kms: AWS SDK V2, allow creds config, add tests #1065

Merged
merged 3 commits into from
Jun 27, 2022
Conversation

hiddeco
Member

@hiddeco hiddeco commented May 28, 2022

This updates the AWS SDK for Go to V2, adds extensive test coverage
based on a mocking server, and a general tidying of bits of code.
The improvements are based on a fork of the key source in the Flux
project's kustomize-controller, built due to SOPS' limitation around
credential management without relying on runtime environment variables.

  • AWS SDK has been updated to V2. There are still bits in publish/
    which would need updating to drop the dependency on V1.
    Patched in d2ce37d.
  • It introduces a CredentialsProvider type which holds an
    aws.CredentialProvider, and can be applied to the MasterKey.
    When applied, the provider is used in the AWS client configuration
    instead of relying on the SDK default (environmental) values.
    This is most useful when working with SOPS as an SDK, in combination
    with e.g. a local key service server implementation.
  • Extensive test coverage. STS session implementation details are not
    tested due to mocking complexities, but the wiring is.

The forked version of this has compatibility tests to ensure it works
with current SOPS:

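The credential wiring described above, as an added illustration that is not code from this PR or from SOPS: a stdlib-only stand-in for the SDK v2 `aws.CredentialsProvider` interface, a hypothetical `MasterKey` that can carry an explicit provider, and a resolver that uses the per-key provider when one was applied and falls back to the environment default only when none was. The `Credentials`, `StaticProvider`, `EnvProvider` and `MasterKey` names are assumptions for the example.

```go
package main

import (
	"context"
	"errors"
	"os"
)

// Stdlib-only stand-ins (assumed) for aws.Credentials and aws.CredentialsProvider.
type Credentials struct{ AccessKeyID, SecretAccessKey, SessionToken string }
type CredentialsProvider interface {
	Retrieve(ctx context.Context) (Credentials, error)
}
func (c Credentials) complete() bool { return c.AccessKeyID != "" && c.SecretAccessKey != "" }

// StaticProvider holds credentials handed over in-process, e.g. by a key service.
type StaticProvider struct{ Creds Credentials }
func (p StaticProvider) Retrieve(context.Context) (Credentials, error) {
	if !p.Creds.complete() {
		return Credentials{}, errors.New("static provider: incomplete credentials")
	}
	return p.Creds, nil
}

// EnvProvider models the SDK default chain reading process-wide environment variables.
type EnvProvider struct{}
func (EnvProvider) Retrieve(context.Context) (Credentials, error) {
	c := Credentials{os.Getenv("AWS_ACCESS_KEY_ID"), os.Getenv("AWS_SECRET_ACCESS_KEY"), os.Getenv("AWS_SESSION_TOKEN")}
	if !c.complete() {
		return Credentials{}, errors.New("env provider: AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY unset")
	}
	return c, nil
}

// MasterKey is a hypothetical KMS master key carrying an optional per-key provider.
type MasterKey struct {
	Arn                 string
	credentialsProvider CredentialsProvider
}

// ApplyCredentialsProvider pins this key to explicit credentials.
func (k *MasterKey) ApplyCredentialsProvider(p CredentialsProvider) { k.credentialsProvider = p }

// ResolveCredentials prefers the key's own provider and falls back to the environment
// default only when none was applied, so a key with a provider never picks up ambient creds.
func ResolveCredentials(ctx context.Context, k *MasterKey) (Credentials, error) {
	var p CredentialsProvider = EnvProvider{}
	if k.credentialsProvider != nil {
		p = k.credentialsProvider
	}
	return p.Retrieve(ctx)
}
```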
@hiddeco hiddeco marked this pull request as ready for review May 28, 2022 09:55
@hiddeco hiddeco requested a review from ajvb May 30, 2022 14:18
Contributor

@ajvb ajvb left a comment


Two small comments, but this looks awesome.

@hiddeco we can chat outside of this PR as well, but I wanted to ask if there were any other changes you'd like into v3.8? I'm thinking that once this PR is in I can get a draft release ready and get some user testing here at Mozilla, especially as it relates to the AWS and PGP changes.

Review thread on kms/mocks/KMSAPI.go (resolved)
Review thread on go.mod (outdated, resolved)
@hiddeco
Member Author

hiddeco commented Jun 6, 2022

@ajvb we literally have a fork for every key source implementation, so there are two to go (GCP KMS and HC Vault).

I hope to be contributing them early next week, as today was a national holiday here, and I am off from Wednesday – Sunday this week for tattoos and other fun stuff.

Given this, could we aim to cut end of next week? I am fine with e.g. release candidates going out in the meantime.

hiddeco and others added 3 commits June 6, 2022 23:14
This updates the AWS SDK for Go to V2, adds extensive test coverage
based on a mocking server, and a general tidying of bits of code.
The improvements are based on a fork of the key source in the Flux
project's kustomize-controller, built due to SOPS' limitation around
credential management without relying on runtime environment variables.

- AWS SDK has been updated to V2. There are still bits in `publish/`
  which would need updating to drop the dependency on V1.
- It introduces a `CredentialsProvider` type which holds an
  `aws.CredentialsProvider`, and can be applied to the `MasterKey`.
  When applied, the provider is used in the AWS client configuration
  instead of relying on the SDK default (environmental) values.
  This is most useful when working with SOPS as an SDK, in combination
  with e.g. a local key service server implementation.
- Extensive test coverage. STS session implementation details are not
  tested due to mocking complexities, but the wiring is.

The forked version of this has compatibility tests to ensure it works
with current SOPS:

- https://github.com/fluxcd/kustomize-controller/blob/8b7e7ecb1aea34a7a14ebed159bf0f2fc1f2f7f3/internal/sops/awskms/keysource_test.go#L134
- https://github.com/fluxcd/kustomize-controller/blob/8b7e7ecb1aea34a7a14ebed159bf0f2fc1f2f7f3/internal/sops/awskms/keysource_test.go#L200

Co-authored-by: Sanskar Jaiswal <sanskar.jaiswal@weave.works>
Signed-off-by: Hidde Beydals <hello@hidde.co>
Signed-off-by: Hidde Beydals <hello@hidde.co>
This was only required for the test mocks for the V1 AWS SDK tests,
which have been removed with the rewrite to V2.

Signed-off-by: Hidde Beydals <hello@hidde.co>
@ajvb ajvb merged commit 8c5c397 into getsops:develop Jun 27, 2022
@hiddeco hiddeco deleted the kms-keysource-imprv branch June 27, 2022 18:22
@hiddeco hiddeco added this to the v3.8.0 milestone Jul 3, 2023
@benley benley mentioned this pull request Oct 5, 2023