[ENHANCEMENT] Enable setting an encryption key to be used to encrypt/decrypt sensitive data #13
@@ -12,6 +12,12 @@ data: | |
config.yaml: |- | ||
security: | ||
readonly: {{ .Values.config.security.readOnly }} | ||
{{- if and .Values.config.security.encryptionKeyFile .Values.config.security.encryptionKey }} | ||
encryption_key_file: {{ printf "%s/key" (.Values.config.security.encryptionKeyFile | trimSuffix "/") }} | ||
Comment: You're not taking into account your override* fields
{{- end }} | ||
{{- if and (not .Values.config.security.encryptionKeyFile) .Values.config.security.encryptionKey }} | ||
Comment: I might be wrong, but from my understanding, if a user provides an encryption key file he must provide an encryption key. Is that right @Nexucis?
Reply: That's my understanding as well. But if an encryption key file is provided, and the file is mounted on the pod, is there any reason to also add the key to the configuration file, config.yaml?
Reply: yeah
encryption_key: {{ .Values.config.security.encryptionKey }} | ||
{{- end }} | ||
enable_auth: {{ .Values.config.security.enableAuth }} | ||
|
||
database: | ||
|
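Review bot: the pair of conditions in this hunk leaves a gap: the first `if and .Values.config.security.encryptionKeyFile .Values.config.security.encryptionKey` renders `encryption_key_file` only when both values are set, and the second `if and (not ...encryptionKeyFile) ...encryptionKey` renders `encryption_key` only when the file is unset, so a user who sets only `encryptionKeyFile` (pointing at a key already mounted on the pod) gets neither field and the sensitive data is silently stored unencrypted. Either render `encryption_key_file` whenever `encryptionKeyFile` is set and gate only the Secret creation on both values, or `fail` on the unsupported combination so the misconfiguration is visible at install time. Worth documenting as well that the inline `encryption_key: {{ .Values.config.security.encryptionKey }}` path writes the key in plain text into this ConfigMap, whereas the file path keeps it in a Secret, so the file form should be the recommended one.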
@@ -24,12 +30,12 @@ data: | |
sql: | ||
{{- tpl (toYaml .) $ | nindent 8 }} | ||
{{ end -}} | ||
|
||
{{- with .Values.config.important_dashboards }} | ||
important_dashboards: | ||
{{- toYaml . | nindent 6 }} | ||
{{- end }} | ||
|
||
{{- with .Values.config.schemas }} | ||
schemas: | ||
{{- toYaml . | nindent 6 }} | ||
@@ -0,0 +1,17 @@ | ||
{{- if and .Values.config.security.encryptionKeyFile .Values.config.security.encryptionKey }} | ||
Comment: We should provide users the ability to use an existing secret in the cluster.
Reply: Do you have any suggestions for what it would look like? I mentioned this in the PR's description but I'm not sure about the implementation. This gets a bit complex as there are many ways to make the key available to the perses process. If
P.S.
    # -- Mount encryption key with an existing secret
    existingEncryptionKeySecret:
      secretName: ""
      secretKey: ""
EDIT: If you see this before I finish with the approach that I'm trying, please ignore the "WIP" commit.
Reply: I agree with the precedence you shared. Note that you can't set
See https://github.com/perses/perses/blob/main/pkg/model/api/config/security.go#L55-L56
apiVersion: v1 | ||
kind: Secret | ||
metadata: | ||
name: {{ include "perses.fullname" . }}-encryption-key | ||
labels: | ||
{{- include "perses.labels" . | nindent 4 }} | ||
{{- with .Values.config.annotations }} | ||
annotations: | ||
{{- toYaml . | nindent 4 }} | ||
{{- end }} | ||
type: Opaque | ||
data: | ||
key: {{ .Values.config.security.encryptionKey | b64enc }} | ||
{{- end }} | ||
|
||
--- |
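Review bot: `key: {{ .Values.config.security.encryptionKey | b64enc }}` means the key material travels through `.Values`, so anyone who can read the values file, the CI variables feeding it, or the chart's configured values can read the key; the `existingEncryptionKeySecret` shape (`secretName`/`secretKey`) discussed in the thread should be the preferred path, with this generated Secret used only when no existing secret is named, and the values documentation should say so. Minor: the trailing `---` sits outside the `{{- if }}` ... `{{- end }}` block, so an empty document is emitted whenever the condition is false; move it inside the block or drop it.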
@@ -102,6 +102,14 @@ | |
"type": "boolean", | ||
"default": false | ||
}, | ||
"encryptionKey": { | ||
Comment: I think it makes sense to add these values to the values.yaml as empty values, just to let users know they exist and are a possibility, and also because the documentation is being created from the values file.
"type": "string", | ||
"default": "" | ||
}, | ||
"encryptionKeyFile": { | ||
"type": "string", | ||
"default": "" | ||
}, | ||
"enableAuth": { | ||
"type": "boolean", | ||
"default": false | ||
|
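Review bot: the two new properties `encryptionKey` and `encryptionKeyFile` carry no `description`, and because the ConfigMap template treats `encryptionKeyFile` as a directory (it applies `trimSuffix "/"` and appends `/key`) rather than as a path to a file, the name invites misuse; add a `description` to each property stating that `encryptionKeyFile` is the mount directory of the key and that `encryptionKey` is key material that should come from a secret rather than be committed in a values file.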
@@ -191,4 +191,4 @@ datasources: | |
# plugin: | ||
# kind: PrometheusDatasource | ||
# spec: | ||
# directUrl: https://prometheus.demo.do.prometheus.io | ||
Comment: (nit) can we remove this change, just to keep the PR as clean as possible?
Reply: Sure, my editor added it; I don't mind rolling it back.
Reply: I also have an editor adding newlines in all files. I know that it can be a pain to manage, so to me this is not that much of a problem if you don't ^^
# directUrl: https://prometheus.demo.do.prometheus.io |
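Review bot: the only change in this hunk is the newline at the end of the file on the `# directUrl:` line, which the thread already attributes to an editor; it is harmless, but reverting it keeps the diff limited to the encryption-key change.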
Comment: not possible as mutually exclusive