remote.vault: introduce component to retrieve secrets from Vault #3428
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
rfratto
commented
Apr 3, 2023
rfratto
commented
Apr 4, 2023
rfratto
commented
Apr 10, 2023
rfratto
commented
Apr 10, 2023
rfratto
force-pushed
the
remote.vault
branch
4 times, most recently
from
949c053 to
0303314
Compare
The remote.vault component retrieves secrets from Vault.
Add end-to-end tests using testcontainers-go. This required a lot of (unfortunate) go.mod trickery.
This reverts commit d42c71c.
rfratto
changed the title
rfratto
commented
Apr 29, 2023
Comment on lines
+14
to
+22
| k3d_client "github.com/k3d-io/k3d/v5/pkg/client" | ||
| config "github.com/k3d-io/k3d/v5/pkg/config" | ||
| k3d_cfgtypes "github.com/k3d-io/k3d/v5/pkg/config/types" | ||
| k3d_config "github.com/k3d-io/k3d/v5/pkg/config/v1alpha4" | ||
| k3d_log "github.com/k3d-io/k3d/v5/pkg/logger" | ||
| k3d_runtime "github.com/k3d-io/k3d/v5/pkg/runtimes" | ||
| k3d_docker "github.com/k3d-io/k3d/v5/pkg/runtimes/docker" | ||
| k3d_types "github.com/k3d-io/k3d/v5/pkg/types" | ||
| k3d_version "github.com/k3d-io/k3d/v5/version" |
There was a problem hiding this comment.
These had to be updated to sort out dependency hell 😬
tpaschalis
reviewed
May 4, 2023
| } | ||
|
|
||
| // AuthAWS authenticates against Vault with AWS. | ||
| type AuthAWS struct { |
There was a problem hiding this comment.
Seems that upstream passes some default values, should we follow suit? Also, there's a withNonce method we're not using, not sure if it was left out on purpose.
https://github.com/hashicorp/vault/blob/api/auth/aws/v0.4.0/api/auth/aws/aws.go#L59-L62
There was a problem hiding this comment.
I left nonce out on purpose, I don't think it makes sense to set a static nonce for the lifetime of the component, since the idea of a nonce is that it's used just once.
Co-authored-by: Paschalis Tsilias <[email protected]>
Co-authored-by: Paschalis Tsilias <[email protected]>
Co-authored-by: Paschalis Tsilias <[email protected]>
Co-authored-by: Paschalis Tsilias <[email protected]>
mattdurham
reviewed
May 4, 2023
mattdurham
requested changes
May 4, 2023
mattdurham
reviewed
May 4, 2023
mattdurham
reviewed
May 4, 2023
mattdurham
reviewed
May 4, 2023
clayton-cornell
pushed a commit
that referenced
this pull request
Aug 14, 2023
The remote.vault component retrieves secrets from Vault. Co-authored-by: Paschalis Tsilias <[email protected]>
clayton-cornell
pushed a commit
that referenced
this pull request
Aug 14, 2023
The remote.vault component retrieves secrets from Vault. Co-authored-by: Paschalis Tsilias <[email protected]>
github-actions
bot
added
the
frozen-due-to-age
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The
remote.vaultcomponent retrieves secrets from Vault. The initial implementation is scoped to only retrieving secrets from the KVv2 store, but it should be flexible enough to support logical database stores in the future.remote.vaultsupports a few different authentication methods, all from the Vault API module:Authentication tokens are automatically refreshed in the background if they have a lease or are renewable.
Currently, the entire set of data retrieved from Vault is treated as a secret, and there is no way to mark a key from the data as non-sensitive. In the future, this may be handled by some kind of function to convert a secret into a string, or a configuration block in the component to list a subset of data field names as non-sensitive.
When reviewing, note that the prototype for this one started in the extremely early days of Flow (e.g., pre-v0.28). There may be best practices I'm not following, and didn't catch in my self-review. If you notice anything out of place, please let me know.
Sorry about the size of this one 😞