Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(jans-pycloudlib): add AWS secret manager support as a secret layer for holding CN configuration #3026

Closed
moabu opened this issue Nov 18, 2022 · 5 comments · Fixed by #3112
Closed

feat(jans-pycloudlib): add AWS secret manager support as a secret layer for holding CN configuration #3026

moabu opened this issue Nov 18, 2022 · 5 comments · Fixed by #3112
Assignees
@iromli @moabu
Labels
comp-jans-pycloudlib enhancement kind-feature Issue or PR is a new feature request

Comments

@moabu
Copy link
Member

moabu commented Nov 18, 2022
edited by iromli
Loading

Similar to the google secret handler, an AWS secret handler should be added to support multi regional setups with AWS secret manager has the holder of the secret and configuration output.

Things to consider:
@moabu moabu self-assigned this Nov 18, 2022
@mo-auto mo-auto added comp-jans-pycloudlib kind-feature Issue or PR is a new feature request labels Nov 18, 2022
@moabu moabu added this to the 1.0.5 milestone Nov 18, 2022
@iromli
Copy link
Contributor

iromli commented Nov 18, 2022
edited
Loading

As we have configs and secrets layers, we can utilize different type of AWS secretsmanager value.

  1. For configs (non-sensitive configuration), we can use SecretString type, for example:

    » awslocal secretsmanager create-secret --name hostname --secret-string demoexample.jans.io

» awslocal secretsmanager get-secret-value --secret-id hostname
{
    "ARN": "arn:aws:secretsmanager:us-east-1:000000000000:secret:hostname-PUrbYB",
    "Name": "hostname",
    "VersionId": "04084d42-730b-4412-b102-8fe577fd169f",
    "SecretString": "demoexample.jans.io",
    "VersionStages": [
        "AWSCURRENT"
    ],
    "CreatedDate": 1668801471.205548
}

  2. For secrets, we can use SecretBinary type, for example:

    » awslocal secretsmanager create-secret --name ssl_cert --secret-binary this-is-supposed-to-be-a-secret

» awslocal secretsmanager get-secret-value --secret-id ssl_cert
{
    "ARN": "arn:aws:secretsmanager:us-east-1:000000000000:secret:ssl_cert-gxSsyG",
    "Name": "ssl_cert",
    "VersionId": "398d9038-ad05-498a-9164-4e7142faad4b",
    "SecretBinary": "dGhpcy1pcy1zdXBwb3NlZC10by1iZS1hLXNlY3JldA==",
    "VersionStages": [
        "AWSCURRENT"
    ],
    "CreatedDate": 1668801851.753725
}

    Which can be decoded (if necessary), as seen below:

    » awslocal secretsmanager get-secret-value --secret-id ssl_cert | yq '.SecretBinary' | base64 -d
this-is-supposed-to-be-a-secret

@iromli iromli changed the title feat(jans-pycloudlib): add AWS secert manager support as a secret layer for holding CN configuration feat(jans-pycloudlib): add AWS secret manager support as a secret layer for holding CN configuration Nov 18, 2022
@moabu
Copy link
Member Author

moabu commented Nov 19, 2022

Agreed. However, I think we need to unify the method . With google secrets we are also encrypting and compressing the data that is pushed to the secret manager. I think we need to either remove that or also enforce the same with AWS

@iromli
Copy link
Contributor

iromli commented Nov 20, 2022

Lets keep the Google secrets as is to avoid regression. For AWS secrets, we may add compression before saving it as SecretBinary type.

@iromli
Copy link
Contributor

iromli commented Nov 20, 2022
edited
Loading

Though in my opinion, adding compression likely will make it harder to check the value from official AWS CLI/client apps as those need to decode and/or decompress the value first. Not as straight as we used to have when dealing with native k8s or Vault secrets.

@moabu
Copy link
Member Author

moabu commented Nov 20, 2022

Right , though the compression came out of the need to lower the size of the payload since upstream clouds have limits on the size of each secret. Since we have full files in our secrets that becomes an issue so we have to compress to make sure we keep the payload and secret low in size and add a how to for dealing with checking the secrets data.

@iromli iromli self-assigned this Nov 25, 2022
iromli added a commit that referenced this issue Nov 29, 2022
@iromli
feat(jans-pycloudlib): add AWS Secrets Manager support for configurat…
9bead69 
…ion layers

Ref: #3026
@iromli iromli mentioned this issue Nov 29, 2022
Merged
5 tasks
moabu added a commit that referenced this issue Nov 30, 2022
@iromli @mo-auto @moabu
feat(jans-pycloudlib): add AWS Secrets Manager support for configurat…
0522e61 
…ion layers (#3112)

* feat(jans-pycloudlib): add AWS Secrets Manager support for configuration layers

Ref: #3026

* chore(jans-pycloudlib): updated build (#3113)

Signed-off-by: mo-auto <54212639+mo-auto@users.noreply.github.com>

Signed-off-by: mo-auto <54212639+mo-auto@users.noreply.github.com>

* feat: add aws secret setup to helm chart

* ci: add update of pycloud exception

Signed-off-by: mo-auto <54212639+mo-auto@users.noreply.github.com>
Co-authored-by: mo-auto <54212639+mo-auto@users.noreply.github.com>
Co-authored-by: moabu <47318409+moabu@users.noreply.github.com>
moabu added a commit to GluuFederation/flex that referenced this issue Dec 1, 2022
@moabu
feat: add aws secret manager JanssenProject/jans#3026
48418cd
This was referenced Dec 8, 2022
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@iromli iromli

@moabu moabu

Labels
comp-jans-pycloudlib enhancement kind-feature Issue or PR is a new feature request
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat(jans-pycloudlib): add AWS Secrets Manager support for configuration layers JanssenProject/jans
3 participants
@iromli @moabu @mo-auto