-
Notifications
You must be signed in to change notification settings - Fork 4.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
allow externalizing/encrypting config secret values #7608
Conversation
[test][extended:ldap_groups] |
@deads2k for config/serialization @sgallagher for encrypt/decrypt commands and output (encrypted using https://golang.org/pkg/crypto/x509/#EncryptPEMBlock) @detiber / @sdodson for interactions with ansible... not sure how the bindPassword (for LDAP) and clientSecret (OAuth/OpenID) fields are handled by ansible if they could be either a string or a struct. |
} | ||
} | ||
|
||
func GetExternalizableStringValue(s ExternalizableString) (string, error) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is a bad name. I like GetClearText
better. An ExternalizableString
isn't very helpful to me reading it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm open to better names for the type as well. StringSource
? ResolveStringSource()
? I could see using these for env-specific things in combination with an etcd-stored config as well
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm open to better names for the type as well. StringSource? ResolveStringSource()? I could see using these for env-specific things in combination with an etcd-stored config as well
Those are better.
I'd feel a lot better about this with an extended test using an actual |
Just curious, is there a card or something that outlines the intention here? |
Need docs for the types, but otherwise I'm happy with them. I'd still a test or issue for a test that actually makes use of this from a yaml file. @sgallagher I didn't look at the command in any detail. |
@deads2k not quite from yaml on disk, but this is close: https://github.com/openshift/origin/pull/7608/files#diff-7e8d11670ba88f9227b91aeea7c786ba did I miss an easy way to make the integration stuff persist/read the master config from disk? |
nevermind, got it round-tripping in the integration test at https://github.com/openshift/origin/pull/7608/files#diff-7e8d11670ba88f9227b91aeea7c786baR135 |
tests and doc added, any last comments from @deads2k or @sgallagher? |
will open a docs PR separately |
open questions:
|
Three or is one of those just a test? Oh, you need the trailing whitespace/newline to support entering usernames, don't you? :) I don't see any of those problems as blockers for this pull. |
@sgallagher you going to go through the command? The types looked fine to me. |
continuous-integration/openshift-jenkins/test Running (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/1733/) (Extended Tests: ldap_groups) |
LGTM |
[merge] |
flake #7706 |
continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/merge_pull_requests_origin/5148/) (Image: devenv-rhel7_3575) |
Evaluated for origin test up to 70fd4c7 |
Evaluated for origin merge up to 70fd4c7 |
This PR allows externalizing/encrypting secret fields in the config. Previously, something like LDAP config had to do this:
With this PR, it can do that, or do any of these:
This PR adds support for these formats to the
bindPassword
andclientSecret
fields in the master and LDAP group sync config files.Docs in openshift/openshift-docs#1669