Add secret option to input vars #339
Conversation
💚 Build Succeeded
Expand to view the summary
Build stats
Test stats 🧪
🤖 GitHub commentsExpand to view the GitHub comments
To re-run your PR in the CI, just comment with:
|
|
Skipped a step and went straight to a PR since this was a simple change. One question I'm sure that we'll get: we want to separate how the field is displayed from whether or not it's a secret that should be treated differently. This way we can have the appropriate input display in the UI. So we don't want to just assume all password fields are secret or not allow other input types to be secret, such as inputs for CA certificates private keys. |
There was a problem hiding this comment.
This look to me, using a question as a description is strange at first but this is the norm when looking at the other boolean flags defined in the package spec.
I assume this is only additiona logic and we can communicate that change with the integrations teams and they can start using it.
@joshdover maybe create an issue to audit for common secrets fields:
- password
- key
- token
There might be some UI definition that needs to happen, when you are editing an integration that has already a private key defined, you want to see that we have something set for the field but not the actual value. |
I will put together a design doc for this end-to-end secret storage including UX around this. |
|
@pierrehilbert @jen-huang we should let @joshdover work on this design doc first but then lets make sure that Control Plane and Fleet UI are aligned on this feature. |
🌐 Coverage report
|
There was a problem hiding this comment.
Missign a new changelog entry for this feature.
One doubt about this feature, what is the behaviour in Kibana for those versions that do not support this secret ? Should we just allow this secret field from 2.9.0 or from certain kibana version ?
cc @jsoriano
My concern is about that users/developers setting a field as |
spec/changelog.yml
Outdated
| - version: 2.8.0-next | ||
| changes: | ||
| - description: Add ability to specify secret vars | ||
| type: enhancement | ||
| link: https://github.com/elastic/package-spec/pull/339 |
There was a problem hiding this comment.
This release was already published, please update your branch with main, there should be 2.8.1-next in the changelog.
https://github.com/elastic/package-spec/blob/e5b5ef533002a09fa1c0de1abd8ed6a467935402/spec/changelog.yml
| @@ -83,6 +83,12 @@ spec: | |||
| default: false | |||
| examples: | |||
| - true | |||
| secret: | |||
There was a problem hiding this comment.
Not sure about removing this field in previous versions using a JSON Patch.
If we do so, probably it should be for 2.9.0 (and it would be needed to update changelog too) ? Would it be better to keep for all versions for security reasons ? @jsoriano WDYT ?
versions:
- before: 2.9.0 # other version 2.0.0 ?
patch:
- op: remove
path: /definitions/vars/items/properties/secret
There was a problem hiding this comment.
+1 to add this to encourage updating the spec (and to update the version in the changelog).
|
@juliaElastic Mario and I have had a chat about this, I think we will need to restrict it so that a package developer can only set a var as secret if they have a kibana version condition of 8.9 or greater. we have function similar to this e.g for checking runtime fields https://github.com/elastic/package-spec/blob/main/code/go/internal/validator/semantic/validate_minimum_kibana_version.go#L68 However we will need one to iterate over all of the vars in a package, including package level, input level and stream level vars and see if any is set to secret. I don't think I am going to have time to do this before I go I want to focus on getting the other PRs merged. @mrodm might be able to help with this next sprint if Jill feels she has enough on her plate? |
|
Thanks for the update. Do we consider the condition as a requirement for this pr or should we raise a separate issue? |
|
@juliaElastic Thanks for the ping, as Mark is out @mrodm is the only one that can help us here. |
In general I share the concern with Mario, it may be misleading for package developers to have an option silently ignored. But thinking about this specific case, it may be better to go on without the version check. If we force package developers to update the kibana version to use |
Thanks @jsoriano for your comments! |
jillguyonnet
force-pushed
the
secret-vars
branch
from
020ef91 to
a396897
Compare
jillguyonnet
force-pushed
the
secret-vars
branch
2 times, most recently
from
2b7c758 to
c47faa9
Compare
|
Hi @mrodm - I've pushed the changes and fixed the conflicts - can you have another look please? |
jillguyonnet
force-pushed
the
secret-vars
branch
from
c47faa9 to
4441593
Compare
|
@jsoriano Are you OK with merging this? |
What does this PR do?
This adds a new
secretoption to input vars to support securely stored values. These values can only be referenced via the upcomingsecretprovider in Elastic Agent. See https://github.com/elastic/ingest-dev/issues/999 for more context.Why is it important?
We need to securely store, transmit, and redact (eg. in a diagnostic) sensitive fields in agent policies.
Checklist
test/packagesthat prove my change is effective.versions/N/changelog.yml.