Support GCP KMS credentials using decryption secretRef #635
Conversation
somtochiama
force-pushed
the
gcp-kms-cred
branch
from
f62a25e to
abb843b
Compare
internal/sops/keyservice/server.go
Outdated
| @@ -106,6 +111,16 @@ func (ks Server) Encrypt(ctx context.Context, req *keyservice.EncryptRequest) (* | |||
| Ciphertext: ciphertext, | |||
| }, nil | |||
| } | |||
| case *keyservice.Key_GcpKmsKey: | |||
| if ks.gcpCredsJSON != nil { | |||
There was a problem hiding this comment.
Instead of making the credentials optional, I would opt for making the credentials optional for the client within the key. Falling back to defaults (without credentials) there.
In retrospect, that would also have been better for the others that are currently falling back, as SOPS is slow in client updates which we already control.
| })) | ||
| } | ||
|
|
||
| func TestMasterKey_createCloudKMSService(t *testing.T) { |
There was a problem hiding this comment.
You can quite easily mock the Google Cloud API for testing purposes to add further tests, this is also done in the source-controller.
hiddeco
added
enhancement
hiddeco
changed the title
hiddeco
changed the title
|
@somtochiama just wanted to let you know that this is in my queue to get reviewed. But given it would require a minor bump, I am giving priority to some things that can end up patches first. Will get to this on Thursday, hopefully :-) |
There was a problem hiding this comment.
Please explain in the API docs how users can setup static credentials for GCP https://github.com/fluxcd/kustomize-controller/blob/main/docs/spec/v1beta2/kustomization.md#decryption-secret-reference
somtochiama
force-pushed
the
gcp-kms-cred
branch
3 times, most recently
from
f305cab to
73ceb26
Compare
|
@somtochiama please rebase |
hiddeco
force-pushed
the
gcp-kms-cred
branch
2 times, most recently
from
5de2996 to
106aae7
Compare
somtochiama
force-pushed
the
gcp-kms-cred
branch
2 times, most recently
from
cabfae0 to
d4e3cd2
Compare
hiddeco
force-pushed
the
gcp-kms-cred
branch
4 times, most recently
from
eca5359 to
ffeca02
Compare
This adds a SOPS GCP KMS key source which makes use of the latest GCP client, and supports both injection of master key credentials and a default client making use of environmental runtime values. The implementation fully replaces SOPS', and is covered with compatability tests. Signed-off-by: Somtochi Onyekwere <somtochionyekwere@gmail.com>
This temporarily disables the integration tests as we are waiting for the CNCF to provide us with GCP credits. Signed-off-by: Hidde Beydals <hello@hidde.co>
There was a problem hiding this comment.
LGTM. Thanks a lot for following up on the SDK change and tests @somtochiama 🥇
This pull request adds support for specifying the credentials for authenticating to GCP KMS with the decryption secret.
GCP KMS credentials should be provided under
sops.gcp-kmsFix: #360
Ref: #324