
feat: Added ability to parse keyvalue as an azure keyvault ID #50

Merged (3 commits), Dec 13, 2022

Conversation

@sgettys sgettys commented Dec 9, 2022

Signed-off-by: Steven Gettys <s.gettys@f5.com>

…ort lookups across multiple keyvaults

Signed-off-by: Steven Gettys <s.gettys@f5.com>
sgettys commented Dec 9, 2022

What does this change

This adds the ability for the azure key vault secrets plugin to resolve secrets when the secret keyValue is specified as the secret ID instead of just the secret name. The following behavior was added:

  • Given: A porter config that specifies azure.keyvault and has a key vault name defined in the config
    • When: A credential set has the source set to "secret"
    • And: The value specified in that field is a full azure key vault secret ID
      • Then: The secrets plugin will attempt to fetch that secret using the values from key vault URL, secret name, and version that is parsed from that ID

The new plugin behavior does not break backwards compatibility. It will check that the provided secret keyValue can be parsed as a secret ID. If it can, then it attempts to fetch that based on the values it parsed. If it fails, then it will fall back to attempting to read it as the secret name in the configured key vault. Only after it has failed both attempts to resolve the secret will the plugin fail.

What issue does it fix

Closes #49

Checklist

  • Did you write tests?
  • Did you write documentation?
  • Did you perform integration tests?

@carolynvs carolynvs left a comment


This is great. I didn't see any problems so just let me know when you'd like a full review.

Review comment on pkg/azure/keyvault/store.go (outdated, resolved)
Signed-off-by: Steven Gettys <s.gettys@f5.com>
sgettys commented Dec 13, 2022

Tested with a mix of secret names and secret IDs in both the keyvault configured for the plugin as well as a separate keyvault that the user running porter has access to. Able to resolve all combinations of secret names and IDs.

Example porter config:

default-secrets: keyvault
secrets:
  - name: "keyvault"
    plugin: "azure.keyvault"
    config:
      vault: "test-kv-1"

Example credential set:

schemaVersion: 1.0.1
name: test-credset
credentials:
  - name: secret_one
    source:
      secret: https://test-kv-1.vault.azure.net/secrets/secret-one/abc123
  - name: secret_two
    source:
      secret: https://test-kv-2.vault.azure.net/secrets/secret-two
  - name: secret_three
    source:
      secret: secret-three
  - name: secret_four
    source:
      secret: https://test-kv-2.vault.azure.net/secrets/secret-four/abc123

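The parse-then-fall-back lookup described in the PR description, run against the credential set values above, as an added Go example (not the plugin's own code; `Fetcher` is a hypothetical stand-in for the Key Vault client call):

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// ParseSecretID splits a full Azure Key Vault secret ID of the form
// https://<vault>.vault.azure.net/secrets/<name>[/<version>] into its parts.
// A bare name such as "secret-three" has no scheme or host and yields ok=false,
// as does any URL whose path is not exactly /secrets/<name>[/<version>].
func ParseSecretID(s string) (vaultURL, name, version string, ok bool) {
	u, err := url.Parse(s)
	if err != nil || u.Scheme != "https" || u.Host == "" {
		return "", "", "", false
	}
	p := strings.Split(strings.Trim(u.Path, "/"), "/")
	if len(p) < 2 || len(p) > 3 || p[0] != "secrets" || p[1] == "" {
		return "", "", "", false
	}
	if len(p) == 3 {
		version = p[2] // empty version selects the latest
	}
	return "https://" + u.Host, p[1], version, true
}

// Fetcher stands in for the Key Vault client call (hypothetical, not the plugin's API).
type Fetcher func(vaultURL, name, version string) (string, error)

// Resolve does the two-step lookup: fetch by parsed ID when keyValue is one, then
// fall back to keyValue as a secret name in the configured vault, failing only
// when both attempts fail. An ID may name a vault other than the configured one;
// that fetch succeeds only if the identity running porter can read it.
func Resolve(fetch Fetcher, configuredVaultURL, keyValue string) (string, error) {
	var idErr error
	if vaultURL, name, version, ok := ParseSecretID(keyValue); ok {
		v, err := fetch(vaultURL, name, version)
		if err == nil {
			return v, nil
		}
		idErr = err
	}
	v, err := fetch(configuredVaultURL, keyValue, "")
	if err != nil {
		return "", fmt.Errorf("resolving %q: by ID: %v; by name in %s: %w", keyValue, idErr, configuredVaultURL, err)
	}
	return v, nil
}
```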
@sgettys sgettys changed the title from "WIP feat: Added ability to parse keyvalue as an azure keyvault ID" to "feat: Added ability to parse keyvalue as an azure keyvault ID" Dec 13, 2022
Review comment on README.md (outdated, resolved)
Signed-off-by: Steven Gettys <s.gettys@f5.com>
@carolynvs carolynvs merged commit 63869fc into getporter:main Dec 13, 2022