NET-1721: Automatic ACL bootstrap with Vault secrets backend #1920

Merged
merged 6 commits into from
Mar 6, 2023

Commits on Mar 6, 2023

  1. NET-1721: Automatic ACL bootstrap with Vault secrets backend

    With the Vault secrets backend, server-acl-init now:
    * Runs the Vault agent as a sidecar
    * Bootstraps ACLs if the Vault bootstrap token is empty or not found,
      and writes the bootstrap token back to Vault via the Vault agent
    
    This adds the Vault SDK to the control-plane binary.
    This added 1 MB to the binary size (74 MB to 75 MB).
    Paul Glass committed Mar 6, 2023
    4d1ab0e
  2. Apply suggestions from code review

    Co-authored-by: Chris Thain <32781396+cthain@users.noreply.github.com>
    Paul Glass and cthain committed Mar 6, 2023
    a59a16a
  3. Improve Vault secrets backend

    * The Kubernetes backend will write the bootstrap token to the
      user-provided secret if that secret is empty. The Vault behavior is
      the same.
    * The Vault backend writes to a default secret name if the secretName
      and secretKey are not set in the Helm chart values.
    * Pass the Vault namespace to server-acl-init
    
    server-acl-init reads the secret directly from k8s or Vault.
    * Remove -bootstrap-token-file flag from server-acl-init and remove the
    * Remove the volume/mount for that. And update all the tests for that. Remove
    the bootstrap token secret injection / template the Vault agent.
    Paul Glass committed Mar 6, 2023
    9e701b8
  4. Update changelog

    Paul Glass committed Mar 6, 2023
    583d545
  5. Fix changelog

    Paul Glass committed Mar 6, 2023
    2ae60da
  6. Fix changelog again

    Paul Glass committed Mar 6, 2023
    8ebd3e7