Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Introduced new soa key for rotating database passwords #3655

Merged
merged 20 commits into from
Aug 17, 2023
Merged

Introduced new soa key for rotating database passwords #3655

merged 20 commits into from
Aug 17, 2023

Conversation

RobbySingh
Copy link
Contributor

@RobbySingh RobbySingh commented Jul 19, 2023
edited
Loading

https://fluffy.yelpcorp.com/i/67hDPrWrG31CtcZRZf0RB17HqJg8XqXZ.html

Pasting in fluffy for security reasons

(updated Aug 9, 2023 @ 1:46pm)

@RobbySingh
Introduced new soa key for rotating database passwords
6666b41 
- database_credentials is a top level key. The next key will be a datastore. This could be MySQL or Cassandra or anything else.
  Each data store (dstore) contains a name, eg {mysql: ['cred1', 'cred2']}.
  These credentials point to a vault path under /dstore/mysql/{cred1,cred2}
  These passwords are then mapped to the paasta service as a volume, where each file corresponds to a Vault entry
@RobbySingh RobbySingh requested a review from flopex July 19, 2023 16:57
@RobbySingh RobbySingh changed the title Introduced new soa key for rotating database passwords Introduced new soa key for rotating database passwords [WIP] Jul 19, 2023
@RobbySingh RobbySingh changed the title Introduced new soa key for rotating database passwords [WIP] Introduced new soa key for rotating database passwords Jul 19, 2023
nemacysts
nemacysts reviewed Jul 21, 2023
View reviewed changes
k8s_itests/deployments/kind/cluster-devbox.yaml Show resolved Hide resolved
paasta_tools/kubernetes/bin/paasta_secrets_sync.py Outdated Show resolved Hide resolved
paasta_tools/secret_providers/vault.py Outdated Show resolved Hide resolved
paasta_tools/kubernetes_tools.py Outdated Show resolved Hide resolved
paasta_tools/kubernetes_tools.py Outdated Show resolved Hide resolved
paasta_tools/kubernetes_tools.py Outdated Show resolved Hide resolved
paasta_tools/secret_providers/vault.py Outdated Show resolved Hide resolved
paasta_tools/secret_providers/vault.py Outdated Show resolved Hide resolved
paasta_tools/kubernetes/bin/paasta_secrets_sync.py Outdated Show resolved Hide resolved
paasta_tools/kubernetes/bin/paasta_secrets_sync.py Outdated Show resolved Hide resolved
@RobbySingh
Simplified environment variable setting for database vault creds
b2196d1 
- Used a context manager for temporarily setting vault credentials
- Several python magic upgrades
- Added sample return types for data
- Changed default parameters to required for dstore/creds
- Few refactors
@RobbySingh
Copy link
Contributor Author

I ran a fresh make setup-kubernetes-job with the vault credentials set in etc_paasta_playground.vault.json under database_credentials_vault_env_overrides (just vault_addr_override and vault_token_override) and confirmed that the env worked as expected

nemacysts
nemacysts reviewed Aug 1, 2023
View reviewed changes
Copy link
Member

@nemacysts nemacysts left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i still have to formulate some thoughts/suggestions re: tests - but for now i've left some other comments so that you're not blocked waiting for me to review

paasta_tools/kubernetes/bin/paasta_secrets_sync.py Outdated Show resolved Hide resolved
paasta_tools/kubernetes/bin/paasta_secrets_sync.py Outdated Show resolved Hide resolved
paasta_tools/kubernetes/bin/paasta_secrets_sync.py Show resolved Hide resolved
paasta_tools/kubernetes_tools.py Outdated Show resolved Hide resolved
paasta_tools/kubernetes_tools.py Outdated Show resolved Hide resolved
paasta_tools/secret_providers/vault.py Outdated Show resolved Hide resolved
paasta_tools/kubernetes_tools.py Outdated Show resolved Hide resolved
nemacysts
nemacysts reviewed Aug 2, 2023
View reviewed changes
tests/kubernetes/bin/test_paasta_secrets_sync.py Outdated Show resolved Hide resolved
tests/test_kubernetes_tools.py Outdated Show resolved Hide resolved
paasta_tools/kubernetes/bin/paasta_secrets_sync.py Outdated Show resolved Hide resolved
@RobbySingh
Refactoring, added test cases, fixed type annotations
de200c1 
- Changed database and dstore -> datastore for clarity
@RobbySingh
Updated type annotations and name of set_env
cd0a4da 
- set_env always resets the environ later, so it should instead be renamed to reflect this
nemacysts
nemacysts reviewed Aug 3, 2023
View reviewed changes
paasta_tools/kubernetes_tools.py Outdated Show resolved Hide resolved
paasta_tools/secret_providers/vault.py Show resolved Hide resolved
paasta_tools/utils.py Outdated Show resolved Hide resolved
@RobbySingh
Added datastore credentials schema item
ec92538 
- Although we didn't specify cassandra here (since we don't know yet), we add additional_properties = True to suffice
nemacysts
nemacysts reviewed Aug 4, 2023
View reviewed changes
paasta_tools/cli/schemas/kubernetes_schema.json Show resolved Hide resolved
paasta_tools/kubernetes_tools.py Outdated Show resolved Hide resolved
paasta_tools/secret_providers/vault.py Outdated Show resolved Hide resolved
@RobbySingh RobbySingh requested a review from tub August 9, 2023 16:28
nemacysts
nemacysts reviewed Aug 9, 2023
View reviewed changes
paasta_tools/cli/schemas/kubernetes_schema.json Outdated Show resolved Hide resolved
paasta_tools/kubernetes_tools.py Outdated Show resolved Hide resolved
paasta_tools/kubernetes_tools.py Outdated Show resolved Hide resolved
paasta_tools/kubernetes_tools.py Outdated Show resolved Hide resolved
paasta_tools/kubernetes_tools.py Outdated Show resolved Hide resolved
paasta_tools/kubernetes_tools.py Show resolved Hide resolved
paasta_tools/kubernetes/bin/paasta_secrets_sync.py Outdated Show resolved Hide resolved
paasta_tools/kubernetes/bin/paasta_secrets_sync.py Show resolved Hide resolved
@RobbySingh
Fixed mypy typing issues
0e173a0 
- Corrected 'help' for --secret-type call
@RobbySingh RobbySingh requested a review from mattmb August 10, 2023 20:26
@nemacysts nemacysts merged commit 8c62b00 into master Aug 17, 2023
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jfongatyelp jfongatyelp jfongatyelp left review comments

@ilkinmammadzada ilkinmammadzada ilkinmammadzada approved these changes

@nemacysts nemacysts nemacysts approved these changes

@flopex flopex Awaiting requested review from flopex

@EvanKrall EvanKrall Awaiting requested review from EvanKrall

@tub tub Awaiting requested review from tub

@mattmb mattmb Awaiting requested review from mattmb

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@RobbySingh @nemacysts @jfongatyelp @mattmb @ilkinmammadzada