
feat(credentials): added a provider-plugable credentials handling mec… #33

Open · wants to merge 4 commits into base: main

Conversation

pcanilho
Contributor

@pcanilho pcanilho commented Jul 26, 2024

Proposal: Pluggable credentials support

The credentials package is designed to provide a pluggable interface for managing credentials across different services.
The package is designed to be used in conjunction with provider instances. When required, it supports daisy-chaining of
multiple credential providers to provide a more complex credential resolution mechanism.

Goals

  • Backwards compatible.
  • Pluggable interface for managing credentials across different services.
  • Credential provider chaining.
  • Tests TODO(@pcanilho)

A simple example

Without credentials
http:
  - name: anonymous-access
    url: https://my.health.checker.com/health
With credentials
username/password
http:
  - name: authenticated-access
    url: https://my.health.checker.com/health
    credentials:
      - k8s_secret:
          namespace: my-namespace
          name: my-secret
          keys:
            - key: username
              target: USERNAME
            - key: password
              target: PASSWORD
token
http:
  - name: authenticated-access
    url: https://my.health.checker.com/health
    credentials:
      - k8s_secret:
          namespace: my-namespace
          name: my-secret
          key: token
          target: TOKEN

A more complex example using daisy-chained credentials

http:
  - name: anonymous-access
    url: https://my.health.checker.com/health
    credentials:
      - k8s_secret:
          namespace: default
          name: my-secret
          keys:
            - key: vault-token
              target: VAULT_TOKEN
              expose: true
            - key: vault-addr
              target: VAULT_ADDR
              expose: true
      - vault:
          engine: kv2
          mount: secret
          keys:
            - path: /aws/creds
              key: access-key
              target: AWS_ACCESS_KEY_ID
              expose: true
            - path: /aws/creds
              key: secret-key
              target: AWS_SECRET_ACCESS_KEY
              expose: true
      - k8s_cm:
          namespace: default
          name: my-configmap
          key: region
          target: AWS_REGION
          expose: true
      - aws_ssm:
          decryption: true
          path: /secret
          key: ssm-secret
          target: MY_APP_TOKEN

Credentials

Schema

| Type | Description | Fields | Docs |
|---|---|---|---|
| k8s_secret | Kubernetes Secret | namespace, name, key | link |
| k8s_cm | Kubernetes ConfigMap | namespace, name, key | link |
| vault | Hashicorp Vault | engine, mount, keys | link |
| aws_ssm | AWS Systems Manager | decryption, keys | link |
| aws_sm | AWS Secrets Manager | path, key | link |

Common keywords

Note

All fetched credentials are automatically shared with other services via an internal secret bus.
However, it is sometimes desirable to be able to consume and expose environment variables to downstream services.
This is not active by default but can be enabled by using the expose field.

| Keyword | Description |
|---|---|
| path | The path to the secret. |
| key | If provided, the secret will be parsed and the value matching the key will be extracted. |
| target | The variable name to set the value to in the secret bus and environment variable when applicable. |
| expose | Whether to expose the value as an environment variable. (Defaults to false) |
| keys | A list of path, key, target, expose (and other additional fields when applicable) items allowing multiple secrets to be fetched/e at once. |
...
credentials: # [list of credential providers]
  - <type>: # identifier (e.g. vault, aws_ssm, aws_sm)
      <foo>: <bar> # dynamic fields appropriate for the credential provider
      <baz>: <qux>
  ...
  - <type>:
      <foo>: <bar>
      <baz>: <qux> 

Note

Credential types can be daisy-chained together to provide a more complex credential resolution mechanism.
For example:

...
credentials:
  - k8s_secret:
      namespace: default
      name: my-secret
      keys:
        - key: vault-token
          target: VAULT_TOKEN
          expose: true
        - key: vault-addr
          target: VAULT_ADDR
          expose: true
  - vault:
      engine: kv2
      mount: secret
      keys:
        - path: /aws/creds
          key: access-key
          target: AWS_ACCESS_KEY_ID
          expose: true
        - path: /aws/creds
          key: secret-key
          target: AWS_SECRET_ACCESS_KEY
          expose: true
  - k8s_cm:
      namespace: default
      name: my-configmap
      key: region
      target: AWS_REGION
      expose: true
  - aws_ssm:
      decryption: true
      path: /secret
      key: ssm-secret
      target: MY_APP_SECRET

Supported credentials

Kubernetes Secret

expand me! ✨
...
credentials:
  - k8s_secret:
      namespace: default
      name: my-secret
      key: secret
      target: MY_SECRET
      expose: true

Kubernetes ConfigMap

expand me! ✨
...
credentials:
  - k8s_cm:
      namespace: default
      name: my-secret
      key: secret
      target: MY_SECRET
      expose: true

Hashicorp Vault

expand me! ✨
...
credentials:
  - vault:
      # address: <value> # Defaults to VAULT_ADDR - @TODO(paulo) WIP
      # token_var: <var> # Defaults to VAULT_TOKEN - @TODO(paulo) WIP
      engine: kv2
      mount: secret
      keys:
        - path: /path
          key: user
          target: MY_USER
          expose: true
        - path: /path
          key: secret
          target: MY_SECRET

AWS Systems Manager

expand me! ✨
...
credentials:
  - aws_ssm:
      decryption: true
      keys:
        - path: /path
          key: user
          target: MY_USER
        - path: /path
          key: secret
          target: MY_SECRET

AWS Secrets Manager

expand me! ✨
...
credentials:
  - aws_sm:
      path: /path
      key: secret
      target: MY_SECRET
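The resolution mechanism the description sketches (providers run in order, each writing its targets to the secret bus, later providers reading what earlier ones resolved, and `expose` gating export to the environment) as an added illustration in Go. It is not code from this PR or from isometry/platform-health: the `Provider`, `Step` and `SecretBus` types and the two in-memory providers are assumed shapes, and the secret data, Vault address and token are constructed. The reversed run shows that a chain is order-sensitive: the vault step fails closed when VAULT_ADDR/VAULT_TOKEN have not been resolved yet, and nothing is exported.

```go
package main

import (
	"errors"
	"fmt"
)

// SecretBus stands in for the PR's "internal secret bus" (assumed type).
type SecretBus map[string]string

// KeySpec mirrors one item of a provider's `keys` list. Target names the bus
// entry and, only when Expose is true (default false), the environment variable.
type KeySpec struct {
	Path, Key, Target string
	Expose            bool
}

// Provider is the assumed pluggable interface. Fetch receives the bus so a
// provider can consume values resolved by earlier providers in the chain.
type Provider interface {
	Type() string
	Fetch(bus SecretBus, spec KeySpec) (string, error)
}

// Step is one `- <type>:` entry of the credentials list.
type Step struct {
	Provider Provider
	Keys     []KeySpec
}

// Resolve runs the chain in order: every value goes to the bus, and only
// exposed values go to setenv (pass os.Setenv in production; tests inject a
// recorder). The first failure stops the chain so nothing partial is exported.
func Resolve(bus SecretBus, chain []Step, setenv func(key, value string) error) error {
	for _, step := range chain {
		for _, spec := range step.Keys {
			val, err := step.Provider.Fetch(bus, spec)
			if err != nil {
				return fmt.Errorf("%s: %w", step.Provider.Type(), err)
			}
			bus[spec.Target] = val
			if spec.Expose {
				if err := setenv(spec.Target, val); err != nil {
					return err
				}
			}
		}
	}
	return nil
}

// k8sSecret stands in for k8s_secret; a constructed "namespace/name" -> key ->
// value map replaces the Kubernetes API call.
type k8sSecret struct {
	Namespace, Name string
	Data            map[string]map[string]string
}

func (k k8sSecret) Type() string { return "k8s_secret" }

func (k k8sSecret) Fetch(_ SecretBus, spec KeySpec) (string, error) {
	val, ok := k.Data[k.Namespace+"/"+k.Name][spec.Key]
	if !ok {
		return "", fmt.Errorf("secret %s/%s has no key %q", k.Namespace, k.Name, spec.Key)
	}
	return val, nil
}

// vaultKV2 stands in for the vault provider. As in the PR's chaining example it
// reads VAULT_ADDR and VAULT_TOKEN from the bus, so it must run after the
// provider that supplies them. Addr and Token are what the fake server accepts.
type vaultKV2 struct {
	Mount, Addr, Token string
	Store              map[string]map[string]string // mount+path -> key -> value
}

func (v vaultKV2) Type() string { return "vault" }

func (v vaultKV2) Fetch(bus SecretBus, spec KeySpec) (string, error) {
	addr, token := bus["VAULT_ADDR"], bus["VAULT_TOKEN"]
	if addr == "" || token == "" {
		return "", errors.New("VAULT_ADDR and VAULT_TOKEN must be resolved earlier in the chain")
	}
	if addr != v.Addr || token != v.Token {
		return "", errors.New("vault authentication failed")
	}
	val, ok := v.Store[v.Mount+spec.Path][spec.Key]
	if !ok {
		return "", fmt.Errorf("no key %q at %s%s", spec.Key, v.Mount, spec.Path)
	}
	return val, nil
}

// DemoChain wires the PR's k8s_secret -> vault example over constructed data and
// returns the bus plus what would have been exported; reversed swaps the order.
func DemoChain(reversed bool) (SecretBus, map[string]string, error) {
	const addr, token = "https://vault.example.internal", "hvs.constructed-token" // constructed
	secrets := k8sSecret{Namespace: "default", Name: "my-secret",
		Data: map[string]map[string]string{"default/my-secret": {"vault-token": token, "vault-addr": addr}}}
	vault := vaultKV2{Mount: "secret", Addr: addr, Token: token,
		Store: map[string]map[string]string{"secret/aws/creds": {"access-key": "AKIACONSTRUCTED", "secret-key": "constructed-secret"}}}
	chain := []Step{
		{Provider: secrets, Keys: []KeySpec{
			{Key: "vault-token", Target: "VAULT_TOKEN", Expose: true},
			{Key: "vault-addr", Target: "VAULT_ADDR", Expose: true}}},
		{Provider: vault, Keys: []KeySpec{
			{Path: "/aws/creds", Key: "access-key", Target: "AWS_ACCESS_KEY_ID", Expose: true},
			{Path: "/aws/creds", Key: "secret-key", Target: "AWS_SECRET_ACCESS_KEY"}}}, // bus only
	}
	if reversed {
		chain[0], chain[1] = chain[1], chain[0]
	}
	bus, exported := SecretBus{}, map[string]string{}
	err := Resolve(bus, chain, func(k, v string) error { exported[k] = v; return nil })
	return bus, exported, err
}

func main() {
	bus, exported, err := DemoChain(false)
	fmt.Printf("in order: %d bus entries, %d exported, err=%v\n", len(bus), len(exported), err)
	_, _, err = DemoChain(true)
	fmt.Println("reversed:", err)
}
```

Passing os.Setenv as the setenv argument gives the PR's expose behaviour; the injected recorder keeps the demo hermetic. Leaving AWS_SECRET_ACCESS_KEY bus-only while exposing the key id mirrors the default of expose: false, which is the setting to keep whenever the downstream check does not actually need the value in its process environment.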

@pcanilho pcanilho marked this pull request as draft July 26, 2024 18:38
@pcanilho pcanilho marked this pull request as ready for review December 19, 2024 08:31
Comment on lines 9 to +13
"github.com/fsnotify/fsnotify"
"github.com/mitchellh/mapstructure"
"github.com/spf13/viper"

"github.com/isometry/platform-health/pkg/provider"
"github.com/isometry/platform-health/pkg/utils"
"github.com/mitchellh/mapstructure"
"github.com/spf13/viper"
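Review bot: as displayed, `github.com/mitchellh/mapstructure` and `github.com/spf13/viper` appear twice in this import region, once next to `fsnotify` and again after the local `platform-health` imports; Go rejects a duplicate import of the same path, so the final file should keep a single copy of each in the third-party group (`fsnotify`, `mapstructure`, `viper`), between the standard-library block and the local `github.com/isometry/platform-health/...` block.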

My style is three import blocks: stdlib => third-party => local
