
[WIP] remove sensitive data from MR and resolve references just before use to not leak secrets data into MR after resolved. #252

Closed
wants to merge 36 commits into from

Conversation

mad01
Copy link

@mad01 mad01 commented May 22, 2024

One implementation to fix #223 to not render sensitive data into the MR from a secret rendered

Description of your changes

Fixes #

I have:

  • Read and followed Crossplane's contribution process.
  • Run make reviewable test to ensure this PR is ready for review.

How has this code been tested

@mad01
Copy link
Author

mad01 commented May 22, 2024

I have some failing tests left that I have to fix, and some TODOs to remove.

haarchri and others added 29 commits May 23, 2024 11:38
Signed-off-by: Christopher Haar <[email protected]>
Signed-off-by: Alexander Brandstedt <[email protected]>
Signed-off-by: Christopher Haar <[email protected]>
Signed-off-by: Alexander Brandstedt <[email protected]>
Signed-off-by: Hasan Turken <[email protected]>
Signed-off-by: Alexander Brandstedt <[email protected]>
Signed-off-by: Hasan Turken <[email protected]>
Signed-off-by: Alexander Brandstedt <[email protected]>
Signed-off-by: rladdukodiraghav <[email protected]>
Signed-off-by: Alexander Brandstedt <[email protected]>
Signed-off-by: rladdukodiraghav <[email protected]>
Signed-off-by: Alexander Brandstedt <[email protected]>
Signed-off-by: rladdukodiraghav <[email protected]>
Signed-off-by: Alexander Brandstedt <[email protected]>
Signed-off-by: ravilr <[email protected]>
Signed-off-by: Alexander Brandstedt <[email protected]>
Signed-off-by: ravilr <[email protected]>
Signed-off-by: Alexander Brandstedt <[email protected]>
Signed-off-by: Hasan Turken <[email protected]>
Signed-off-by: Alexander Brandstedt <[email protected]>
Signed-off-by: Hasan Turken <[email protected]>
Signed-off-by: Alexander Brandstedt <[email protected]>
Signed-off-by: ravilr <[email protected]>
Signed-off-by: Alexander Brandstedt <[email protected]>
* Add `ObservedObjectCollection` API type

Objects in the collection are defined by:
* GVK
* optional namespace
* label selector

The objects are fetched using the specified provider config
and for the matched objects the provider creates counterpart
observe-only objects in the local cluster.

The created objects are owned by the collection resource and
reconciled as usual by the provider. They are labeled with a common label, so that they can be fetched easily.
The label is discoverable by reading the `.status.membershipLabel` field of `ObservedObjectCollection`.

Signed-off-by: Predrag Knezevic <[email protected]>
Signed-off-by: Alexander Brandstedt <[email protected]>
See crossplane-contrib#233

Signed-off-by: Jack Jackson <[email protected]>
Signed-off-by: Alexander Brandstedt <[email protected]>
Co-authored-by: Jared Watts <[email protected]>
Signed-off-by: Jack Jackson <[email protected]>
Signed-off-by: Alexander Brandstedt <[email protected]>
Signed-off-by: Hasan Turken <[email protected]>
Signed-off-by: Alexander Brandstedt <[email protected]>
Signed-off-by: Hasan Turken <[email protected]>
Signed-off-by: Alexander Brandstedt <[email protected]>
Signed-off-by: Hasan Turken <[email protected]>
Signed-off-by: Alexander Brandstedt <[email protected]>
Signed-off-by: Hasan Turken <[email protected]>
Signed-off-by: Alexander Brandstedt <[email protected]>
Signed-off-by: Hasan Turken <[email protected]>
Signed-off-by: Alexander Brandstedt <[email protected]>
Signed-off-by: Hasan Turken <[email protected]>
Signed-off-by: Alexander Brandstedt <[email protected]>
Signed-off-by: Hasan Turken <[email protected]>
Signed-off-by: Alexander Brandstedt <[email protected]>
Signed-off-by: Hasan Turken <[email protected]>
Signed-off-by: Alexander Brandstedt <[email protected]>
Signed-off-by: Hasan Turken <[email protected]>
Signed-off-by: Alexander Brandstedt <[email protected]>
Signed-off-by: Hasan Turken <[email protected]>
Signed-off-by: Alexander Brandstedt <[email protected]>
Signed-off-by: Hasan Turken <[email protected]>
Signed-off-by: Alexander Brandstedt <[email protected]>
Signed-off-by: Hasan Turken <[email protected]>
Signed-off-by: Alexander Brandstedt <[email protected]>
Signed-off-by: Hasan Turken <[email protected]>
Signed-off-by: Alexander Brandstedt <[email protected]>
turkenh and others added 7 commits May 23, 2024 11:38
Signed-off-by: Hasan Turken <[email protected]>
Signed-off-by: Alexander Brandstedt <[email protected]>
Signed-off-by: Hasan Turken <[email protected]>
Signed-off-by: Alexander Brandstedt <[email protected]>
Signed-off-by: Hasan Turken <[email protected]>
Signed-off-by: Alexander Brandstedt <[email protected]>
Signed-off-by: Hasan Turken <[email protected]>
Signed-off-by: Alexander Brandstedt <[email protected]>
Signed-off-by: Hasan Turken <[email protected]>
Signed-off-by: Alexander Brandstedt <[email protected]>
Signed-off-by: ezgidemirel <[email protected]>
Signed-off-by: Alexander Brandstedt <[email protected]>
observer loop. This is to stop the secret payload from ending up in the MR
and instead resolve the secret one more time just before use in the
Create/Update/Delete funcs.

Signed-off-by: Alexander Brandstedt <[email protected]>
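The pattern the commit above describes, as an added illustration that is not code from this PR or from provider-kubernetes: the observe step writes the manifest back to the managed resource with secret references still unexpanded, and the references are only resolved at the moment the manifest is about to be applied. The `${secret:namespace/name/key}` placeholder syntax, the `SecretStore` interface, the in-memory `memStore` and the `LeaksSecret` guard are all assumptions made for this example, not the provider's real API.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// SecretStore abstracts the Kubernetes secret API. In a real provider this would
// be a controller-runtime client; here it is an assumption made for the example.
type SecretStore interface {
	Get(namespace, name, key string) ([]byte, error)
}

// memStore is a constructed in-memory store keyed by "namespace/name/key".
type memStore map[string][]byte

func (m memStore) Get(ns, name, key string) ([]byte, error) {
	v, ok := m[ns+"/"+name+"/"+key]
	if !ok {
		return nil, fmt.Errorf("secret %s/%s key %q not found", ns, name, key)
	}
	return v, nil
}

// refPattern matches the hypothetical placeholder form ${secret:namespace/name/key}.
var refPattern = regexp.MustCompile(`\$\{secret:([^/}]+)/([^/}]+)/([^}]+)\}`)

// ObservedState is what the reconciler persists on the managed resource. It keeps
// the manifest exactly as authored, so no secret payload is ever written to the MR.
type ObservedState struct {
	Manifest string
}

// Observe returns the manifest with references intact; nothing is resolved here.
func Observe(manifest string) ObservedState {
	return ObservedState{Manifest: manifest}
}

// ResolveForUse expands secret references immediately before Create/Update/Delete.
// The returned string is used for the API call and must not be stored on the MR.
func ResolveForUse(manifest string, store SecretStore) (string, error) {
	var firstErr error
	out := refPattern.ReplaceAllStringFunc(manifest, func(m string) string {
		parts := refPattern.FindStringSubmatch(m)
		v, err := store.Get(parts[1], parts[2], parts[3])
		if err != nil {
			if firstErr == nil {
				firstErr = err
			}
			return m // leave the placeholder in place; the error aborts the operation
		}
		return string(v)
	})
	if firstErr != nil {
		return "", firstErr
	}
	return out, nil
}

// LeaksSecret is a guard for tests or a pre-persist check: it reports whether any
// known secret value appears verbatim in text that is about to be written to status.
func LeaksSecret(text string, store memStore) bool {
	for _, v := range store {
		if len(v) > 0 && strings.Contains(text, string(v)) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample: one secret and one manifest that references it.
	store := memStore{"default/db-creds/password": []byte("s3cr3t-pw")}
	manifest := `{"user":"app","password":"${secret:default/db-creds/password}"}`

	obs := Observe(manifest)
	fmt.Println("persisted to MR:", obs.Manifest, "leaks:", LeaksSecret(obs.Manifest, store))

	rendered, err := ResolveForUse(manifest, store)
	if err != nil {
		fmt.Println("resolve failed:", err)
		return
	}
	fmt.Println("sent to API server:", rendered, "leaks:", LeaksSecret(rendered, store))
}
```

The split is the whole point: `Observe` never touches the store, so a `kubectl get` of the managed resource or a dump of its status shows only the reference, while `ResolveForUse` runs inside the Create/Update/Delete path and its output is discarded after the call. A missing secret fails the operation instead of silently applying a manifest with a placeholder left in it.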
@mad01 mad01 closed this May 23, 2024
@mad01 mad01 deleted the sensitive-data branch May 23, 2024 09:40
Successfully merging this pull request may close these issues.

Enable Secret References to hide sensitive data
7 participants