
Move secrets to secrets resource #82

Merged

Conversation

adammohammed
Contributor

@adammohammed adammohammed commented Aug 30, 2024

This PR moves the NATS token and accessToken.source.clientCredentials.clientSecret out from the configMap and into secrets loaded as environment variables in the container.

FileToken.TokenPath gets flagged by secrets scanners despite it not being a sensitive credential, so that got renamed to just File which still makes sense in the config path accessToken.source.file.tokenPath.

AccessToken was also giving chart consumers trouble with security scans, so that was renamed to accessTokenProvider.

Breaking changes from existing chart:

  • Configuration for GetAccessToken now changes from accessToken to accessTokenProvider
  • File token path changes from accessTokenProvider.source.fileToken.tokenPath to accessTokenProvider.source.file.tokenPath (s/fileToken/file/)
  • Downstream charts which depend on this chart must also deploy iam-runtime-infratographer.secrets within the namespace if loading configuration from events.nats.token and accessTokenProvider.source.clientCredentials.clientSecret for the runtime.

This PR moves the NATS token and
`accessToken.source.clientCredentials.clientSecret` out from the
configMap and into secrets loaded as environment variables in the
container.

FileToken.TokenPath gets flagged by secrets scanners despite it not
being a sensitive credential, so that got renamed to just `File` which
still makes sense in the config path
`accessToken.source.file.tokenPath`.

AccessToken was also giving chart consumers trouble with security
scans

Signed-off-by: Adam Mohammed <admohammed@equinix.com>
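As an added illustration of the layout the PR describes (not the chart's own templates), the two credentials live in a Kubernetes Secret and reach the container as environment variables, while the ConfigMap keeps only non-sensitive settings such as the token file path. The Secret, ConfigMap, env var and key names are assumptions.

```yaml
# Added example, not the iam-runtime-infratographer chart's templates; all names are assumed.
apiVersion: v1
kind: Secret
metadata:
  name: iam-runtime-infratographer-secrets   # assumed name
type: Opaque
stringData:
  nats-token: "<NATS token, supplied at deploy time>"
  client-secret: "<OAuth client secret, supplied at deploy time>"
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: iam-runtime-infratographer-config    # assumed name
data:
  # Non-sensitive settings only; the credentials above are no longer stored here.
  config.yaml: |
    accessTokenProvider:
      source:
        file:
          tokenPath: /var/run/secrets/tokens/token   # a path, not a credential
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: iam-runtime-infratographer
spec:
  selector:
    matchLabels: {app: iam-runtime-infratographer}
  template:
    metadata:
      labels: {app: iam-runtime-infratographer}
    spec:
      containers:
        - name: runtime
          image: ghcr.io/example/iam-runtime-infratographer:latest   # placeholder image
          env:
            # Each credential is read from the Secret at pod start; if the Secret is
            # absent in the namespace the pod fails to start (the breaking change noted above).
            - name: IAMRUNTIME_EVENTS_NATS_TOKEN   # assumed env var name
              valueFrom:
                secretKeyRef: {name: iam-runtime-infratographer-secrets, key: nats-token}
            - name: IAMRUNTIME_ACCESSTOKENPROVIDER_SOURCE_CLIENTCREDENTIALS_CLIENTSECRET   # assumed
              valueFrom:
                secretKeyRef: {name: iam-runtime-infratographer-secrets, key: client-secret}
          volumeMounts:
            - {name: config, mountPath: /etc/iam-runtime}
      volumes:
        - name: config
          configMap: {name: iam-runtime-infratographer-config}
```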
@adammohammed adammohammed requested review from a team as code owners August 30, 2024 18:34
@codecov-commenter

Codecov Report

Attention: Patch coverage is 0% with 15 lines in your changes missing coverage. Please review.

Please upload report for BASE (main@fd273cb). Learn more about missing BASE report.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| internal/accesstoken/config.go | 0.00% | 12 Missing ⚠️ |
| internal/accesstoken/tokensource.go | 0.00% | 2 Missing ⚠️ |
| cmd/serve.go | 0.00% | 1 Missing ⚠️ |
```
@@          Coverage Diff           @@
##             main     #82   +/-   ##
======================================
  Coverage        ?   9.77%           
======================================
  Files           ?      22           
  Lines           ?     696           
  Branches        ?       0           
======================================
  Hits            ?      68           
  Misses          ?     622           
  Partials        ?       6           
```

| Flag | Coverage Δ |
|---|---|
| unittests | 9.77% <0.00%> (?) |

Flags with carried forward coverage won't be shown.


@adammohammed adammohammed merged commit bc97b30 into infratographer:main Sep 3, 2024
4 checks passed