Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: handle _json_key .dockerconfigjson data #339

Closed
wants to merge 4 commits into from
Closed

fix: handle _json_key .dockerconfigjson data #339

wants to merge 4 commits into from

Conversation

csatib02
Copy link
Member

Overview

  • Made the Auth field of type interface { }, because this way the program can handle a _json_key if it is received under the auth key of a .dockerconfigjson.
  • I left the username, password splitting case as it was, and added a check for _json_key and another check, if a vault path is received upfront at the auth key.
  • If we have sub-keys under the auth field, we can assume that a _json_key has been passed.
  • if a vault path is passed upfront I used a regex to verify it's format.

Fixes #81

Notes for reviewers

  • I tested the solution with these 3 dockerconfigjson secrets.
# test.yaml
# For this to work, run: vault kv put secret/test/mysql MYSQL_PASSWORD=3xtr3ms3cr3t
# Decoded structure of data:
# {
#   "auths": {
#     "https://myrepov": {
#       "auth": "vault:secret/data/test/mysql#MYSQL_PASSWORD"
#     }
#   }
# }

apiVersion: v1
kind: Secret
type: kubernetes.io/dockerconfigjson
metadata:
  name: broken-thing
  annotations:
    vault.security.banzaicloud.io/vault-skip-verify: "true"
data:
  .dockerconfigjson: eyJhdXRocyI6eyJodHRwczovL215cmVwb3YiOnsiYXV0aCI6ImRtRjFiSFE2YzJWamNtVjBMMlJoZEdFdmRHVnpkQzl0ZVhOeGJDTk5XVk5SVEY5UVFWTlRWMDlTUkE9PSJ9fX0=
# test2.yaml
# Decoded structure of data:
# {
#   "auths": {
#     "https://myrepov": {
#       "auth": {
#         "type": "service_account",
#         "project_id": "fake-project"
#       }
#     }
#   }
# }

apiVersion: v1
kind: Secret
type: kubernetes.io/dockerconfigjson
metadata:
  name: docker-secret
  annotations:
    vault.security.banzaicloud.io/vault-skip-verify: "true"
data:
  .dockerconfigjson: eyJhdXRocyI6eyJodHRwczovL215cmVwb3YiOnsiYXV0aCI6eyJ0eXBlIjoic2VydmljZV9hY2NvdW50IiwicHJvamVjdF9pZCI6ImZha2UtcHJvamVjdCJ9fX19
# test3.yaml
# For this to work, run: vault kv put secret/test/aws AWS_SECRET_ACCESS_KEY=s3cr3t
# Decoded structure:
# {
#   "auths": {
#     "https://myrepov": {
#       "auth": "vault:secret/data/test/aws#AWS_SECRET_ACCESS_KEY"
#     }
#   }
# }

apiVersion: v1
kind: Secret
type: kubernetes.io/dockerconfigjson
metadata:
  name: aws-key-secret
  annotations:
    vault.security.banzaicloud.io/vault-skip-verify: "true"
data:
  .dockerconfigjson: eyJhdXRocyI6eyJodHRwczovL215cmVwb3YiOnsiYXV0aCI6ImRtRjFiSFE2YzJWamNtVjBMMlJoZEdFdmRHVnpkQzloZDNNalFWZFRYMU5GUTFKRlZGOUJRME5GVTFOZlMwVloifX19

@csatib02
fix(secret.go): fix issue on _json_key .dockerconfigjson type of data
c4f6bab 
Signed-off-by: Bence Csati <csatib02@gmail.com>
@csatib02 csatib02 requested a review from a team as a code owner February 13, 2024 11:03
@csatib02 csatib02 requested review from ramizpolic and removed request for a team February 13, 2024 11:03
@github-actions github-actions bot added the size/M Denotes a PR that changes 100-499 lines label Feb 13, 2024
@csatib02 csatib02 changed the title fix: fix issue handle _json_key .dockerconfigjson data fix: handle _json_key .dockerconfigjson data Feb 13, 2024
@csatib02
chore(secret.go): minor fixes
cc04e28 
Signed-off-by: Bence Csati <bcsati@cisco.com>
@csatib02
chore(secret.go): minor fixes
692077b 
Signed-off-by: Bence Csati <bcsati@cisco.com>
@csatib02 csatib02 self-assigned this Feb 23, 2024
@csatib02
chore
eaf333a 
Signed-off-by: Bence Csati <bcsati@cisco.com>
@csatib02 csatib02 closed this by deleting the head repository Feb 27, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ramizpolic ramizpolic Awaiting requested review from ramizpolic ramizpolic is a code owner automatically assigned from bank-vaults/maintainers

Assignees

@csatib02 csatib02

Labels
size/M Denotes a PR that changes 100-499 lines
Projects
None yet
Milestone
No milestone
1 participant
@csatib02