[quorum] integrate aws secrets manager #2623
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
saurabhkumarkardam
requested review from
sownak,
suvajit-sarkar and
adityajoshi12
as code owners
sownak
reviewed
Sep 18, 2024
platforms/quorum/charts/quorum-genesis/templates/genesis-job-init.yaml
Outdated
Show resolved
Hide resolved
sownak
requested changes
Sep 18, 2024
|
The keys will conflict if same platforms are deployed using the same secret manager region. See if the keys can be made unique using the namespace |
saurabhkumarkardam
force-pushed
the
quorum-2200
branch
from
9e3e8f1
to
b315d2b
Compare
This PR will allow the use of the AWS service called Secrets Manager to store sensitive information, similar to how we use HashiCorp Vault for the same purpose. - A guide named "integrate-aws-secrets-manager-with-eks.md" has been introduced to help users securely connect their EKS cluster with Secrets Manager using OIDC. - The Quorum master README has been updated to guide users on how to deploy a network with AWS Secrets Manager. - A Python script has been added that contains the CRUD operation code for AWS Secrets Manager, injecting the script into the container via ConfigMap. - The Quorum Genesis and Node charts code have been updated to support Secrets Manager. fixes hyperledger#2200 Signed-off-by: saurabhkumarkardam <[email protected]>
saurabhkumarkardam
force-pushed
the
quorum-2200
branch
from
b315d2b
to
909e108
Compare
sownak
requested changes
Sep 20, 2024
| @@ -31,12 +31,23 @@ spec: | |||
| image: {{ .Values.image.hooks.repository }}:{{ .Values.image.hooks.tag }} | |||
| securityContext: | |||
| runAsUser: 0 | |||
| {{- if eq .Values.global.vault.type "hashicorp" }} | |||
| {{- if or (eq .Values.global.vault.type "hashicorp") (and (.Values.global.cluster.cloudNativeServices) (eq .Values.global.cluster.provider "aws")) }} | |||
There was a problem hiding this comment.
Conditions are too complex.
- check first if cloudNativeServices = true, then check if provider = aws or azure etc
- If cloudNativeServices = false, only the vault.type = hashicorp or Kubernetes
- There cannot be a situation where cloudNativeServices=true and vault.type=hashicorp, if cloudNativeServices = true, vault.type is ignored. Add all cloud KMS related keys under global.cluster itself
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Commit to be reviewed
feat(quorum): integrate aws secrets manager
fixes #2200