Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: add vault-kv relation #30

Merged
merged 14 commits into from
Sep 28, 2023
Merged

feat: add vault-kv relation #30

merged 14 commits into from
Sep 28, 2023

Conversation

gboutry
Copy link
Contributor

@gboutry gboutry commented Aug 21, 2023
edited
Loading

Description

This PR introduces the Vault-kv relation to vault-k8s.

The vault-kv interface can be discussed here

This interface is a port from the machine charm interface with some note worthy differences:

  • Secret role id is no longer access by the requirer through a wrapped token
  • The provider side shall fill in the vault_url in the app databag
  • isolated is not allowed anymore as this concept is not really translatable to k8s charms

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have made corresponding changes to the documentation
  • I have added tests that validate the behaviour of the software
  • I validated that new and existing unit tests pass locally with my changes
  • Any dependent changes have been merged and published in downstream modules

@gboutry gboutry requested a review from a team as a code owner August 21, 2023 13:17
gruyaume
gruyaume requested changes Aug 21, 2023
View reviewed changes
Copy link
Collaborator

@gruyaume gruyaume left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Got a couple of comments + let's make sure we review/merge the charm-relation-interfaces pr before this one

lib/charms/vault_k8s/v0/vault_kv.py Outdated Show resolved Hide resolved
tests/unit/test_charm.py Outdated Show resolved Hide resolved
tests/unit/test_charm.py Show resolved Hide resolved
lib/charms/vault_k8s/v0/vault_kv.py Outdated Show resolved Hide resolved
lib/charms/vault_k8s/v0/vault_kv.py Outdated Show resolved Hide resolved
lib/charms/vault_k8s/v0/vault_kv.py Outdated Show resolved Hide resolved
lib/charms/vault_k8s/v0/vault_kv.py Outdated Show resolved Hide resolved
lib/charms/vault_k8s/v0/vault_kv.py Outdated Show resolved Hide resolved
@gboutry gboutry marked this pull request as draft August 22, 2023 13:01
@gboutry
Copy link
Contributor Author

gboutry commented Aug 22, 2023

Convert to draft to make sure interface PR is merged first

ghislainbourgeois
ghislainbourgeois requested changes Aug 24, 2023
View reviewed changes
lib/charms/vault_k8s/v0/vault_kv.py Outdated Show resolved Hide resolved
lib/charms/vault_k8s/v0/vault_kv.py Outdated Show resolved Hide resolved
lib/charms/vault_k8s/v0/vault_kv.py Outdated Show resolved Hide resolved
src/charm.py Outdated Show resolved Hide resolved
@gboutry gboutry force-pushed the feat/secrets-backend branch from 72e5bb0 to 5d2f301 Compare August 25, 2023 08:34
@gboutry
Copy link
Contributor Author

gboutry commented Aug 25, 2023

Force push is only rebasing on main, with no noticeable change (except the part on vault SVC to align with main).

Will now take into account the comments on interface, and on this pull request. Thank you for all your feedback.

gboutry
gboutry commented Aug 25, 2023
View reviewed changes
src/vault.py Show resolved Hide resolved
@gboutry gboutry force-pushed the feat/secrets-backend branch from 1dd11d0 to c0c0c4b Compare September 15, 2023 16:16
@gboutry
Copy link
Contributor Author

gboutry commented Sep 15, 2023

Still WIP, mainly a rebase over main branch + integration of charm-relation-interface

@gboutry gboutry force-pushed the feat/secrets-backend branch from c0c0c4b to 02f6a59 Compare September 15, 2023 16:17
@gboutry gboutry changed the title feat: add secrets backend relation feat: add vault-kv relation Sep 15, 2023
@gboutry gboutry force-pushed the feat/secrets-backend branch from 02f6a59 to 755a2c1 Compare September 20, 2023 13:51
@gboutry
[Feat] Implement vault-kv relation
3a4d31f
@gboutry
[Feat] Add ca_certificate to vault-kv relation
c564d67
@gboutry
[Fix] Store vault kv secret ids in peer relationship
6ca9c1a 
Getting a secret by label only returns the short form of a secret id
(without the model's UUID), which is fine when the two applications are
inside the same model, but leads to error when in different models.

Creating a secret always returns the long form of a secret id,
therefore, storing the secret id in the peer relationship with key:
label, value: secret id, to ensure long form of secret id.
@gboutry gboutry force-pushed the feat/secrets-backend branch from 755a2c1 to 6ca9c1a Compare September 20, 2023 13:52
@gboutry
Copy link
Contributor Author

gboutry commented Sep 20, 2023

Rebase on main to get Ingress address into vault server's certificate.

