External Secret Storage Implementation #85
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
pradithya
changed the title
added 2 commits
May 4, 2023 17:35
added 17 commits
May 9, 2023 11:08
krithika369
approved these changes
May 23, 2023
This was referenced May 23, 2023
|
Based on the video user can sees existing value in secret. I'm not sure that's a good idea, since in our case the mlp administrator also can see the secret that user defined |
2 tasks
Updated the secret data text box to use |
pradithya
added a commit
to caraml-dev/merlin
that referenced
this pull request
May 25, 2023
**What this PR does / why we need it**: MLP's Secret API removes the application-level encryption when [returning the secret data](caraml-dev/mlp#85). Moving forward, we'll rely on TLS to secure the secrets while in transit. This PR updates the MLP client used by Merlin and removes the decryption process when retrieving a secret from MLP. **Which issue(s) this PR fixes**: <!-- *Automatically closes linked issue when PR is merged. Usage: `Fixes #<issue number>`, or `Fixes (paste link of issue)`. --> **Does this PR introduce a user-facing change?**: <!-- If no, just write "NONE" in the release-note block below. If yes, a release note is required. Enter your extended release note in the block below. If the PR requires additional action from users switching to the new release, include the string "action required". For more information about release notes, see kubernetes' guide here: http://git.k8s.io/community/contributors/guide/release-notes.md --> ```release-note ``` **Checklist** - [x] Tested in dev environment with MLP version caraml-dev/mlp#85 - [N.A.] Added unit test, integration, and/or e2e tests - [N.A.] Updated documentation - [N.A.] Update Swagger spec if the PR introduce API changes - [N.A.] Regenerated Golang and Python client if the PR introduce API changes --------- Co-authored-by: Pradithya Aria <pradithya.pura@go-jek.com>
tiopramayudi
approved these changes
May 25, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The PR implements the ability for storing secrets in external storage.
The main changes are as follows:
Add Secret Storage Resource
Secret Storage is a resource representing the abstraction for storing secrets. There are 2 types of secret storage implemented:
internalandvault. Aninternalsecret storage will store its secret values in thedatacolumn of thesecretstable. On the other hand,vaultsecret storage will not populate the column, but instead, store the secret in the corresponding vault instance specified in theVaultConfig.Allow Users to Choose Secret Storage when Creating Secrets
When creating a secret, users can choose the secret storage to be used. If the secret storage is not specified, it will be stored in the default secret storage that's being configured in the MLP deployment.
Note that secret migration is handled and will be triggered if the secret storage is modified.
Screen.Recording.2023-05-24.at.10.27.35.PM.mov
Secret Migration from Previous MLP API Version
Existing secrets will be migrated to the
internalsecret storage during the DB migration. To migrate to different secret storage we can send updated secret and specify the new secret storage.Breaking Changes 🔥
Previous secret APIs implementation encrypts secret data during transfer and when storing it in DB. This behavior is removed and we'll rely on TLS to secure the secret transmission. In order to handle this we'll have to decrypt all the secrets and update the secret value when performing the migration to new secret storage.
Minor Improvements
make it-test-apifor both testing in CI and locally.make local-envto setup all necessary local dependenciesstoragepackage torepositoryso that it won't get confused with Secret Storagevaultcode for retrieving cluster secrets