
  secureCookieKey: AgBD1mUgglt5c8Uvu18wHr0ADQF1npS0OMRs1AKwv+8gLOIxn/1ssLin1fCaqc/mdQn6O3X6dpAlBOn+KuUiKTliPGoJmJQE3fS5jSG6P9fkv0RM2Ynr660cql4LUG1zLwqx7uQnt08vXM7eHFxvoHsf5bZJIbO/P1gVIIMtCD/cbXS24sfnYcveHMw4FHlovrkmMvNhMGU2eUBiwgJwQhSHl4E07gJwsi+x4ZuT9gRSNLVL/7vH69jMqeDyF4J4WxHc4ST80qwQKtDwLE62FNJkXzvOb6SwCP9QEzykqVCX3cy0BX26ZRSncImJjS/N+N6K54DJSlu5AlIBCXPr/XHCb1aakrS/jJIO2kiMtnF8Cm1aNX+pnzLGrdFOTVfVctZWTrkkfRaSWOXpq5WXDnzcFCJSn4dF7KSNa6Q2FB6qziEQ51ONTPJI0JfvBDLZ/HNoLBE9ICRv9ItsX1MjVH3kcYJunoK8N4ie4iBm7EvVvw9OdZvNzM4VH5BApOZ5LGSV5qx2Br+k5H73LDuVtfLMcJHdmCBmkLwYBLUGixWyI11lfxsLd5Nkes3odw3sxx7wsaOzX5EOCz2st/dRiXuJK+df3FUXB4lUFaPgvGIlEwCdG7G1lKq9tXmcuP8lZxd/OVPJq7AP67SGvaLyOFnKSdBhjMdiSdMYW/8DEuhP3QsqpcHdKitFfpBgo5E7msyl3jnA2w==

launcherPem: ...
```

Design Considerations

Separate SealedSecret and Secret templates in a single helm template file is proposed over...

  • using fine-grained if/else conditions to render either SealedSecret values or Secret values, as the SealedSecret and Secret templates have a number of syntax differences and this approach would arguably make the helm template file less readable. For example:

    ```yaml
    {{- if .Values.sealedSecret.enabled -}}
    apiVersion: bitnami.com/v1alpha1
    kind: SealedSecret
    {{- else }}
    apiVersion: v1
    kind: Secret
    {{- end }}
    ...
    {{- if .Values.sealedSecret.enabled -}}
    spec:
      encryptedData:
    {{- else }}
    stringData:
    {{- end }}
    ```

  • placing SealedSecret templates and Secret templates in separate helm template files. The SealedSecret templates will need to stay in sync with the Secret templates to some extent, and the templates are small enough to manage together in a single file. While separate files would allow for a file diff, the relationship between the files may not be obvious.
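The sample values above only work because the ciphertext is bound to a scope: the `sealedsecrets.bitnami.com/namespace-wide: "true"` annotation on the rendered SealedSecret has to agree with the scope `kubeseal` was run with, or the controller cannot unseal the value. To make that binding concrete, here is an added Go example; it is not code from the rstudio/helm chart or from the sealed-secrets project, but it follows the hybrid format the sealed-secrets controller uses (a random AES-256 session key wrapped with RSA-OAEP/SHA-256 under a scope label, a two-byte big-endian length prefix, then AES-GCM with an all-zero nonce). The namespace, secret name and plaintext are constructed; the 2048-bit key is only for speed, the controller's default is 4096 bits, which is exactly what the leading `AgBD` of every sample value above encodes (bytes `02 00`, a 512-byte wrapped key).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
)

// sessionKeyBytes is the size of the single-use AES-256 key wrapping each value.
const sessionKeyBytes = 32

// ScopeLabel is the RSA-OAEP label that binds a sealed value to its scope:
// strict (the default) binds to namespace/name, namespace-wide (the annotation
// used in the sample values) binds to the namespace only, cluster-wide is empty.
func ScopeLabel(namespace, name string, namespaceWide, clusterWide bool) []byte {
	switch {
	case clusterWide:
		return []byte{}
	case namespaceWide:
		return []byte(namespace)
	default:
		return []byte(namespace + "/" + name)
	}
}

// Seal is the kubeseal side: wrap a fresh AES key with RSA-OAEP(SHA-256) under
// the scope label, prefix the wrapped key with its 2-byte length, then append
// the AES-GCM ciphertext. The zero nonce is safe only because the session key
// is never reused.
func Seal(pub *rsa.PublicKey, plaintext, label []byte) (string, error) {
	sessionKey := make([]byte, sessionKeyBytes)
	if _, err := rand.Read(sessionKey); err != nil {
		return "", err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, label)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return "", err
	}
	out := make([]byte, 2, 2+len(wrapped)+len(plaintext)+gcm.Overhead())
	binary.BigEndian.PutUint16(out, uint16(len(wrapped)))
	out = append(out, wrapped...)
	out = gcm.Seal(out, make([]byte, gcm.NonceSize()), plaintext, nil)
	return base64.StdEncoding.EncodeToString(out), nil
}

// WrappedKeyLen reads the length prefix, i.e. the sealing key size in bytes.
func WrappedKeyLen(sealed string) (int, error) {
	raw, err := base64.StdEncoding.DecodeString(sealed)
	if err != nil {
		return 0, err
	}
	if len(raw) < 2 {
		return 0, errors.New("sealed value shorter than its length prefix")
	}
	return int(binary.BigEndian.Uint16(raw[:2])), nil
}

// Unseal is the controller side. OAEP only unwraps the session key when the
// label matches the one used at sealing time, so a namespace-wide value can
// neither be moved to another namespace nor be re-scoped to strict later.
func Unseal(priv *rsa.PrivateKey, sealed string, label []byte) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(sealed)
	if err != nil {
		return nil, err
	}
	n, err := WrappedKeyLen(sealed)
	if err != nil {
		return nil, err
	}
	if len(raw) < 2+n {
		return nil, errors.New("truncated RSA ciphertext")
	}
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, raw[2:2+n], label)
	if err != nil {
		return nil, fmt.Errorf("scope label mismatch or wrong key: %w", err)
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, make([]byte, gcm.NonceSize()), raw[2+n:], nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Constructed demo key; real controllers default to 4096 bits.
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	nsWide := ScopeLabel("rstudio", "workbench-secret", true, false)
	sealed, err := Seal(&key.PublicKey, []byte("db-password"), nsWide)
	if err != nil {
		panic(err)
	}
	pt, err := Unseal(key, sealed, nsWide)
	fmt.Println("namespace-wide label:", string(pt), err)
	_, err = Unseal(key, sealed, ScopeLabel("rstudio", "workbench-secret", false, false))
	fmt.Println("strict label on the same object:", err)
	_, err = Unseal(key, sealed, ScopeLabel("other-ns", "", true, false))
	fmt.Println("same value copied to another namespace:", err)
}
```

The practical check this gives you: if a chart user seals with the default strict scope but the chart renders the SealedSecret with the `namespace-wide` annotation (or vice versa), the label differs and the controller logs an unseal failure rather than a plaintext Secret. Keeping the scope annotation next to `sealedSecret.enabled` in values, as this PR does, keeps both halves of that agreement in one place.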

colearendt (Member) left a comment

Thanks for this! It looks awesome! I'll try to get a chance to play with this in the next few days so we can get it merged 😄

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: {{ include "rstudio-workbench.fullname" . }}-secret
  namespace: {{ $.Release.Namespace }}
stringData:
{{ include "rstudio-library.config.ini" .Values.config.secret | indent 2 }}
```

Suggested change:

```yaml
{{- include "rstudio-library.config.ini" .Values.config.secret | nindent 2 }}
```
Review comment (Member):

Thanks for fixing these!

@@ -318,6 +318,19 @@ config:
- "two-image:tag
```

## Sealed Secrets
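Review bot: the visible part of this README hunk is only the new `## Sealed Secrets` heading, so make sure the section body covers the two things a user has to get right, both of which come from the PR description: the `sealedsecrets.bitnami.com/namespace-wide: "true"` annotation on the rendered SealedSecret must match the scope the values were sealed with, and `config.secret."database.conf"` now defaults to `null` instead of `{}`, which is a values-schema change worth a one-line compatibility note for existing users. Separately, the context line `- "two-image:tag` just above is missing its closing quote; if that is not an extraction artifact, it is a pre-existing README typo worth fixing while this section is being edited.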
Review comment (Member):

Thanks for the thorough explanation!

CLAassistant commented Jun 13, 2023

CLA assistant check: All committers have signed the CLA.

colearendt (Member)

@wmcdona89 I know it can be a bit tedious - are you up for signing the CLA? It looks like there is a disconnect from the email used for your commits (work) and the one on your GitHub account. Feel free to refactor / rebase / re-author the commits if you want!

Otherwise I think we are good to merge!

@colearendt colearendt merged commit e76687b into rstudio:main Jun 21, 2023
4 of 5 checks passed
Successfully merging this pull request may close these issues: support use of SealedSecrets (#374)