[ENHANCEMENT] Enable setting an encryption key to be used to encrypt/decrypt sensitive data #13
Conversation
Gabrielopesantos
force-pushed
the
gabrielopesantos/helm-chart-update
branch
from
c776b96
to
c4a19be
Compare
Gabrielopesantos
changed the title
encryption key is loaded as a env var or file depending if encryption_key_file is set or not Signed-off-by: Gabriel Santos <[email protected]>
Signed-off-by: Gabriel Santos <[email protected]>
Signed-off-by: Gabriel Santos <[email protected]>
Gabrielopesantos
force-pushed
the
gabrielopesantos/helm-chart-update
branch
from
6427d66
to
45de2e2
Compare
Signed-off-by: Gabriel Santos <[email protected]>
Gabrielopesantos
force-pushed
the
gabrielopesantos/helm-chart-update
branch
from
1ff4a56
to
18aaacb
Compare
… block Signed-off-by: Gabriel Santos <[email protected]>
Gabrielopesantos
force-pushed
the
gabrielopesantos/helm-chart-update
branch
from
01aec23
to
209a860
Compare
| @@ -191,4 +191,4 @@ datasources: | |||
| # plugin: | |||
| # kind: PrometheusDatasource | |||
| # spec: | |||
| # directUrl: https://prometheus.demo.do.prometheus.io | |||
There was a problem hiding this comment.
(nit) can we remove this change, just to keep the PR clean as possible?
There was a problem hiding this comment.
Sure, my editor added it I don't mind rolling back.
There was a problem hiding this comment.
I have also an editor adding newlines in all files. I know that it can be a pain to manage so to me this not that a problem if you don't ^^
charts/perses/templates/secrets.yaml
Outdated
| @@ -0,0 +1,17 @@ | |||
| {{- if and .Values.config.security.encryptionKeyFile .Values.config.security.encryptionKey }} | |||
There was a problem hiding this comment.
We should provide the ability to users use an existing secret in the cluster.
- Disable the secret creation
- Provide the existing secret name and secret key to be mounted.
There was a problem hiding this comment.
Do you have any suggestions for what would it look like? I mentioned this in the PR's description but I'm not sure about the implementation. This gets a bit complex as there are many ways to make the key available to the perses process.
If encryptionKey is the only value provided then we set it in the config.yaml file.
If encryptionKey and encryptionKeyFile are set, we create the secret and mount it on the pod.
If existingEncryptionKeySecret (or any other name) is given we just set the volume and volume mount in the statefulset with the information provided by the user.
But what about precedence? For me, the following makes sense but let me now what you think. Existing secret > Encryption key mount as file > Encryption key put in the config.yaml file.
P.S.
I was thinking of the following format for the existing secret information to be provided.
# -- Mount encryption key with an existing secret
existingEncryptionKeySecret:
secretName: ""
secretKey: ""EDIT: If you see this before I finish with the approach that I'm trying, please ignore "WIP" commit.
There was a problem hiding this comment.
I agree with the precedence you shared.
Note that you can't set encryptionKey and encryptionKeyFile at the same time in the Perses config otherwise the server will crashed because the config is inaccurate.
See https://github.com/perses/perses/blob/main/pkg/model/api/config/security.go#L55-L56
| {{- if and .Values.config.security.encryptionKeyFile .Values.config.security.encryptionKey }} | ||
| encryption_key_file: {{ printf "%s/key" (.Values.config.security.encryptionKeyFile | trimSuffix "/") }} | ||
| {{- end }} | ||
| {{- if and (not .Values.config.security.encryptionKeyFile) .Values.config.security.encryptionKey }} |
There was a problem hiding this comment.
I might be wrong, but from my understanding if user provides a encryption key file he must to provide a encryption key.
Is that right @Nexucis ?
There was a problem hiding this comment.
That's my understanding as well. But if an encryption key file is provided, and the file is mount on the pod, is there any reason to also add the key in the configuration file, config.yaml?
There was a problem hiding this comment.
yeah encryptionKey and encryptionKeyFile are mutually exclusive but they are not mandatory.
If you don't provide it, there is one hardcoded that will be used.
| @@ -102,6 +102,14 @@ | |||
| "type": "boolean", | |||
| "default": false | |||
| }, | |||
| "encryptionKey": { | |||
There was a problem hiding this comment.
I think makes sense add this values to the values.yaml as empty values, just to let users know it exists and is a possibility, as well as because the documentation is being created from the values file.
|
Thanks for handle this @Gabrielopesantos, just left some comments, nice work 💪🏽 |
Thank you for the feedback, I will have a look as soon as I can. 👍 |
Signed-off-by: Gabriel Santos <[email protected]>
Gabrielopesantos
force-pushed
the
gabrielopesantos/helm-chart-update
branch
from
5d55c4c
to
51ebb75
Compare
Signed-off-by: Gabriel Santos <[email protected]>
Gabrielopesantos
force-pushed
the
gabrielopesantos/helm-chart-update
branch
from
51ebb75
to
88edc9b
Compare
Gabrielopesantos
force-pushed
the
gabrielopesantos/helm-chart-update
branch
from
bc655ee
to
110590f
Compare
|
@Gabrielopesantos could you check CI? |
Gabrielopesantos
force-pushed
the
gabrielopesantos/helm-chart-update
branch
from
110590f
to
0f0d417
Compare
|
@Gabrielopesantos the CI detect an format issue. Probably an issue related to the |
data Signed-off-by: Gabriel Santos <[email protected]>
Gabrielopesantos
force-pushed
the
gabrielopesantos/helm-chart-update
branch
from
0f0d417
to
84ccd5d
Compare
|
My bad and thank you for the patience. I could have easily run I'm not a fan of my implementation but couldn't think of another way to implement this logic of having precedence of values for the secret (even worse with go templates). |
|
awesome thank you @Gabrielopesantos ! @celian-garcia and/or @nicolastakashi if you have time, could you please take a look ? |
There was a problem hiding this comment.
