-
Notifications
You must be signed in to change notification settings - Fork 23
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add option from datakey to be provided from existing secret #183
base: main
Are you sure you want to change the base?
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi @dan-transmit,
Thank you so much for your PR! I took an initial review pass and it looks great overall. I left a couple of comments for you to address, and we'll try to get this fully reviewed in the next few days.
Thank you!
conjur-oss/values.yaml
Outdated
@@ -7,7 +7,7 @@ | |||
# rather than setting these in a custom values YAML file. This avoids the | |||
# risk of leaving around residual values files containing this sensitive | |||
# information. | |||
|
|||
dataKeySecretRef: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The linter is failing here. I think this needs to default to an empty string instead of null.
conjur-oss/values.schema.json
Outdated
"required": [ | ||
"dataKey" | ||
], |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It would be better to require exactly one of [dataKey, dataKeySecretRef]. This can be accomplished with syntax like this:
"oneOf": [
{
"required": [
"dataKey"
]
},
{
"required": [
"dataKeySecretRef"
]
},
See the JSON Schema reference for more details.
conjur-oss/values.yaml
Outdated
@@ -7,6 +7,7 @@ | |||
# rather than setting these in a custom values YAML file. This avoids the | |||
# risk of leaving around residual values files containing this sensitive | |||
# information. | |||
dataKeySecretRef: "conjur-data-key" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this should default to an empty string. That way if it's not explicitly provided it will fail validation. With this default, I think it would succeed initially and then fail when it couldn't find this secret, which would lead to a confusing error message.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Currently, it fails because two of the values are provided, so I'll just remove it altogether
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is looking amazing. Do you time to add a test case to test.sh?
Writing a test would mean to create a whole new setup (it's not like the current script has a reusable interface). |
That's true. Ideally we'd refactor the tests to make it easier to have multiple test cases. If this isn't something you're interested in doing I totally understand, we just can't merge it without tests. I'm fine to put this on hold for a bit until we can do that internally if that's ok with you. |
Desired Outcome
The secret doesn't show in the helm values
Implemented Changes
Allow to use existing secrets in the cluster
Connected Issue/Story
Resolves #[relevant GitHub issue(s), e.g. 76]
CyberArk internal issue ID: [insert issue ID]
Definition of Done
At least 1 todo must be completed in the sections below for the PR to be
merged.
Changelog
CHANGELOG update
Test coverage
changes, or
Documentation
README
s) were updated in this PRBehavior
Security