Conversation
Signed-off-by: ChrisJBurns <29541485+ChrisJBurns@users.noreply.github.com>
Signed-off-by: ChrisJBurns <29541485+ChrisJBurns@users.noreply.github.com>
|
need a rebase |
Signed-off-by: Chris Burns <29541485+ChrisJBurns@users.noreply.github.com>
Signed-off-by: Chris Burns <29541485+ChrisJBurns@users.noreply.github.com>
|
@cpanato Thanks for the above, just rebased and reverted the copyright date back to 2024. |
cpanato
left a comment
cpanato
left a comment
There was a problem hiding this comment.
lgtm
seems ok
thank you
would like to have another pair of 👀
|
Amazing, thank you @cpanato much appreciated! 🚀 |
wlynch
left a comment
wlynch
left a comment
There was a problem hiding this comment.
Some minor comments, but overall looks good!
pkg/secrets/gcp/gcp_test.go
Outdated
| // Set up the fake server. | ||
| impl := &fakeSecretManager{} | ||
| l, err := net.Listen("tcp", "localhost:0") | ||
| assert.NoError(t, err) | ||
|
|
||
| gsrv := grpc.NewServer() | ||
| secretmanagerpb.RegisterSecretManagerServiceServer(gsrv, impl) | ||
| fakeServerAddr := l.Addr().String() | ||
| go func() { | ||
| if err := gsrv.Serve(l); err != nil { | ||
| panic(err) | ||
| } | ||
| }() | ||
| defer gsrv.Stop() | ||
|
|
||
| // Create a client. | ||
| client, err := secretmanager.NewClient(ctx, | ||
| option.WithEndpoint(fakeServerAddr), | ||
| option.WithoutAuthentication(), | ||
| option.WithGRPCDialOption(grpc.WithTransportCredentials(insecure.NewCredentials())), | ||
| ) | ||
| assert.NoError(t, err) |
There was a problem hiding this comment.
Pull this into a func (use t.Cleanup instead of defer for closing the client)
pkg/secrets/secrets.go
Outdated
| awsSecretManager *awsSM.Client | ||
| } | ||
|
|
||
| func (s *secretProvider) GetSecret(keyID string) ([]byte, error) { |
There was a problem hiding this comment.
Can we plumb the context through here instead of embedding it in the struct?
We only do this for the signers in order to comply with the jwt.SigningMethod interface, but otherwise the preference would be to plumb the context through so it can be configured per-call.
pkg/kms/gcp/gcp.go
Outdated
| // NewSigner returns a new signer for the provider. | ||
| func (p *Provider) NewSigner() (ghinstallation.Signer, error) { | ||
| return p, nil | ||
| } |
There was a problem hiding this comment.
You can delete this - this isn't really adding anything except proving *Provider implements Signer (which we could also do with var _ ghinstallation.Signer = &Provider{}
| key string | ||
| } | ||
|
|
||
| func New(_ context.Context, client *kms.KeyManagementClient, key string) (ghinstallation.Signer, error) { |
There was a problem hiding this comment.
I'm not sure if anyone is using this externally - keep the function signature in place as a wrapper around NewProvider (you probably need to add a NewProviderWithClient) and mark this as deprecated.
|
Much appreciated @wlynch ❤️ I'll get right on addressing the PR comments. Wondering if you had a chance to merge a fix for #892 (comment). As far as I know it still happened the last time I checked. I'll be trying it all again anyways with an updated version of OctoSTS incase there were fixes that were merged more recently that resolved it. |
|
@wlynch I can confirm that I have got this working in AWS now! Not sure if the infinite-loop issue that was detailed in the original PR has been fixed on I'll get right on the addressing of PR comments above, in addition, I'm not sure if you'd like me to submit an "example" AWS Terraform setup using AWS ECS, Secrets Manager and KMS. I'm happy to do so, but it will obviously likely get outdated as time goes by and the Terraform modules/AWS APIs evolve. |
Co-authored-by: Billy Lynch <1844673+wlynch@users.noreply.github.com> Signed-off-by: Chris Burns <29541485+ChrisJBurns@users.noreply.github.com>
Co-authored-by: Billy Lynch <1844673+wlynch@users.noreply.github.com> Signed-off-by: Chris Burns <29541485+ChrisJBurns@users.noreply.github.com>
|
I haven't attempted again since #988 - I'll probably have some time over the break to look at this again though! Glad to hear it's working for you now though :) |
…erServiceServer Signed-off-by: Chris Burns <29541485+ChrisJBurns@users.noreply.github.com>
Signed-off-by: Chris Burns <29541485+ChrisJBurns@users.noreply.github.com>
Signed-off-by: Chris Burns <29541485+ChrisJBurns@users.noreply.github.com>
Signed-off-by: Chris Burns <29541485+ChrisJBurns@users.noreply.github.com>
Signed-off-by: Chris Burns <29541485+ChrisJBurns@users.noreply.github.com>
|
@wlynch No problems, I've just pushed up several commits that address your review comments, let me know what you think! - Happy Christmas 🎅 |
|
Hi @ChrisJBurns |
|
@jgrumboe I can certainly submit an extra PR after this one if the folks at Chainguard are happy. However I feel it may get outdated as the Terraform and AWS APIs evolve, but maybe as an initial reference its ok. |
Signed-off-by: Chris Burns <29541485+ChrisJBurns@users.noreply.github.com>
|
Hey @wlynch, hope you had a great Christmas and New Year, any chance of a lil review of my new changes? |
lf-
left a comment
lf-
left a comment
There was a problem hiding this comment.
A bit of absolutely non-blocking feedback: you can integration test the crypto of the AWS KMS using https://github.com/nsmithuk/local-kms if you'd like :)
I don't, however, think the code is especially possible to screw up, so integration tests aren't necessarily very critical. The reason I know a bit about this is because I just wrote another KMS integration, from which one might be able to borrow some ideas for such an integration test: indygreg/apple-platform-rs#274
5 participants
Recreates #892
For some reason the underlying repo that had the original PR code was deleted. This PR restores that contribution because like others I would still very much be interested in hosting a version of the OctoSTS app on AWS using AWS KMS and Secrets Manager.
implements #438