Secrets #3

Merged
merged 67 commits into from
Feb 22, 2024
Changes from 65 commits
Commits
67 commits
c5f9bfc
Add flake
Reasonable-Solutions Jan 15, 2024
bdf1896
wip add a little data model for secrets
Reasonable-Solutions Jan 15, 2024
6af94de
stub out client
Reasonable-Solutions Jan 15, 2024
987886c
Secrets: Add graphql schema
Reasonable-Solutions Jan 15, 2024
bc442b2
secret: generate
Reasonable-Solutions Jan 15, 2024
67beb52
secrets: Generate with input types
Reasonable-Solutions Jan 15, 2024
0267104
secrets: use input types!
Reasonable-Solutions Jan 15, 2024
7ef8daa
secrets: Add a client for getting lists of secrets
Reasonable-Solutions Jan 15, 2024
dda9259
secrets: correct signatures for mutations, add some todos
tronghn Jan 16, 2024
fa79204
secrets: naive implementation of k8s client
tronghn Jan 16, 2024
527eaf7
secrets: initial implementation of resolvers
tronghn Jan 16, 2024
d680ac9
secrets: add fake secret data to k8s
tronghn Jan 16, 2024
033d734
secrets: static secrets and hardcoded user
tronghn Jan 16, 2024
5d4bdc1
secrets: fake resolver on a per-environment basis
Reasonable-Solutions Jan 17, 2024
c03f499
secrets: Make fake data more better
Reasonable-Solutions Jan 17, 2024
59466fe
Secrets: Remember to start the informer for secrets
Reasonable-Solutions Jan 17, 2024
98d6b60
Secrets: Use informer
Reasonable-Solutions Jan 17, 2024
3acbd27
Secrets: cant unstructured to secretsv1
Reasonable-Solutions Jan 17, 2024
e604300
secrets: hack for fake secret, begin implementing delete
tronghn Jan 17, 2024
49d7f60
Secrets: resolve some todos!
Reasonable-Solutions Jan 17, 2024
efd0865
secrets: use built-in cmp for sort, safe access for informers/cliense…
tronghn Jan 18, 2024
9fb361d
Secrets: Make save go
Reasonable-Solutions Jan 18, 2024
75b5393
Secrets: Add impersonation
Reasonable-Solutions Jan 22, 2024
08b9065
Secrets: Add secrets to app
Reasonable-Solutions Jan 22, 2024
bea4a21
Secrets: Add secret fields to local apps
Reasonable-Solutions Jan 23, 2024
32935b5
Secrets: Add secrets to app model as a []string
Reasonable-Solutions Jan 23, 2024
4797013
Secrets: Add reverse lookups for apps for secrets
Reasonable-Solutions Jan 23, 2024
e847af9
secrets: read the whole secret
tronghn Jan 24, 2024
0d5c872
auth/iap: revert workaround
tronghn Jan 24, 2024
8a88e39
secrets: preserve existing annotations/labels
tronghn Jan 24, 2024
216281b
secrets: filter out irrelevant secrets
tronghn Jan 24, 2024
c23f1be
secrets: correct filter
tronghn Jan 24, 2024
9b9a273
secrets: todos for authz
tronghn Jan 24, 2024
94f6e93
Secrets: Look up groups for users for impersonation
Reasonable-Solutions Jan 24, 2024
525c691
Secrets: A helpful comment about local dev
Reasonable-Solutions Jan 24, 2024
b1728bd
secrets: add some todos
tronghn Jan 25, 2024
0a23096
database: extract paginated variants for GetUserTeams
tronghn Jan 25, 2024
1df4f97
secrets: simplify team filtering for impersonation client
tronghn Jan 25, 2024
78bca53
secrets: verify actor team role for resolvers
tronghn Jan 25, 2024
e265b01
secrets: refactoring, overwrite annotations/labels instead
tronghn Jan 26, 2024
5d78135
secrets: check management status for update and delete
tronghn Jan 26, 2024
9822bca
secrets: todos for validation
tronghn Jan 26, 2024
34c1eef
Secrets: Add custom errors for Secrets handling
Reasonable-Solutions Jan 26, 2024
4f376c0
Secrets: Add errors for key and secret name validation
Reasonable-Solutions Jan 26, 2024
d1c6fa8
Secrets: Implement endpoint for Get Secret name team env
Reasonable-Solutions Jan 26, 2024
eea2f67
secrets: extract data validation
tronghn Jan 30, 2024
5ae79ab
secrets: improve error message for invalid name
tronghn Jan 30, 2024
4baf359
Secrets: add more toolchain
Reasonable-Solutions Jan 31, 2024
2ece4b8
secrets: rename sqlc imports, get group email directly from team
tronghn Jan 31, 2024
579f0ac
secrets: correct validation for data keys
tronghn Jan 31, 2024
df5c723
authz: refactor team membership check
tronghn Feb 1, 2024
f72c5dc
style: address nitpicks
tronghn Feb 2, 2024
343a881
k8s: explicit nil check for group email
tronghn Feb 2, 2024
b5c5f5b
secrets: simplify append, deduplicate nil check
tronghn Feb 2, 2024
3118514
secrets: wip graphql query/types
tronghn Feb 5, 2024
27e9352
Secrets: move graph nodes around
Reasonable-Solutions Feb 5, 2024
0a6fdf5
secrets: return correct secrets for secrets field in apps
tronghn Feb 6, 2024
0727dc9
secrets: correct field name for input tuple
tronghn Feb 6, 2024
1be016c
secrets: return some metadata for secret, add reloader annotation
tronghn Feb 8, 2024
ed3a644
local: add data for devteam
tronghn Feb 9, 2024
8fd377e
secrets: add team field to type, refactor apps field resolver
tronghn Feb 9, 2024
bf81a09
secrets: return flat list instead of grouping by environment
tronghn Feb 12, 2024
e5b3bd1
move flake to .configs
Reasonable-Solutions Feb 15, 2024
8b31120
secrets: rename SecretTupleInput to VariableInput
tronghn Feb 21, 2024
de5b8ef
all: generate
tronghn Feb 21, 2024
ebae003
add .envrc to .gitignore
tronghn Feb 21, 2024
2ef3098
secrets: address feedback from review
tronghn Feb 21, 2024
27 changes: 27 additions & 0 deletions .configs/flake.lock

36 changes: 36 additions & 0 deletions .configs/flake.nix
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
{
description = "Example Go development environment for Zero to Nix";

# Flake inputs
inputs = { nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable"; };

# Flake outputs
outputs = { self, nixpkgs }:
let
# Systems supported
allSystems = [
"x86_64-linux" # 64-bit Intel/AMD Linux
"aarch64-linux" # 64-bit ARM Linux
"x86_64-darwin" # 64-bit Intel macOS
"aarch64-darwin" # 64-bit ARM macOS
];

# Helper to provide system-specific attributes
forAllSystems = f:
nixpkgs.lib.genAttrs allSystems
(system: f { pkgs = import nixpkgs { inherit system; }; });
in {
# Development environment output
devShells = forAllSystems ({ pkgs }: {
default = pkgs.mkShell {
# The Nix packages provided in the environment
packages = with pkgs; [
go
gotools # Go tools like goimports, godoc, and others
gopls
asdf
];
};
});
};
}
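Review bot: the `description` on the first added line still carries the Zero to Nix tutorial wording ("Example Go development environment for Zero to Nix"); it should name this project. Listing `asdf` next to the Nix-provided `go`, `gotools` and `gopls` puts two toolchain managers in one dev shell, so which `go` wins on `PATH` depends on shell ordering; either drop `asdf` or add a comment on what it is still needed for.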
1 change: 1 addition & 0 deletions .envrc
@@ -0,0 +1 @@
use flake .configs/
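Review bot: `.envrc` is added here as a tracked file, but commit ebae003 in this same PR ("add .envrc to .gitignore") ignores it, so the two cannot both be intended. If the direnv hook is meant to be shared, remove it from `.gitignore`; if it is meant to stay local, drop this file and document `use flake .configs/` in the README instead.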
77 changes: 77 additions & 0 deletions data/k8s/dev/devteam/deploy-canary.yaml
Expand Up @@ -13,6 +13,83 @@ metadata:
resourceVersion: "3701834314"
uid: 91ba6c9d-0199-4123-aff6-aa27ce5d2056
spec:
envFrom:
- secret: my-secret
- secret: other-secret
- configMap: my-config-map
filesFrom:
- secret: my-secret
mountPath: /var/secret
env:
- name: DEPLOY_START
value: "1704981602000000000"
image: ghcr.io/nais/testapp/testapp:2020-02-25-f61e7b7
liveness:
path: /ping
port: 8080
prometheus:
enabled: true
path: /metrics
readiness:
path: /ping
replicas:
max: 1
min: 1
resources:
limits:
cpu: 250m
memory: 256Mi
requests:
cpu: 100m
memory: 128Mi
skipCaBundle: true
status:
conditions:
- lastTransitionTime: "2024-01-11T14:00:04Z"
message: complete
reason: RolloutComplete
status: "True"
type: Ready
- lastTransitionTime: "2024-01-11T14:00:04Z"
message: complete
reason: RolloutComplete
status: "False"
type: Stalled
- lastTransitionTime: "2024-01-11T14:00:04Z"
message: complete
reason: RolloutComplete
status: "False"
type: Reconciling
correlationID: f8c04f82-6a84-4a8e-9f8b-563b5894d0cf
deploymentRolloutStatus: complete
rolloutCompleteTime: 1704981612597504354
synchronizationHash: 7fc5fa83f2ae4eaa
synchronizationState: RolloutComplete
synchronizationTime: 1704981603962494011
---
apiVersion: nais.io/v1alpha1
kind: Application
metadata:
annotations:
deploy.nais.io/client-version: 2023-01-23-7071cd7
nais.io/deploymentCorrelationID: f8c04f82-6a84-4a8e-9f8b-563b5894d0cf
nais.io/skipDeploymentMessage: "true"
creationTimestamp: "2023-01-20T10:51:47Z"
finalizers:
- naiserator.nais.io/finalizer
generation: 407981
name: nais-deploy-chicken
resourceVersion: "3701834314"
uid: 91ba6c9d-0199-4123-aff6-aa27ce5d2056
spec:
envFrom:
- secret: my-secret
- secret: other-secret
- configMap: my-config-map

filesFrom:
- secret: my-secret
mountPath: /var/secret
env:
- name: DEPLOY_START
value: "1704981602000000000"
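Review bot: the second YAML document appended at the end of the hunk (from the `---` after `synchronizationTime`) is a full copy of the same `Application`, with the same `name: nais-deploy-chicken`, `uid` and `resourceVersion` as the object above it, so the fixture file now declares one object twice and whichever document is loaded last silently wins. If a second app fixture is wanted, give it a distinct name and uid; otherwise drop the copy. The stray blank line between the `envFrom` list and `filesFrom` in that second document also differs from the first one.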
42 changes: 42 additions & 0 deletions data/k8s/dev/devteam/secrets.yaml
@@ -0,0 +1,42 @@
---
apiVersion: v1
data:
foo: YmFyCg==
bar: YmFyCg==
kind: Secret
metadata:
annotations:
foo: bar
bar: baz
console.nais.io/last-modified-at: "2021-01-01T00:00:00Z"
console.nais.io/last-modified-by: "[email protected]"
labels:
nais.io/managed-by: console
foo: bar
bar: baz
name: my-secret
type: Opaque
---
apiVersion: v1
data:
foo: YmFyCg==
bar: YmFyCg==
kind: Secret
metadata:
annotations:
hunter2.nais.io/last-modified: "2021-01-01T00:00:00Z"
hunter2.nais.io/last-modified-by: "[email protected]"
hunter2.nais.io/secret-version: "1"
labels:
nais.io/created-by: hunter2
name: my-secret-hunter2
type: Opaque
---
apiVersion: v1
data:
foo: YmFyCg==
bar: YmFyCg==
kind: Secret
metadata:
name: my-kubectl-secret
type: Opaque
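Review bot: every `data` value is `YmFyCg==`, which is base64 for `bar` followed by a newline (the `echo bar | base64` pitfall), so any resolver that decodes this fixture will hand back `"bar\n"`; use `YmFy` unless the trailing newline is deliberately under test. The three documents look like they exercise distinct filter cases (console-managed via `nais.io/managed-by: console`, hunter2-created via `nais.io/created-by: hunter2`, and a plain secret with no labels at all), and a one-line comment per document naming its case would make that intent clear. Note also that the devteam `deploy-canary.yaml` in this PR references `other-secret` and `my-config-map`, neither of which any fixture in this PR defines.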
11 changes: 11 additions & 0 deletions data/k8s/dev/devteam/topic.yaml
@@ -0,0 +1,11 @@
---
apiVersion: kafka.nais.io/v1
kind: Topic
metadata:
name: aura
spec:
acl:
- access: read
team: aura
application: aura
pool: aiven
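Review bot: this `Topic` fixture lives under `data/k8s/dev/devteam/` but grants `team: aura` / `application: aura`, and nothing in a secrets PR appears to consume it; either align the team with the directory and say what the fixture is for, or move it to its own change.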
78 changes: 78 additions & 0 deletions data/k8s/dev/nais/deploy-canary.yaml
Expand Up @@ -13,6 +13,84 @@ metadata:
resourceVersion: "3701834314"
uid: 91ba6c9d-0199-4123-aff6-aa27ce5d2056
spec:
envFrom:
- secret: my-secret
- secret: other-secret
- configMap: my-config-map

filesFrom:
- secret: my-secret
mountPath: /var/secret
env:
- name: DEPLOY_START
value: "1704981602000000000"
image: ghcr.io/nais/testapp/testapp:2020-02-25-f61e7b7
liveness:
path: /ping
port: 8080
prometheus:
enabled: true
path: /metrics
readiness:
path: /ping
replicas:
max: 1
min: 1
resources:
limits:
cpu: 250m
memory: 256Mi
requests:
cpu: 100m
memory: 128Mi
skipCaBundle: true
status:
conditions:
- lastTransitionTime: "2024-01-11T14:00:04Z"
message: complete
reason: RolloutComplete
status: "True"
type: Ready
- lastTransitionTime: "2024-01-11T14:00:04Z"
message: complete
reason: RolloutComplete
status: "False"
type: Stalled
- lastTransitionTime: "2024-01-11T14:00:04Z"
message: complete
reason: RolloutComplete
status: "False"
type: Reconciling
correlationID: f8c04f82-6a84-4a8e-9f8b-563b5894d0cf
deploymentRolloutStatus: complete
rolloutCompleteTime: 1704981612597504354
synchronizationHash: 7fc5fa83f2ae4eaa
synchronizationState: RolloutComplete
synchronizationTime: 1704981603962494011
---
apiVersion: nais.io/v1alpha1
kind: Application
metadata:
annotations:
deploy.nais.io/client-version: 2023-01-23-7071cd7
nais.io/deploymentCorrelationID: f8c04f82-6a84-4a8e-9f8b-563b5894d0cf
nais.io/skipDeploymentMessage: "true"
creationTimestamp: "2023-01-20T10:51:47Z"
finalizers:
- naiserator.nais.io/finalizer
generation: 407981
name: nais-deploy-chicken
resourceVersion: "3701834314"
uid: 91ba6c9d-0199-4123-aff6-aa27ce5d2056
spec:
envFrom:
- secret: my-secret
- secret: other-secret
- configMap: my-config-map

filesFrom:
- secret: my-secret
mountPath: /var/secret
env:
- name: DEPLOY_START
value: "1704981602000000000"
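Review bot: as in the devteam fixture, the `---` document appended at the end duplicates the `nais-deploy-chicken` `Application` above it with the same `uid` and `resourceVersion`, so this file declares one object twice; rename the copy or drop it. The blank line between the `envFrom` list and `filesFrom` appears in both documents here, which is harmless YAML but inconsistent with the devteam file.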
42 changes: 42 additions & 0 deletions data/k8s/dev/nais/secrets.yaml
@@ -0,0 +1,42 @@
---
apiVersion: v1
data:
foo: YmFyCg==
bar: YmFyCg==
kind: Secret
metadata:
annotations:
foo: bar
bar: baz
console.nais.io/last-modified-at: "2021-01-01T00:00:00Z"
console.nais.io/last-modified-by: "[email protected]"
labels:
nais.io/managed-by: console
foo: bar
bar: baz
name: my-secret
type: Opaque
---
apiVersion: v1
data:
foo: YmFyCg==
bar: YmFyCg==
kind: Secret
metadata:
annotations:
hunter2.nais.io/last-modified: "2021-01-01T00:00:00Z"
hunter2.nais.io/last-modified-by: "[email protected]"
hunter2.nais.io/secret-version: "1"
labels:
nais.io/created-by: hunter2
name: my-secret-hunter2
type: Opaque
---
apiVersion: v1
data:
foo: YmFyCg==
bar: YmFyCg==
kind: Secret
metadata:
name: my-kubectl-secret
type: Opaque
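Review bot: this file is identical to the devteam `secrets.yaml`, so the same `YmFyCg==` trailing-newline values and the same missing `other-secret` (referenced by the nais `deploy-canary.yaml` in this PR) apply here. If the two namespaces really need identical fixtures, a comment pointing at the devteam copy would stop them drifting apart.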
3 changes: 3 additions & 0 deletions data/k8s/superprod/nais/deploy-canary.yaml
Expand Up @@ -13,6 +13,9 @@ metadata:
resourceVersion: "3701834314"
uid: 91ba6c9d-0199-4123-aff6-aa27ce5d2056
spec:
envFrom:
- secret: my-secret
- secret: other-secret
env:
- name: DEPLOY_START
value: "1704981602000000000"
42 changes: 42 additions & 0 deletions data/k8s/superprod/nais/secrets.yaml
@@ -0,0 +1,42 @@
apiVersion: v1
data:
foo: YmFyCg==
bar: YmFyCg==
kind: Secret
metadata:
annotations:
console.nais.io/last-modified-at: "2024-01-13T13:37:00Z"
console.nais.io/last-modified-by: "[email protected]"
labels:
nais.io/managed-by: console
name: my-secret
type: Opaque
---
apiVersion: v1
data:
foo: YmFyCg==
bar: YmFyCg==
kind: Secret
metadata:
annotations:
console.nais.io/last-modified-at: "2024-02-01T09:13:00Z"
console.nais.io/last-modified-by: "[email protected]"
labels:
nais.io/managed-by: console
name: my-other-secret
type: Opaque
---
apiVersion: v1
data:
foo: YmFyCg==
bar: YmFyCg==
kind: Secret
metadata:
annotations:
console.nais.io/last-modified-at: "2024-02-01T12:59:59Z"
console.nais.io/last-modified-by: "[email protected]"
labels:
nais.io/managed-by: console
name: other-secret
type: Opaque
---
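Review bot: the file ends with a bare `---` after the last document, which leaves an empty trailing document that some multi-document decoders surface as an empty object; drop it, and for consistency start the file with `---` like the other secrets fixtures rather than ending with one. The `last-modified-at` timestamps here are 2024 dates while the dev fixtures use 2021, which is fine but worth remembering if any test orders secrets by modification time.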