fix: override secrets from path #204

Open

wants to merge 3 commits into main
Conversation

Member
@csatib02 csatib02 commented Jul 30, 2024

Overview

  • Fixes an issue with seeing multiple secrets with the same key.

Fixes #202

Notes for reviewers

Functionality is manually tested with the following script:

# Set the Vault address
export VAULT_ADDR="http://127.0.0.1:8200"

# Set the Vault token
export VAULT_TOKEN=227e1cce-6bf7-30bb-2d2a-acc854318caf

# Set secret env-var
export MYSQL_PASSWORD=vault:secret/data/test/mysql#MYSQL_PASSWORD
export AWS_SECRET_ACCESS_KEY=vault:secret/data/test/aws#AWS_SECRET_ACCESS_KEY
export AWS_ACCESS_KEY_ID=vault:secret/data/test/aws#AWS_ACCESS_KEY_ID

export VAULT_FROM_PATH=secret/data/test/aws

# Run secret-init
go build
./secret-init env | grep 'MYSQL_PASSWORD\|AWS_SECRET_ACCESS_KEY\|AWS_ACCESS_KEY_ID'
rm secret-init

Signed-off-by: Bence Csati <bcsati@cisco.com>
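To make the precedence the PR is after concrete, here is an added Go example; it is not code from this PR or from secret-init. It uses an in-memory stand-in for the Vault KV store, a parser for "vault:<path>#<key>" references, and a resolve step in which every key loaded from the from-path is applied last, so a path secret overrides both a plain environment variable and an explicit reference with the same name. The names store, parseRefs and resolve, and all sample paths and values, are assumptions of this example (the paths mirror the manual test script above; the values are made up).

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// secretRef is an explicit reference of the form "vault:<path>#<key>".
type secretRef struct {
	envName string
	path    string
	key     string
}

// parseRefs picks out the env vars whose value is a vault: reference.
// Hypothetical helper, not secret-init's own parser.
func parseRefs(environ map[string]string) []secretRef {
	var refs []secretRef
	for name, value := range environ {
		if !strings.HasPrefix(value, "vault:") {
			continue
		}
		path, key, ok := strings.Cut(strings.TrimPrefix(value, "vault:"), "#")
		if !ok || path == "" || key == "" {
			continue // malformed reference: leave the env var as it is
		}
		refs = append(refs, secretRef{envName: name, path: path, key: key})
	}
	// deterministic order regardless of map iteration
	sort.Slice(refs, func(i, j int) bool { return refs[i].envName < refs[j].envName })
	return refs
}

// store is an in-memory stand-in for Vault KV: path -> key -> value.
type store map[string]map[string]string

// resolve builds the final environment: explicit references are resolved
// first, then every key under fromPath is applied on top, so a secret from
// the path overrides anything (plain value or reference) with the same name.
func resolve(environ map[string]string, kv store, fromPath string) (map[string]string, error) {
	out := make(map[string]string, len(environ))
	for k, v := range environ {
		out[k] = v
	}
	for _, ref := range parseRefs(environ) {
		secret, ok := kv[ref.path]
		if !ok {
			return nil, fmt.Errorf("%s: path %q not found", ref.envName, ref.path)
		}
		val, ok := secret[ref.key]
		if !ok {
			return nil, fmt.Errorf("%s: key %q not found under %q", ref.envName, ref.key, ref.path)
		}
		out[ref.envName] = val
	}
	if fromPath != "" {
		secret, ok := kv[fromPath]
		if !ok {
			return nil, fmt.Errorf("from-path %q not found", fromPath)
		}
		for k, v := range secret {
			out[k] = v // the path wins over whatever was already present
		}
	}
	return out, nil
}

func main() {
	// Constructed sample data: same paths as the manual test, fake values.
	kv := store{
		"secret/data/test/mysql": {"MYSQL_PASSWORD": "mysql-from-ref"},
		"secret/data/test/aws": {
			"AWS_ACCESS_KEY_ID":     "aws-id-from-path",
			"AWS_SECRET_ACCESS_KEY": "aws-secret-from-path",
		},
	}
	environ := map[string]string{
		"MYSQL_PASSWORD":        "vault:secret/data/test/mysql#MYSQL_PASSWORD",
		"AWS_ACCESS_KEY_ID":     "vault:secret/data/test/aws#AWS_ACCESS_KEY_ID",
		"AWS_SECRET_ACCESS_KEY": "plain-env-value",
	}
	env, err := resolve(environ, kv, "secret/data/test/aws")
	if err != nil {
		panic(err)
	}
	for _, k := range []string{"MYSQL_PASSWORD", "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY"} {
		fmt.Printf("%s=%s\n", k, env[k])
	}
}
```

The order of the two passes is the whole point: if the path were applied first and the explicit references afterwards, AWS_ACCESS_KEY_ID would come from the reference and the duplicate-key problem would persist. A missing path or key is an error rather than a silent fallback to the reference string, so a misconfigured reference never ends up in a process environment as a literal "vault:..." value.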
@csatib02 csatib02 requested a review from a team as a code owner July 30, 2024 11:53
@csatib02 csatib02 requested review from ramizpolic, sagikazarmark and akijakya and removed request for a team July 30, 2024 11:53
@csatib02 csatib02 self-assigned this Jul 30, 2024
@csatib02 csatib02 added the kind/bug Categorizes issue or PR as related to a bug. label Jul 30, 2024
@github-actions github-actions bot added the size/L Denotes a PR that changes 500-999 lines label Jul 30, 2024
@csatib02 csatib02 changed the base branch from main to feat/secret-selection-done-on-provider-level July 30, 2024 11:54
@csatib02 csatib02 changed the title Feat/override secrets from path fix: override secrets from path Jul 30, 2024
@csatib02 csatib02 changed the base branch from feat/secret-selection-done-on-provider-level to main July 30, 2024 11:55
@csatib02 csatib02 changed the base branch from main to feat/secret-selection-done-on-provider-level July 30, 2024 12:16
@csatib02 csatib02 changed the base branch from feat/secret-selection-done-on-provider-level to main July 30, 2024 12:16
pkg/provider/provider.go (review thread, resolved)
pkg/provider/vault/vault.go (review thread, resolved)
Comment on lines +35 to 42
var ProviderTypes = []provider.Provider{
&file.Provider{},
&vault.Provider{},
&bao.Provider{},
&aws.Provider{},
&gcp.Provider{},
&azure.Provider{},
}
Member

we can register provider factories here and create them elsewhere

Suggested change
var ProviderTypes = []provider.Provider{
&file.Provider{},
&vault.Provider{},
&bao.Provider{},
&aws.Provider{},
&gcp.Provider{},
&azure.Provider{},
}
var factories = []provider.ProviderFactory{
file.NewProvider,
vault.NewProvider,
// and the rest
}

Since all provider operations are handled through the env store, we can create the providers there on demand in the store constructor, for example

import (
	"context"
	"fmt"
	"os"
	"strings"
)

// provider.Provider, provider.ProviderFactory and common.Config are the
// project's own types (pkg/provider, pkg/common); factories is the slice
// suggested above.

type EnvStore struct {
	data      map[string]string
	providers []provider.Provider
}

// NewEnvStore returns (*EnvStore, error): a factory can fail, so the
// constructor has to be able to report that instead of returning nil.
func NewEnvStore(ctx context.Context, config *common.Config) (*EnvStore, error) {
	// load env data
	environ := make(map[string]string, len(os.Environ()))
	for _, env := range os.Environ() {
		split := strings.SplitN(env, "=", 2)
		if len(split) != 2 {
			continue // skip entries without '=' rather than indexing out of range
		}
		name := split[0]
		value := split[1]
		environ[name] = value
	}

	// create providers
	var providers []provider.Provider
	for _, factory := range factories {
		p, err := factory(ctx, config)
		if err != nil {
			return nil, fmt.Errorf("failed to create provider from factory: %w", err)
		}

		providers = append(providers, p)
	}

	return &EnvStore{
		data:      environ,
		providers: providers,
	}, nil
}

You can now simply use the provider slice to streamline all operations (including parallelization ops).
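The factory pattern from the review, as an added Go example that is neither the reviewer's snippet nor secret-init code. Provider, ProviderFactory, Config, memProvider, newMemFactory, EnvStore and LoadAll are hypothetical names assumed here, and the sample paths and values are constructed. It differs from the snippet above in two ways a practitioner would want: a factory may return a nil provider to signal "not enabled", so a provider that is not configured does not abort construction of the store, and the store fans LoadSecrets out across all providers concurrently, failing the whole load if any provider fails instead of returning a partial environment.

```go
package main

import (
	"context"
	"fmt"
	"sync"
)

// Provider and ProviderFactory are hypothetical stand-ins for the
// provider.Provider and provider.ProviderFactory types named in the review.
type Provider interface {
	Name() string
	LoadSecrets(ctx context.Context, paths []string) (map[string]string, error)
}

// Config only records which providers are enabled (assumed for this example).
type Config struct {
	Enabled map[string]bool
}

type ProviderFactory func(ctx context.Context, cfg *Config) (Provider, error)

// memProvider is a constructed fake that serves secrets from a map.
type memProvider struct {
	name string
	data map[string]string
}

func (p *memProvider) Name() string { return p.name }

func (p *memProvider) LoadSecrets(ctx context.Context, paths []string) (map[string]string, error) {
	out := make(map[string]string, len(paths))
	for _, path := range paths {
		v, ok := p.data[path]
		if !ok {
			return nil, fmt.Errorf("%s: %q not found", p.name, path)
		}
		out[path] = v
	}
	return out, nil
}

// newMemFactory returns a factory that only builds the provider when it is
// enabled; (nil, nil) means "not configured", which is not an error.
func newMemFactory(name string, data map[string]string) ProviderFactory {
	return func(ctx context.Context, cfg *Config) (Provider, error) {
		if !cfg.Enabled[name] {
			return nil, nil
		}
		return &memProvider{name: name, data: data}, nil
	}
}

type EnvStore struct {
	providers []Provider
}

// NewEnvStore creates providers on demand from the registered factories.
func NewEnvStore(ctx context.Context, cfg *Config, factories []ProviderFactory) (*EnvStore, error) {
	var providers []Provider
	for _, f := range factories {
		p, err := f(ctx, cfg)
		if err != nil {
			return nil, fmt.Errorf("failed to create provider from factory: %w", err)
		}
		if p != nil {
			providers = append(providers, p)
		}
	}
	return &EnvStore{providers: providers}, nil
}

// LoadAll fans the per-provider path lists out concurrently. Results are
// keyed by provider name so the caller knows where each value came from;
// any provider failure fails the whole load.
func (s *EnvStore) LoadAll(ctx context.Context, paths map[string][]string) (map[string]map[string]string, error) {
	var (
		mu       sync.Mutex
		wg       sync.WaitGroup
		results  = make(map[string]map[string]string)
		firstErr error
	)
	for _, p := range s.providers {
		p := p
		wg.Add(1)
		go func() {
			defer wg.Done()
			secrets, err := p.LoadSecrets(ctx, paths[p.Name()])
			mu.Lock()
			defer mu.Unlock()
			if err != nil {
				if firstErr == nil {
					firstErr = err
				}
				return
			}
			results[p.Name()] = secrets
		}()
	}
	wg.Wait()
	if firstErr != nil {
		return nil, firstErr
	}
	return results, nil
}
```

Keeping results keyed by provider matters for the override question in this PR: once the per-provider maps are merged into one environment, the merge order is what decides which value wins for a duplicate key, so that merge belongs in one place rather than in each provider.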

// Remove the vault paths since they have been processed
delete(providerPaths, vault.ProviderName)
providerSecrets = append(providerSecrets, vaultSecrets...)
delete(providerPaths, "vault")
Member

If you need to use the specific provider type, I'd suggest keeping to the exposed consts (in this case vault.ProviderName, or vault.ProviderType for usage clarity).

Labels
kind/bug Categorizes issue or PR as related to a bug. size/L Denotes a PR that changes 500-999 lines
Development

Successfully merging this pull request may close these issues.

Secrets retrieved via vault-env-from-path annotation should override the environment variable
2 participants