Feature - add HashiCorp Vault secret provider #165

Merged
merged 59 commits into from
Aug 31, 2020

@stijnmoreels stijnmoreels commented Aug 20, 2020

Added a new project (NuGet package) with a secret provider that will interact with the KeyValue secret of a HashiCorp Vault.
This feature contains:

  • The ISecretProvider implementation itself
  • User-friendly extensions to register in the secret store for:
    • UserPass authentication
    • Kubernetes authentication
    • Custom configuration
  • Unit tests for all components
  • Integration tests that interact with a fresh HashiCorp Vault instance running in 'dev server' mode for:
    • UserPass authentication
  • Feature docs update with examples of how this secret provider can be added to the secret store, with examples of what is required and by default provided and can be overridden.

Relates to #159

@arcus-automation

A new preview package for Arcus.Security.All is available on MyGet.

You can pull it locally via the CLI:

PM> Install-Package Arcus.Security.All -Version 20200821.0.0-PR-165 -Source https://www.myget.org/F/arcus/api/v3/index.json

@stijnmoreels stijnmoreels marked this pull request as ready for review August 21, 2020 08:26
@arcus-automation

A new preview package for Arcus.Security.All is available on MyGet.

You can pull it locally via the CLI:

PM> Install-Package Arcus.Security.All -Version 20200825.0.0-PR-165 -Source https://www.myget.org/F/arcus/api/v3/index.json

@arcus-automation

A new preview package for Arcus.Security.All is available on MyGet.

You can pull it locally via the CLI:

PM> Install-Package Arcus.Security.All -Version 20200826.0.0-PR-165 -Source https://www.myget.org/F/arcus/api/v3/index.json

@tomkerkhove
Contributor

Not yet created integration test for Kubernetes authentication bc that would require me to create a Kubernetes service account (extra costs per month) and maybe not worth the cost for that?
Of course if there's a way that this can be shortcut, and there's a way to test this external call by setting up a test server that validates the JWT token for us... we could maybe go that route.

Let's add a dedicated issue where we deploy a container to a Kind cluster and run against that.

@tomkerkhove tomkerkhove left a comment

LGTM, the only suggestion I would have is to move out the Kubernetes auth unless you are certain that it already works fine?

@stijnmoreels
Member Author

stijnmoreels commented Aug 28, 2020

> LGTM, the only suggestion I would have is to move out the Kubernetes auth unless you are certain that it already works fine?

I can honestly say I don't know anything for certain 😅.
We're just using the already available Kubernetes authentication type and passing along the values, so only if VaultSharp has some problems, I don't think that there's something wrong with it. But again, I'm not certain.

@tomkerkhove
Contributor

Good enough!

@arcus-automation

A new preview package for Arcus.Security.All is available on MyGet.

You can pull it locally via the CLI:

PM> Install-Package Arcus.Security.All -Version 20200831.0.0-PR-165 -Source https://www.myget.org/F/arcus/api/v3/index.json

@stijnmoreels stijnmoreels merged commit 7131882 into arcus-azure:master Aug 31, 2020