Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[WIP] remove sensitive data from MR and resolve references just before use to not leak secrets data in to MR after resolved. #252

Closed
wants to merge 36 commits into from
Closed

[WIP] remove sensitive data from MR and resolve references just before use to not leak secrets data in to MR after resolved. #252

wants to merge 36 commits into from

Conversation

mad01
Copy link

@mad01 mad01 commented May 22, 2024
edited
Loading

One implementation to fix #223 to not render sensitive data in to the MR from a secret rendered

Description of your changes

Fixes #

I have:

  • Read and followed Crossplane's contribution process.
  • Run make reviewable test to ensure this PR is ready for review.

How has this code been tested

@mad01
Copy link
Author

mad01 commented May 22, 2024
edited
Loading

i have some failing tests left that i have to fix. and some todos to remove

haarchri and others added 29 commits May 23, 2024 11:38
@haarchri
feat(in-cluster): update example to use native crossplane way
f681940 
Signed-off-by: Christopher Haar <[email protected]>
Signed-off-by: Alexander Brandstedt <[email protected]>
@haarchri
feat(in-cluster): update example to use native crossplane way
2cb7d75 
Signed-off-by: Christopher Haar <[email protected]>
Signed-off-by: Alexander Brandstedt <[email protected]>
@turkenh
Update version in incluster example
7e79c25 
Signed-off-by: Hasan Turken <[email protected]>
Signed-off-by: Alexander Brandstedt <[email protected]>
@turkenh
Bump dependencies
db6d951 
Signed-off-by: Hasan Turken <[email protected]>
Signed-off-by: Alexander Brandstedt <[email protected]>
enable opt-in to redact Secret data from Object status
8592e33 
Signed-off-by: rladdukodiraghav <[email protected]>
Signed-off-by: Alexander Brandstedt <[email protected]>
address review comments: use fieldPath library to set redacted data
d29c762 
Signed-off-by: rladdukodiraghav <[email protected]>
Signed-off-by: Alexander Brandstedt <[email protected]>
update CI go version to go-1.21
292c7b5 
Signed-off-by: rladdukodiraghav <[email protected]>
Signed-off-by: Alexander Brandstedt <[email protected]>
@ravilr
Add jitter to poll interval
c596239 
Signed-off-by: ravilr <[email protected]>
Signed-off-by: Alexander Brandstedt <[email protected]>
@ravilr
make poll jitter percentage configurable through flag option
90c5b60 
Signed-off-by: ravilr <[email protected]>
Signed-off-by: Alexander Brandstedt <[email protected]>
@turkenh
Use better defaults for poll interval and max reconcile rate
a68bf67 
Signed-off-by: Hasan Turken <[email protected]>
Signed-off-by: Alexander Brandstedt <[email protected]>
@turkenh
Do not wait for poll interval if not ready
fddaba8 
Signed-off-by: Hasan Turken <[email protected]>
Signed-off-by: Alexander Brandstedt <[email protected]>
@ravilr
fix missing ToConnectionSecretKey in conversion
382c96b 
Signed-off-by: ravilr <[email protected]>
Signed-off-by: Alexander Brandstedt <[email protected]>
@pedjak
Add ObservedObjectCollection API type (crossplane-contrib#217)
6448624 
* Add `ObservedObjectCollection` API type

Objects in the collection are defined by:
* GVK
* optional namespace
* label selector

The objects are fetched using the specified provider config
and for the matched objects the provider creates counterpart
observe-only objects in the local cluster.

The created objects are owned by the collection resource and
reconciled as usual by the provider. They are labeled with a common label, so that they can be fetched easily.
The label is discoverable by reading  `.status.membershipLabel` field of `ObservedObjectCollection`.

Signed-off-by: Predrag Knezevic <[email protected]>
Signed-off-by: Alexander Brandstedt <[email protected]>
@scubbo
Update README with correct installation instructions
4cbf040 
See crossplane-contrib#233