Adding ca_certificate as relation data, cf: canonical/charm-relation-interfaces#105

Storing secret ids in peer relationship because getting secret by label only lead you (after a grant) to get a secret id in short form, which does not work over CMRs

@gboutry gboutry force-pushed the feat/secrets-backend branch from c1ca4e1 to ca40902 Compare September 21, 2023 13:22
@gboutry gboutry marked this pull request as ready for review September 21, 2023 14:54
gruyaume
gruyaume requested changes Sep 21, 2023
View reviewed changes
src/charm.py Outdated Show resolved Hide resolved
src/charm.py Outdated Show resolved Hide resolved
src/charm.py Show resolved Hide resolved
src/vault.py Outdated Show resolved Hide resolved
@gboutry
[Fix] Only enable approle if needed
2207c97 
Only enable the approle auth method if at least one vault-kv relation
was created.
@gboutry
[Fix] Improve logging and policy application
df0e267 
Remove any modification to unit status from the kv handler, replaced by
logging calls.
Move KV policy to dedicated file.
@gboutry gboutry force-pushed the feat/secrets-backend branch from af3b700 to df0e267 Compare September 22, 2023 09:21
gruyaume
gruyaume requested changes Sep 25, 2023
View reviewed changes
Copy link
Collaborator

@gruyaume gruyaume left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall looks good, got a couple more comments though. Feels like we're almost there :)

lib/charms/vault_k8s/v0/vault_kv.py Show resolved Hide resolved
lib/charms/vault_k8s/v0/vault_kv.py Show resolved Hide resolved
lib/charms/vault_k8s/v0/vault_kv.py Show resolved Hide resolved
lib/charms/vault_k8s/v0/vault_kv.py Outdated Show resolved Hide resolved
lib/charms/vault_k8s/v0/vault_kv.py Outdated Show resolved Hide resolved
lib/charms/vault_k8s/v0/vault_kv.py Outdated Show resolved Hide resolved
lib/charms/vault_k8s/v0/vault_kv.py Outdated Show resolved Hide resolved
tests/unit/test_charm.py Outdated Show resolved Hide resolved
@gboutry
[Fix] Implement schema validation with pydantic
7a4fc9d 
Use schema defined in charm-relation-interface/vault-kv to validate
schema.

Rename property-like methods on Requirer object to getters.
@gboutry gboutry force-pushed the feat/secrets-backend branch from a10cbfd to 7a4fc9d Compare September 25, 2023 16:26
@gboutry gboutry force-pushed the feat/secrets-backend branch from 7aa4342 to 33c6019 Compare September 26, 2023 07:23
gruyaume
gruyaume approved these changes Sep 27, 2023
View reviewed changes
Copy link
Collaborator

@gruyaume gruyaume left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

:)

lib/charms/vault_k8s/v0/vault_kv.py Outdated Show resolved Hide resolved
@gboutry
Update tests and docs, remove nonce from VaultKvRequires' init
eec4d3a 
Simplify events, update documentation, and show how to use a secret to
store the unit's nonce.
ghislainbourgeois
ghislainbourgeois requested changes Sep 27, 2023
View reviewed changes
Copy link
Contributor

@ghislainbourgeois ghislainbourgeois left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd like a small change, otherwise LGTM

lib/charms/vault_k8s/v0/vault_kv.py Outdated Show resolved Hide resolved
src/charm.py Outdated Show resolved Hide resolved
@gboutry gboutry force-pushed the feat/secrets-backend branch from e9a751c to 38cea6f Compare September 28, 2023 08:54
gruyaume
gruyaume requested changes Sep 28, 2023
View reviewed changes
tests/unit/test_charm.py Show resolved Hide resolved
tests/unit/test_charm.py Outdated Show resolved Hide resolved
gruyaume
gruyaume requested changes Sep 28, 2023
View reviewed changes
tests/unit/test_charm.py Outdated Show resolved Hide resolved
@gboutry
[Tests] Reduce tests content
a4157da 
Some tests were trying to do / assert many things outside the goal of
the test, remove any superfluous testing.
@ghislainbourgeois ghislainbourgeois merged commit dd47cec into canonical:main Sep 28, 2023
@gboutry gboutry deleted the feat/secrets-backend branch September 28, 2023 13:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gruyaume gruyaume gruyaume approved these changes

@ghislainbourgeois ghislainbourgeois ghislainbourgeois approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@gboutry @ghislainbourgeois @gruyaume