
Support excluding _raw from the destination #546

Merged: benashz merged 60 commits into main from VAULT-21377/make-raw-data-optional on Feb 7, 2024

Conversation

benashz (Collaborator) commented Jan 10, 2024

Add new transformation configurable excludeRaw to all syncable secret CRDs which controls whether or not the _raw secret data is included in the destination secret.

Example:

spec:
  destination:
    transformation:
      excludeRaw: true

Adds a new command-line flag, -global-transformation-options, that takes a comma delimited set of options that provide control over global rendering options. The only option is exclude-raw.

  -global-transformation-options string
        Set global rendering options as a comma delimited string. Valid values are: [exclude-raw]

The global rendering options can also be set from Helm chart values:

--set 'controller.manager.globalTransformationOptions.excludeRaw'

Closes #424
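As an added illustration of the two settings described above (a sketch written for this page, not VSO's own code): parsing the -global-transformation-options value and leaving _raw out of the destination Secret data when either the global flag or the CR's spec.destination.transformation.excludeRaw is set. The Vault response shape, the flattening and the precedence (either setting excludes) are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// GlobalTransformationOptions models the controller-wide -global-transformation-options
// flag from the PR; exclude-raw is its only documented value. Constructed example.
type GlobalTransformationOptions struct {
	ExcludeRaw bool
}

// ParseGlobalTransformationOptions parses the comma-delimited flag value and rejects any
// unknown option, so a typo fails at startup instead of silently keeping _raw everywhere.
func ParseGlobalTransformationOptions(s string) (GlobalTransformationOptions, error) {
	var opts GlobalTransformationOptions
	for _, o := range strings.Split(s, ",") {
		switch strings.TrimSpace(o) {
		case "":
		case "exclude-raw":
			opts.ExcludeRaw = true
		default:
			return opts, fmt.Errorf("invalid option %q, valid values are: [exclude-raw]", o)
		}
	}
	return opts, nil
}

// BuildDestinationData flattens the "data" map of a (constructed) Vault response into Secret
// data and adds _raw, the whole response JSON-encoded, unless excluded globally or by the CR.
func BuildDestinationData(resp map[string]any, global GlobalTransformationOptions, crExcludeRaw bool) (map[string][]byte, error) {
	data := map[string][]byte{}
	if fields, ok := resp["data"].(map[string]any); ok {
		for k, v := range fields {
			data[k] = []byte(fmt.Sprint(v))
		}
	}
	if global.ExcludeRaw || crExcludeRaw {
		return data, nil
	}
	raw, err := json.Marshal(resp)
	if err != nil {
		return nil, err
	}
	data["_raw"] = raw // a second copy of every field plus lease/metadata
	return data, nil
}
```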

Extends VSO to support configuring Go templates that will be rendered to
the K8s Secret data. Template specs can be configured directly in a
syncable secret custom resource, or can be shared via references to
external ConfigMap resources. Templates can be composed of other
templates, and optionally rendered as a K8s Secret data value. The
rendered template name is used as the key to the rendered data.

Templating support also includes a large subset of the hermetic Sprig
text functions that can be used to handle various encoding/decoding
tasks, map manipulations, etc.

In addition to template support, it is now possible to filter top level
secret data fields based on include/exclude regex patterns. Filters can
be used in conjunction with templating, and are meant to augment the
overall templating experience. Template fields are not considered during
field filtering.

Contains all Secret data transformation configuration.
- update the demo to include templated values
- other fixes etc...

Add first class SecretTransformation CRD and controller

Drop support for getting shared template/tranformation bits from a
ConfigMap.
@benashz benashz added this to the v0.5.0 milestone Jan 10, 2024
rgarcia89 commented

Are there any negative implications with the exclude? If not, I wonder why the exclusion is not set to true by default.

benashz (Collaborator, Author) commented Jan 11, 2024

Are there any negative implications with the exclude? If not, I wonder why the exclusion is not set to true by default.

@rgarcia89 not for VSO per se but there could be for any user that is currently relying on this feature. I can see how having to configure this on all CRs could be burdensome, so it is probably worth making the feature opt-in somehow.

rgarcia89 commented Jan 11, 2024

In that case it would be more attractive to make the default parameter configurable. Like the defaultAuthMethod for example.

@benashz benashz force-pushed the VAULT-21377/make-raw-data-optional branch from 1434971 to 3292648 Compare January 11, 2024 20:05
benashz (Collaborator, Author) commented Jan 11, 2024

In that case it would be more attractive to make the default parameter configurable. Like the defaultAuthMethod for example.

@rgarcia89 made this a command line configurable as well. See the updated description for more details.

@benashz benashz force-pushed the VAULT-21377/make-raw-data-optional branch from 3292648 to b2c9ac7 Compare January 11, 2024 20:16
@benashz benashz linked an issue Jan 30, 2024 that may be closed by this pull request
@benashz benashz force-pushed the VAULT-21377/make-raw-data-optional branch from 7bbb2d2 to d6fbc79 Compare January 31, 2024 20:22
benashz and others added 3 commits January 31, 2024 15:24
Fixes:
- properly set the SyncableSecretMetaData.Name from ObjectMeta
- add tests for NewSyncableSecretMetaData()
@benashz benashz marked this pull request as ready for review February 1, 2024 21:28
@benashz benashz requested a review from a team as a code owner February 1, 2024 21:28
Review threads on docs/api/api-reference.md and internal/helpers/template.go (outdated, resolved)
Factors out RenderOptionExcludeRaw global var to
GlobalTransformationOption struct.
@benashz benashz force-pushed the VAULT-21377/make-raw-data-optional branch from e2c5d32 to 8f2fa91 Compare February 2, 2024 19:14
@benashz benashz requested a review from tomhjp February 2, 2024 19:15
Base automatically changed from VAULT-21159/add-support-for-secret-data-templating to main February 7, 2024 19:42
@benashz benashz merged commit 1f6b2da into main Feb 7, 2024
43 checks passed
@benashz benashz deleted the VAULT-21377/make-raw-data-optional branch February 7, 2024 21:00
kishoregv pushed a commit to kishoregv/vault-secrets-operator that referenced this pull request Feb 12, 2024
Development

Successfully merging this pull request may close these issues.

Make _raw data in Kubernetes Secrets optional
3 participants