-
Notifications
You must be signed in to change notification settings - Fork 486
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: Add support for Azure Key Vault secrets. #3112
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This seems like a reasonably good start.
You should add some tests for this, but I’m not entirely sure how you would do so because the closest analogue to what you’ve implemented is pkg/cmd/awssecretsmanagertemplatefuncs.go
which also does not have tests.
assets/chezmoi.io/docs/user-guide/password-managers/azure-key-vault.md
Outdated
Show resolved
Hide resolved
assets/chezmoi.io/docs/user-guide/password-managers/azure-key-vault.md
Outdated
Show resolved
Hide resolved
I think it's OK to skip tests for this, as the functions are straightforward and it's not easy to mock out the Azure service. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have things that I would like to see, but do not think that we need to have for a first version of this.
I think we can merge this tomorrow afternoon if you don’t make the changes I have suggested for multiple vaults, because there’s nothing wrong with single vault support.
Thanks. Give me until the end of the week to look into the multiple vault support. |
I’ll ping this on Friday afternoon if you haven’t update this before then with the plan of merging it Friday afternoon. If you prefer, we can merge this and add on the multiple vault support later. Like I said, nice (because I’m a bit of a completionist for this sort of thing), but not necessary. |
Could I request a change to the structure? Instead of:
Could you make it: azureKeyVault:
vaults:
- url: https://my-default-key-vault-url/
- name: sekrit_project
url: https://my-sekrit-project-vault-url/
For handling optional arguments to template functions, see for, example how they are handled in the |
Thanks for the input. Will implement like you suggested. |
After implementing the approach discussed I believe there is more elegant way on how to implement this. Note:
An Azure Key Vault comes with a globally unique hostname under the Microsoft owned domain vault.azure.net. The hostname is the name of the resource in the Azure portal and cannot be created if not globally unique. Examples:
This means we have enough with only hostname / vault name to construct the URL. The proposal is using the below structure in the config.
The parameters for the template function would look like this:
Example of different template function implementations.
The If the |
Thank you, your design is excellent. I really like it. The main / test-website check failure is unrelated to this PR. I think it's OK to remove the aliasing functionality as the vault names are short strings and the aliasing can be achieved with other template functions. |
I agree with @twpayne about the aliasing not being necessary since there’s a fixed name. I’ll put some comments in-line that I think could be used to simplify this. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks amazing.
If we drop aliasing, we lose the value of having a list of defined vaults — and that’s OK, because you’ve confirmed that there’s one vault.azure.net
base domain for all instances.
My recommendation is to change the exposed configuration to DefaultVault string
(so azureKeyVault.defaultVault = "my-default-key-vault"
), but mostly keep your azureKeyVault
structure and functions because they do make most of it much easier.
I’m happy to make a follow-on PR if you’re wanting to be done with this originally simple change.
The rational behind the alias was the following assuming you use multiple vaults: Some users do not want to have the real vault name stored in version control and reference the alias defined in the configuration file. Security through obscurity basically. Also trivial, but if you want migrate to another vault and use aliases in all your templates, you only need to change the name in the configuration. But maybe that's just overkill. :) If we decide to drop the aliases we probably also can simplify the structure back to this.
We only have to specify a default and support for another vault would be the second parameter of the template function. My preference is to stick with the layout containing the alias as it leaves more flexibility for later if you need to add an additional option for a specific vault. |
I have no strong feelings either way on this, and your rationale is sound about the flexibility:
If, like with AWS, you are encouraged to have more than one Azure account or profile for separation of concerns, then I could see later adding a configuration option to identify the account or credential identifier. If this is possible, then we should keep the current structure even if we just drop With respect to aliasing, it is possible to do that with azureKeyVault:
defaultVault: my-default-vault
data:
akv:
innocuous: take-over-the-world
This is sort of what I do with some of my secrets, as home/private_dot_config/gh/private_dot_hosts.yml.tmpl shows. |
Please check out the latest commit. The summary is that I basically removed the alias approach and simplified it more based on the provided feedback. I think it's ready to get merged to main now. Thanks for the really good feedback and patience. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is very good and you’ve been quite patient with a picky code review.
I have suggested a couple of small wording changes that aren’t urgent or required, but may improve the documentation / UX.
assets/chezmoi.io/docs/reference/templates/azure-key-vault-functions/azureKeyVault.md
Outdated
Show resolved
Hide resolved
Thank you very much for this excellent code @catay and for the thorough reviews @halostatue! The main / test-website build error is mkdocs/mkdocs#3310 / fralau/mkdocs-mermaid2-plugin#80 and unrelated to this PR. I'll merge this when the remaining checks are complete. |
Thanks. I just pushed a PR for the workflow fix but it seems you beat me to it :) |
@catay I’m not sure what the "This branch cannot be rebased due to too many changes", but I suspect that if you were to rebase this and squash the various commits together, we can have one good commit that can be merged/rebase-merged cleanly. |
OK, #3120 is now merged. Would you mind rebasing on the latest |
Rebase branch on master done. |
No description provided.