add azure KMS as another option in refs

[anirban1c]

Fixes issue #
Add azure kms as another backend as described here
https://github.com/Azure/azure-sdk-for-python/tree/master/sdk/keyvault/azure-keyvault-keys#cryptographic-operations

this requires a key vault with a key and a service principal with - GET, ENCRYPT and DECRYPT added to it

Proposed Changes

add another module azkms
update cli with --vault option
add in azure pip dependencies

TODO: add a test module for azkms

[googlebot]

Thanks for your pull request. It looks like this may be your first contribution to a Google open source project (if not, look below for help). Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please visit https://cla.developers.google.com/ to sign.

Once you've signed (or fixed any issues), please reply here with @googlebot I signed it! and we'll verify it.

---

What to do if you already signed the CLA

Individual signers

• It's possible we don't have your GitHub username or you're using a different email address on your commit. Check your existing CLA data and verify that your email is set on your git commits.

Corporate signers

• Your company has a Point of Contact who decides which employees are authorized to participate. Ask your POC to be added to the group of authorized contributors. If you don't know who your Point of Contact is, direct the Google project maintainer to go/cla#troubleshoot (Public version).
• The email used to register you as an authorized contributor must be the email used for the Git commit. Check your existing CLA data and verify that your email is set on your git commits.
• The email used to register you as an authorized contributor must also be attached to your GitHub account.

ℹ️ Googlers: Go here for more info.

[uberspot]

This is a good candidate have in documentation instead of comments. I'd suggest adding this and any other needed docs for azkms to docs/secrets.md :) That way they are also searchable/indexed in the website https://kapitan.dev

[anirban1c]

ok

[googlebot]

We found a Contributor License Agreement for you (the sender of this pull request), but were unable to find agreements for all the commit author(s) or Co-authors. If you authored these, maybe you used a different email address in the git commits than was used to sign the CLA (login here to double check)? If these were authored by someone else, then they will need to sign a CLA as well, and confirm that they're okay with these being contributed to Google.
In order to pass this check, please resolve this problem and then comment @googlebot I fixed it.. If the bot doesn't comment, it means it doesn't think anything has changed.

ℹ️ Googlers: Go here for more info.

[anirban1c]

@googlebot I signed it!

[uberspot]

No KMS Key algorithm specified* The msg here should be updated.

[uberspot]

In general looks good! 👍
Don't forget to add some docs under docs/secrets.md.

[uberspot]

This TODO should either be fixed before merging or be more detailed so that if needed someone else can also take over. :)

[uberspot]

In comments, we need an explanation of what the code below does or other edge cases.
This comment seems unclear.

[uberspot]

What is m and what is mm in this context?
One of them is algorithm members probably. But it helps readability a lot if we use longer-named variables here.

[anirban1c]

for _attribute_name, _ in EncryptionAlgorithm.members.items():

[uberspot]

----------------------------------------------------------------------
ImportError: Failed to import test module: tests.test_binary
Traceback (most recent call last):
  File "/opt/python/3.7.1/lib/python3.7/unittest/loader.py", line 434, in _find_test_path
    module = self._get_module_from_name(name)
  File "/opt/python/3.7.1/lib/python3.7/unittest/loader.py", line 375, in _get_module_from_name
    __import__(name)
  File "/home/travis/build/deepmind/kapitan/tests/test_binary.py", line 29, in <module>
    from kapitan.cli import main
  File "/home/travis/build/deepmind/kapitan/kapitan/cli.py", line 37, in <module>
    from kapitan.refs.secrets.azkms import AzureKMSSecret
  File "/home/travis/build/deepmind/kapitan/kapitan/refs/secrets/azkms.py", line 29, in <module>
    from azure.keyvault.keys import KeyClient
ModuleNotFoundError: No module named 'azure.keyvault.keys'

Travis is failing because No module named 'azure.keyvault.keys'
Is there a pip dependency missing from requirements.txt?
I might be wrong but https://docs.microsoft.com/en-us/python/api/overview/azure/key-vault?view=azure-python mentions using from azure.keyvault import KeyVaultClient instead?

[ramaro]

change to azkms

[ramaro]

why not turn this into a dict?

[ramaro]

use dict instead?

[pievalentin]

Would be interested in seeing this merged. Is forking and doing a PR good practice?

[uberspot]

If you maintain the other authors' commits I don't see why not. :)