-
Notifications
You must be signed in to change notification settings - Fork 1.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
remove hashicorp kms libraries from trusted resources #6405
remove hashicorp kms libraries from trusted resources #6405
Conversation
Skipping CI for Draft Pull Request. |
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/test all |
This commit removes hashicorp kms libraries to unblock other tekton developers, details in tektoncd#6015. In tep-91 we pulled in hashicorp kms libraries, and by running hack/update-codegen.sh it will copy the code into third_party directory. This will cause failures to ci jobs since it uses internal pkg. This is a short term solution to unblock other pipeline developers. Long term goal is to exclude checking third_party in our ci. Signed-off-by: Yongxuan Zhang yongxuanzhang@google.com
0a4c2b3
to
f64cc1b
Compare
thanks @Yongxuanzhang -- what's the expected impact of not supporting hashivault for trusted resources? Will this be added back in later? |
Currently we support loading kms from azure, aws, gcp and hashivault, so this means we will remove hashivault from our supported kms libraries. |
I'd like to unblock #6342 and this sounds reasonable to me, but I don't love the idea of removing a feature we plan to add back later. Can anyone from the security wg comment on whether this is the right way to go or whether it makes sense to address the issue with hashicorp libraries directly? Also, it seems like the problem described in #6015 isn't that we run unit tests on code in third_party; it seems like the problem is that there are security vulnerabilities detected by CodeQL. Maybe this is a signal that we should not import this library until the vulnerabilities are resolved? |
Yes that's a good suggestion. I will bring this up tobthe wg and see if there are other ways. Vulnerabilities from CodeQL are just part of the problem iirc. Their libraries will fail the unit tests since we run go test./... |
Thanks!
I'm not seeing the unit test failures you're describing, can you point me to an example? Unit tests pass in #6342 |
Ah, maybe it is fixed? Let me take a look |
Oh indeed! This these libraries are not blocking unit tests/build tests anymore, maybe they have fixed it upstream. |
no need to remove it since we have removed third_party in #6416 |
Changes
This commit removes hashicorp kms libraries to unblock other tekton developers, details in #6015. In tep-91 we pulled in hashicorp kms libraries, and by running hack/update-codegen.sh it will copy the code into third_party directory. This will cause failures to ci jobs since it uses internal pkg. This is a short term solution to unblock other pipeline developers. Long term goal is to exclude checking third_party in our ci.
/kind misc
Signed-off-by: Yongxuan Zhang yongxuanzhang@google.com
Submitter Checklist
As the author of this PR, please check off the items in this checklist:
functionality, content, code)
/kind <type>
. Valid types are bug, cleanup, design, documentation, feature, flake, misc, question, tepRelease Notes