Hello, thanks for this PR. I am trying to review but it sounds complex to me.
If I understand properly:
-
if user give an
encryptionKeyorencryptionKeyFileit uses it in the config. That part is simple. -
Now if the user give an
encryptionKeyFileit means that we need mount the volume.
Two solution : the user has a secret or the user want us to create a secret. -
And if a user doesn't provide a file but provide a secret we want the file to be set.
-
Also I don't see a case where the encryptionKeyFile would exist without a k8s secret but maybe I'm wrong
Did I forget something? :D
If I try to translate it to a yaml self explanatory, I can draft a proposal that in my feeling would be less confusing for the user and easier to develop on your side. WDYT?
security:
encryptionKey: ""
encryptionKeyFile:
activated: false # this is to ease the configuration if a user want to setup the secret but activate it or not easily
secretName: '' # default to perses-full-name encryptionsecret
secretKey: 'key' # (setting the default in the values file directly would prevent from forgetting a "| default" in the code)Note:
For the mutually exclusive fields, you could do a check with helm on top of the templates using them. It would save you from some checks.{{- if and .Values.security.encryptionKey .Values.security.encryptionKeyFile.activated }} {{- fail ( printf "encryptionKey and encryptionKeyFile are mutually exclusive" ) }} {{- end }}
| @@ -191,4 +191,4 @@ datasources: | |||
| # plugin: | |||
| # kind: PrometheusDatasource | |||
| # spec: | |||
| # directUrl: https://prometheus.demo.do.prometheus.io | |||
There was a problem hiding this comment.
I have also an editor adding newlines in all files. I know that it can be a pain to manage so to me this not that a problem if you don't ^^
| @@ -12,6 +12,12 @@ data: | |||
| config.yaml: |- | |||
| security: | |||
| readonly: {{ .Values.config.security.readOnly }} | |||
| {{- if and .Values.config.security.encryptionKeyFile .Values.config.security.encryptionKey }} | |||
There was a problem hiding this comment.
not possible as mutually exclusive
| @@ -12,6 +12,12 @@ data: | |||
| config.yaml: |- | |||
| security: | |||
| readonly: {{ .Values.config.security.readOnly }} | |||
| {{- if and .Values.config.security.encryptionKeyFile .Values.config.security.encryptionKey }} | |||
| encryption_key_file: {{ printf "%s/key" (.Values.config.security.encryptionKeyFile | trimSuffix "/") }} | |||
There was a problem hiding this comment.
You're not taking into account your override* fields
Hey @celian-garcia , To ensure we are on the same page, the following are the ways I believe were discussed to make the encryption key available to perses.
The following is how each method of setting the encryption key would be configured with your suggested YAML config. security:
encryptionKey: "asdasdas"
encryptionKeyFile:
activated: false
secretName: ''
secretKey: 'key'security:
encryptionKey: "asdasdas"
encryptionKeyFile:
activated: true
secretName: ''
secretKey: 'key' encryptionKey: ""
encryptionKeyFile:
activated: true
secretName: 'secret-asd'
secretKey: 'key'It works nicely for 1 and 3 and they don't have "mutually" exclusive fields used, however, for 2 Also, there's no way to set the path where the encryption key file would be mounted but that's not an issue as a default like |
I'm reading myself again and I don't even know what I meant 😄 It's been a while. I would even do now encryptionKey:
secret: '' // Default value is {{perses full name}}
useExistingSecret: false // by default it creates a secret
key: 'key' // Default value that you've no reason to update if you don't have your own secret
value: 'dfkskdfjhskdfjh' // this is the default value that you can use but not advised.Then if you want to reuse a secret encryptionKey:
secret: 'myAlreadyExistingSecret'
useExistingSecret: true
key: 'myEncryptionKey' If you want to create a secret with default props encryptionKey:
value: 'mysecretvalue'If you want to create a secret with custom props encryptionKey:
secret: 'myNotExistingCustomSecretName' // will be created
key: 'mySecretKey' // will be created
value: 'mysecretvalue' |
|
Hey @Gabrielopesantos friendly ping, are you willing to work on it yet? |
Description
Still ironing some things on this solution proposal, will add a description and mark the ticket as ready to be reviewed once I'm done.If you see the PR in the meanwhile and think there's a better way to achieve this, feel free to comment.
Adds support for
encryption_keyandencryption_key_filevalues to be set, both "" by default. Ifencryption_keyis set, the key is made available as an environment variable. If both values are set, the key is set on a secret, mount as a volume and made available to the perses process as a file. In casesencryption_keyisn't set, the value ofencryption_key_file, if set, is ignored.At the time of development I thought of this approach or one where we would expect secrets with a given name to be present so they could be mount or loaded as env vars. I'm still not sure what would be better but feel free to leave feedback.
The PR doesn't add support auth providers as discussed but I intend to open another PR for it.
Checklist
[<catalog_entry>] <commit message>naming convention using one of the followingcatalog_entryvalues:FEATURE,ENHANCEMENT,BUGFIX,BREAKINGCHANGE,IGNORE.