Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Certhandler secrets vault #87

Merged
merged 22 commits into from
May 2, 2024
Merged

Certhandler secrets vault #87

merged 22 commits into from
May 2, 2024

Conversation

PietroPasotti
Copy link
Contributor

@PietroPasotti PietroPasotti commented May 1, 2024
edited
Loading

Issue

certhandler is overly complicated, storing public data in too many juju secrets

Solution

  • remove two of the three secrets, only store the privkey in a secret and retrieve csr and chain as needed from the relation data
  • instead of storing secret ids in relation databags, rely on hardcoded secret labels to always know what secret to pick
  • generate privkey on-demand and use the secret storage to persist and verify if we've generated it already
  • automatically detect if juju supports secrets, and if not fall back to a 'peers' peer-relation backed storage solution for the private key (as plaintext).
  • automatically migrate from peer to secrets- backend if on charm-upgrade we obtain access to secrets

Testing Instructions

A good test would be:

  • deploy cos-lite
  • jhack sync the lib to all charms who use it
  • deploy self-signed certs and imatrix fill

Tandem pr: canonical/traefik-k8s-operator#346

@sed-i
Copy link
Contributor

sed-i commented May 1, 2024

Great @PietroPasotti.
Can you link to the tandem PR?

PietroPasotti and others added 11 commits May 2, 2024 10:28
@PietroPasotti PietroPasotti mentioned this pull request May 2, 2024
Closed
@PietroPasotti
Copy link
Contributor Author

@sed-i tandem pr: canonical/traefik-k8s-operator#346

@PietroPasotti
Copy link
Contributor Author

PietroPasotti commented May 2, 2024
edited
Loading

Traefik's TLS itests passed AKA failed but for the wrong reasons. Merging away.

@PietroPasotti PietroPasotti merged commit 5955136 into main May 2, 2024
13 checks passed
@PietroPasotti PietroPasotti deleted the certhandler-secrets-vault branch May 2, 2024 15:01
@sed-i
Copy link
Contributor

sed-i commented May 2, 2024
edited
Loading

Traefik's TLS itests passed AKA failed but for the wrong reasons. Merging away.

The linked itests are loki, not traefik. Traefik's itest failed for something that looks relevant:
https://github.com/canonical/traefik-k8s-operator/actions/runs/8925027611/job/24512805931?pr=346#step:6:1131

Scratch that, it's forward_auth that failed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sed-i sed-i sed-i left review comments

@Abuelodelanada Abuelodelanada Abuelodelanada approved these changes

@dstathis dstathis Awaiting requested review from dstathis

@IbraAoad IbraAoad Awaiting requested review from IbraAoad

@lucabello lucabello Awaiting requested review from lucabello

@mmkay mmkay Awaiting requested review from mmkay

@simskij simskij Awaiting requested review from simskij

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@PietroPasotti @sed-i @Abuelodelanada