Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add a CLI for rotating webhook secrets #2735

Merged
merged 3 commits into from
Mar 22, 2024
Merged

Add a CLI for rotating webhook secrets #2735

merged 3 commits into from
Mar 22, 2024

Conversation

jhrozek
Copy link
Contributor

@jhrozek jhrozek commented Mar 20, 2024

Summary

Adds a minder-server subcommand that allows you to change minder webhook secrets
in github as a way of rotating the secret

Fixes: #2722

Change Type

Mark the type of change your PR introduces:

  • Bug fix (resolves an issue without affecting existing features)
  • Feature (adds new functionality without breaking changes)
  • Breaking change (may impact existing functionalities or require documentation updates)
  • Documentation (updates or additions to documentation)
  • Refactoring or test improvements (no bug fixes or new functionality)

Testing

minder-server webhook update -p github

Review Checklist:

  • Reviewed my own code for quality and clarity.
  • Added comments to complex or tricky code sections.
  • Updated any affected documentation.
  • Included tests that validate the fix or feature.
  • Checked that related changes are merged.

@jhrozek jhrozek requested a review from a team as a code owner March 20, 2024 21:32
@JAORMX
Copy link
Contributor

JAORMX commented Mar 21, 2024

Will we need another k8s job to run this?

JAORMX
JAORMX requested changes Mar 21, 2024
View reviewed changes
cmd/server/app/webhook_update.go Outdated
}(dbConn)

store := db.NewStore(dbConn)
allProviders, err := store.GlobalListProvidersByName(ctx, providerName)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we instead iterate all providers, check that they implement github, and then attempt the migration? We're moving away from predetermined names and more into traits and classes

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can do that, sure.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done!

eleftherias
eleftherias reviewed Mar 21, 2024
View reviewed changes
Copy link
Contributor

@eleftherias eleftherias left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One comment on the documentation, but otherwise I tested it and it works great.

docs/docs/run_minder_server/run_the_server.md Outdated
minder-server webhook update -p github
```

Note that the command simply replaces the webhook secret in the configuration
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Isn't it the opposite? It seems like this command updates the secret in GitHub, but you will need to restart your Minder server to pick up the secret in the configuration.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

gah, of course when I wrote configuration I meant github..

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fixed!

@jhrozek
Copy link
Contributor Author

jhrozek commented Mar 21, 2024

Will we need another k8s job to run this?

yes, that's how I was thinking the rotation would work:

  • generate a new secret
  • set the new secret as the current one and the older one as a fallback
  • run this command as a job
  • monitor staging logs for the log message that says that a fallback secret was used to verify a webhook signature
  • if we see none, remove the fallback secret finally

@jhrozek jhrozek force-pushed the webhook_secret_migrate branch from 342f127 to 6b77069 Compare March 21, 2024 20:29
@coveralls
Copy link

Coverage Status

coverage: 47.018% (-0.01%) from 47.031%
when pulling 6b77069 on jhrozek:webhook_secret_migrate
into 2944b30 on stacklok:main.

@jhrozek jhrozek merged commit b68ca59 into mindersec:main Mar 22, 2024
21 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@eleftherias eleftherias eleftherias left review comments

@JAORMX JAORMX JAORMX approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Rotate webhook secrets
4 participants
@jhrozek @JAORMX @coveralls @eleftherias