Signed-off-by: Jack Jackson <[email protected]>
Signed-off-by: Alexander Brandstedt <[email protected]>
@scubbo @jbw976
Update README.md
91d8438 
Co-authored-by: Jared Watts <[email protected]>
Signed-off-by: Jack Jackson <[email protected]>
Signed-off-by: Alexander Brandstedt <[email protected]>
@turkenh
Bump build submodule and dependencies to latest
ba12c53 
Signed-off-by: Hasan Turken <[email protected]>
Signed-off-by: Alexander Brandstedt <[email protected]>
@turkenh
Implement watching referenced resources
d1539b6 
Signed-off-by: Hasan Turken <[email protected]>
Signed-off-by: Alexander Brandstedt <[email protected]>
@turkenh
Watch managed resources as well
ac7ee5d 
Signed-off-by: Hasan Turken <[email protected]>
Signed-off-by: Alexander Brandstedt <[email protected]>
@turkenh
Do not start multiple caches against the same host
8fb68a4 
Signed-off-by: Hasan Turken <[email protected]>
Signed-off-by: Alexander Brandstedt <[email protected]>
@turkenh
Do not attempt resolving references if object is being deleted
a3fa10e 
Fixes crossplane-contrib#138

Signed-off-by: Hasan Turken <[email protected]>
Signed-off-by: Alexander Brandstedt <[email protected]>
@turkenh
Put resource watching behind feature flag
c1c9425 
Signed-off-by: Hasan Turken <[email protected]>
Signed-off-by: Alexander Brandstedt <[email protected]>
@turkenh
Fix unit tests and code comments
a604c64 
Signed-off-by: Hasan Turken <[email protected]>
Signed-off-by: Alexander Brandstedt <[email protected]>
@turkenh
Start an informer per provider config & gvk pair
5f12a80 
Signed-off-by: Hasan Turken <[email protected]>
Signed-off-by: Alexander Brandstedt <[email protected]>
@turkenh
Start watching even if it does not exist (yet)
1e56b1d 
Signed-off-by: Hasan Turken <[email protected]>
Signed-off-by: Alexander Brandstedt <[email protected]>
@turkenh
Catch add or delete events as well
1398190 
Signed-off-by: Hasan Turken <[email protected]>
Signed-off-by: Alexander Brandstedt <[email protected]>
@turkenh
Stop watching on Object deletion
9714e9e 
Signed-off-by: Hasan Turken <[email protected]>
Signed-off-by: Alexander Brandstedt <[email protected]>
@turkenh
Only watch the resource if desired
d1ccd44 
Signed-off-by: Hasan Turken <[email protected]>
Signed-off-by: Alexander Brandstedt <[email protected]>
@turkenh
Better naming for index functions
bd6d7ee 
Signed-off-by: Hasan Turken <[email protected]>
Signed-off-by: Alexander Brandstedt <[email protected]>
@turkenh
Do not use pointer for optional bool watch
4b863a7 
Signed-off-by: Hasan Turken <[email protected]>
Signed-off-by: Alexander Brandstedt <[email protected]>
turkenh and others added 7 commits May 23, 2024 11:38
@turkenh
Double check if cache is started already
cbeeeff 
Signed-off-by: Hasan Turken <[email protected]>
Signed-off-by: Alexander Brandstedt <[email protected]>
@turkenh
Refactor clients package
2f543db 
Signed-off-by: Hasan Turken <[email protected]>
Signed-off-by: Alexander Brandstedt <[email protected]>
@turkenh
Rely on garbage collect and override default DefaultWatchErrorHandler
5723426 
Signed-off-by: Hasan Turken <[email protected]>
Signed-off-by: Alexander Brandstedt <[email protected]>
@turkenh
Add e2e for watching object
d1842e4 
Signed-off-by: Hasan Turken <[email protected]>
Signed-off-by: Alexander Brandstedt <[email protected]>
@turkenh
Always pass update event to reconciler
683fa86 
Signed-off-by: Hasan Turken <[email protected]>
Signed-off-by: Alexander Brandstedt <[email protected]>
@ezgidemirel
Introduce MR metrics
cdf816f 
Signed-off-by: ezgidemirel <[email protected]>
Signed-off-by: Alexander Brandstedt <[email protected]>
change resolve logic to exclude secret when initial resolve runs in
61b5cbc 
observer loop. This to stop secrets payload from ending in the MR
and instead resolve one moretime for the secret just before use in
Create/Update/Delete funcs

Signed-off-by: Alexander Brandstedt <[email protected]>
@mad01 mad01 closed this May 23, 2024
@mad01 mad01 deleted the sensitive-data branch May 23, 2024 09:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Enable Secret References to hide sensitive data
7 participants
@mad01 @haarchri @turkenh @ravilr @pedjak @scubbo @ezgidemirel