-
Notifications
You must be signed in to change notification settings - Fork 5
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add vault_pki
modules
#57
Conversation
bad026c
to
4ec10b6
Compare
This looks nice so far. Some things I noticed while skimming (just trying to help + persist it for a future review, you're probably aware of many of them since this is a draft): General:
More specific:
Thanks a lot for working on this! Sorry for the mess, I didn't want to focus too much on specific lines in the current state. |
Thanks for the comment! Really appreciated. To the points:
Once again, thank you for spending time and efforts looking at this! |
It's a float because in theory, Vault handles values such as It might be sufficient to just add a
Likewise! |
2776523
to
6769c7f
Compare
salt-extensions/central-artifacts#4 should help with (some of) the failures by a) dropping 3005 from the tests and |
Thanks for that! Meanwhile I'm adding more tests and fixing few minor issues here and there. |
So... Tests are added and passing (locally). Opening the PR ready for review. |
Will add more functionality once this is approved and merged (just to be sure logic and code style are acceptable). |
Probably I should also update dependencies = [
"salt>=3005",
] to dependencies = [
"salt>=3006",
"cryptography>=41.0.3"
] but we can do it a little bit later. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks pretty good. Thanks a lot for taking the time to write the tests!
I'll play with the modules a bit until you had a chance to consider the suggestions and we get the central-artifacts
PR merged.
At some point in the future, I might try to improve the docs a bit further (you can review the PR then), but they are mostly fine for now.
Note: We should point out that minions need to be able to read their role configuration for certificate_managed
. It could be a possible future addition to not hard-require this and rely on expiration only in case it's not accessible.
Yup, I'll do that in a follow-up PR since that touches the copier template variables. What's the reason for |
Not big one. Is the one installed with Salt 3006.3 (any versions before that have major issues with x509 module). But >=42 is more than fine! |
@lkubb, first I want to thank you for the quick and detailed review! I think I fixed/changed everything mentioned. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for taking care of the suggestions so quickly! Just some additional nits and the few outstanding ones from the last review.
Edit: Also we'll need a changelog file, maybe something like:
echo "Added vault_pki modules for interfacing with the PKI backend and managing X.509 certificates" > changelog/58.added.md
All should be fixed. Added the changelog. Also, decide to rename |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for your patience in bearing with me and sorry for the iterative approach [big PR :)]. We're nearly there!
Those two were missed by GitHub in the last review for some reason, but at least the potential crash should be addressed:
Yeah. I was expecting issues as it's really big one and I still didn't have the enough experience with Salt's codebase. I also want to thank you for the patience and all the checks! I think I fixed those two and the rest mentioned. |
We're all learning on some level, the Salt code base is a behemoth. 😅 Perfect, I think that addresses everything I noticed code-wise so far. Will wait with approval/merge until CI is passing. If anything comes up in the meantime, I might leave another review. Thanks a lot for your significant contribution, much appreciated! And feel free to expand on the modules whenever you like. TODO for myself:
|
Thanks once again! Will do, probably in another PR to avoid messing with this one :). |
@voyvodov Sorry for the massive delay, I really tried to push though... Happy to report the necessary change is finally in. Are you still interested in finishing up this PR? If so, I'd suggest to:
|
9bf8495
to
e020e16
Compare
Co-authored-by: jeanluc <[email protected]>
Vault always expects `application/merge-patch+json` content type when using patch (https://developer.hashicorp.com/vault/docs/commands/patch)
Sure. Changes are done, fixup commits are squashed and branch is re-based. Also did some final small fixes (for python3.8 which requires typing classes). Should be okey for merging. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks again for persevering and creating this valuable contribution! :)
I'm going to merge this now and create a new release. Once again, feel free to keep improving this extension, very much appreciated!
What does this PR do?
Add execution and state modules for managing and using Vault's PKI secret store.
Currently the following states are added:
certificate_managed
- Used to manage and renew certificates issued by Vault. Pretty much replicate thex509.certificate_managed
module.role_managed
- Used to manage PKI roles in Vault and keep them according to the state.role_absent
- Used to ensure PKI role is absent from Vault.In terms of execution module, there are several modules providing possibility to manage issuers, roles, certificates, keys.
Some updates in utils which will provide helpers for PKI modules functionality.
What issues does this PR fix or reference?
Fixes: #56
Previous Behavior
Remove this section if not relevant
New Behavior
Remove this section if not relevant
Merge requirements satisfied?
[NOTICE] Bug fixes or features added to Salt require tests.
Commits signed with GPG?
Yes/No
Please review Salt's Contributing Guide for best practices.
See GitHub's page on GPG signing for more information about signing commits with GPG.