
feat: support _json_key when mutating docker credentials #91

Merged

Conversation

csatib02 (Member)

Overview

  • Made the Auth field of type interface{}, because this way, when a _json_key is received under the auth key of a .dockerconfigjson, it can be handled.
  • I left the username/password splitting case as it was, and added a check for _json_key and another check for the case where a vault path is received upfront at the auth key.

Fixes: bank-vaults/vault-secrets-webhook#81

Notes for reviewers

  • I tested the new functionality with these 3 dockerconfigjson secrets. The passing e2e tests prove that the already implemented username/password authentication option is still working.

```yaml
# test.yaml
# For this to work, run: vault kv put secret/test/mysql MYSQL_PASSWORD=3xtr3ms3cr3t
# Decoded structure of data:
# {
#   "auths": {
#     "https://myrepov": {
#       "auth": "vault:secret/data/test/mysql#MYSQL_PASSWORD"
#     }
#   }
# }

apiVersion: v1
kind: Secret
type: kubernetes.io/dockerconfigjson
metadata:
  name: broken-thing
  annotations:
    vault.security.banzaicloud.io/vault-skip-verify: "true"
data:
  .dockerconfigjson: eyJhdXRocyI6eyJodHRwczovL215cmVwb3YiOnsiYXV0aCI6ImRtRjFiSFE2YzJWamNtVjBMMlJoZEdFdmRHVnpkQzl0ZVhOeGJDTk5XVk5SVEY5UVFWTlRWMDlTUkE9PSJ9fX0=
```

After mutation: (screenshot of the mutated secret, not reproduced here)
```yaml
# test2.yaml
# Decoded structure of data:
# {
#   "auths": {
#     "https://myrepov": {
#       "auth": {
#         "type": "service_account",
#         "project_id": "fake-project"
#       }
#     }
#   }
# }

apiVersion: v1
kind: Secret
type: kubernetes.io/dockerconfigjson
metadata:
  name: docker-secret
  annotations:
    vault.security.banzaicloud.io/vault-skip-verify: "true"
data:
  .dockerconfigjson: eyJhdXRocyI6eyJodHRwczovL215cmVwb3YiOnsiYXV0aCI6eyJ0eXBlIjoic2VydmljZV9hY2NvdW50IiwicHJvamVjdF9pZCI6ImZha2UtcHJvamVjdCJ9fX19
```

After mutation: (screenshot of the mutated secret, not reproduced here)
```yaml
# test3.yaml
# For this to work, run: vault kv put secret/test/aws AWS_SECRET_ACCESS_KEY=s3cr3t
# Decoded structure:
# {
#   "auths": {
#     "https://myrepov": {
#       "auth": "vault:secret/data/test/aws#AWS_SECRET_ACCESS_KEY"
#     }
#   }
# }

apiVersion: v1
kind: Secret
type: kubernetes.io/dockerconfigjson
metadata:
  name: aws-key-secret
  annotations:
    vault.security.banzaicloud.io/vault-skip-verify: "true"
data:
  .dockerconfigjson: eyJhdXRocyI6eyJodHRwczovL215cmVwb3YiOnsiYXV0aCI6ImRtRjFiSFE2YzJWamNtVjBMMlJoZEdFdmRHVnpkQzloZDNNalFWZFRYMU5GUTFKRlZGOUJRME5GVTFOZlMwVloifX19
```

After mutation: (screenshot of the mutated secret, not reproduced here)

e2e-secret after mutation: (screenshot not reproduced here)

Signed-off-by: Bence Csati <bcsati@cisco.com>
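The description lists three shapes the `auth` key can take once `Auth` is an `interface{}`: the usual base64 `user:password` string, a `_json_key` login (a GCP service-account JSON as the password, or the JSON object placed directly under `auth` as in test2.yaml), and a Vault path placed directly at the auth key. The classifier below is an added Go example written for this page to show how those cases are told apart when decoding a `kubernetes.io/dockerconfigjson` Secret; it is not the webhook's own code, and the type and function names (`dockerAuth`, `classifyAuth`, `ParseDockerConfigJSON`, `EncodeDockerConfigJSON`) are hypothetical. The only input taken from the PR is the `.dockerconfigjson` value of test.yaml; the other samples are constructed inside the block.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// dockerAuth is one entry under "auths" in a .dockerconfigjson. Auth is
// interface{} rather than string so that a JSON object under "auth" (the
// service-account shape of test2.yaml) unmarshals instead of failing.
type dockerAuth struct {
	Auth interface{} `json:"auth,omitempty"`
}

type dockerConfig struct {
	Auths map[string]dockerAuth `json:"auths"`
}

// Credential is the classified result for one registry entry.
type Credential struct {
	Kind     string // "vault-ref", "json-key" or "basic"
	Username string
	Secret   string // vault path, JSON key body, or password
}

// classifyAuth distinguishes the auth shapes discussed in the PR.
// (Hypothetical helper; not the webhook's implementation.)
func classifyAuth(auth interface{}) (Credential, error) {
	switch v := auth.(type) {
	case string:
		// A Vault reference may sit at the auth key as-is ...
		if strings.HasPrefix(v, "vault:") {
			return Credential{Kind: "vault-ref", Secret: v}, nil
		}
		raw, err := base64.StdEncoding.DecodeString(v)
		if err != nil {
			return Credential{}, fmt.Errorf("auth is neither a vault reference nor base64: %w", err)
		}
		decoded := string(raw)
		// ... or base64-encoded, which is what test.yaml above carries.
		if strings.HasPrefix(decoded, "vault:") {
			return Credential{Kind: "vault-ref", Secret: decoded}, nil
		}
		// "user:password". Split on the first ':' only: a _json_key
		// password is a JSON document that itself contains colons.
		parts := strings.SplitN(decoded, ":", 2)
		if len(parts) != 2 {
			return Credential{}, fmt.Errorf("decoded auth lacks a ':' separator")
		}
		if parts[0] == "_json_key" {
			return Credential{Kind: "json-key", Username: parts[0], Secret: parts[1]}, nil
		}
		return Credential{Kind: "basic", Username: parts[0], Secret: parts[1]}, nil
	case map[string]interface{}:
		// Service-account JSON placed directly under "auth" (test2.yaml):
		// re-serialise it as the password of a _json_key login.
		b, err := json.Marshal(v)
		if err != nil {
			return Credential{}, err
		}
		return Credential{Kind: "json-key", Username: "_json_key", Secret: string(b)}, nil
	default:
		return Credential{}, fmt.Errorf("unsupported auth type %T", auth)
	}
}

// ParseDockerConfigJSON takes the base64 value stored under the
// .dockerconfigjson key of the Secret and classifies every registry entry.
func ParseDockerConfigJSON(b64 string) (map[string]Credential, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, fmt.Errorf("decode .dockerconfigjson: %w", err)
	}
	var cfg dockerConfig
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return nil, fmt.Errorf("unmarshal .dockerconfigjson: %w", err)
	}
	out := make(map[string]Credential, len(cfg.Auths))
	for registry, entry := range cfg.Auths {
		cred, err := classifyAuth(entry.Auth)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", registry, err)
		}
		out[registry] = cred
	}
	return out, nil
}

// EncodeDockerConfigJSON builds a Secret value for one registry from a raw
// "auth" value (string or object). Used here only to construct sample input.
func EncodeDockerConfigJSON(registry string, auth interface{}) string {
	b, _ := json.Marshal(map[string]interface{}{
		"auths": map[string]interface{}{registry: map[string]interface{}{"auth": auth}},
	})
	return base64.StdEncoding.EncodeToString(b)
}

// TestYAMLData is the .dockerconfigjson value from test.yaml in the PR description.
const TestYAMLData = "eyJhdXRocyI6eyJodHRwczovL215cmVwb3YiOnsiYXV0aCI6ImRtRjFiSFE2YzJWamNtVjBMMlJoZEdFdmRHVnpkQzl0ZVhOeGJDTk5XVk5SVEY5UVFWTlRWMDlTUkE9PSJ9fX0="

func main() {
	// Constructed samples (not from the PR) next to the PR's test.yaml value.
	samples := map[string]string{
		"test.yaml vault ref": TestYAMLData,
		"_json_key login": EncodeDockerConfigJSON("https://myrepov",
			base64.StdEncoding.EncodeToString([]byte(`_json_key:{"type":"service_account","project_id":"fake-project"}`))),
		"basic user:pass": EncodeDockerConfigJSON("https://myrepov",
			base64.StdEncoding.EncodeToString([]byte("alice:s3cr3t"))),
	}
	for name, data := range samples {
		creds, err := ParseDockerConfigJSON(data)
		if err != nil {
			fmt.Println(name, "error:", err)
			continue
		}
		for reg, c := range creds {
			fmt.Printf("%-20s %s kind=%s user=%q secret=%q\n", name, reg, c.Kind, c.Username, c.Secret)
		}
	}
}
```

The one edge case worth keeping in mind is the split: `docker login -u _json_key` stores `_json_key:<service-account JSON>` base64-encoded, so splitting the decoded string on every `:` would shred the key; `SplitN(..., 2)` keeps the JSON body intact.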
@csatib02 csatib02 added the kind/feature Categorizes issue or PR as related to a new feature. label Jun 11, 2024
@csatib02 csatib02 self-assigned this Jun 11, 2024
@csatib02 csatib02 requested a review from a team as a code owner June 11, 2024 13:27
@github-actions github-actions bot added the size/M Denotes a PR that changes 100-499 lines label Jun 11, 2024
@csatib02 csatib02 removed the request for review from a team June 11, 2024 13:27
@csatib02 csatib02 merged commit 4850584 into main Jun 25, 2024
26 checks passed
@csatib02 csatib02 deleted the feat/support-_json_key-when-mutating-docker-credentials branch June 25, 2024 06:54