grafana

Commit Graph

Author	SHA1	Message	Date
Dana Axinte	29a639a6dd	SecretsService: Filter secure values by status phase (#101780 ) * filter by status phase field * comment and error message * missed error to handle * fix test after merge	3 months ago
Michael Mandrus	ba207911b9	SecretsManager: Remove dependencies on legacy encryption (#101846 ) * commit wip * getting there * rename some stuff * rename * clean up tests some more * fix the rest of the registry tests * fix store tests * lint * more dependency cleanup * forgot a file * fix wire * add some tests * remove old checks * remove unused dependency * fix test * fix test * even more test fixes * fix default encryption init * lint * remove useless abstraction * fix typo	3 months ago
Michael Mandrus	36fc6fb91b	[Chore] Secrets: Capture new settings in the global config struct (#101743 ) * capture config options in the config struct * one liner * fix tests * fix more tests	3 months ago
Michael Mandrus	3fb1d2de04	Secrets: Mark SecureValues `Succeeded` manually while we await an outbox implementation (#101737 ) mark objects succeeded in the storage layer as a temp workaround	3 months ago
Dana Axinte	3723e6ca3e	SecretsService: Unify keeper type definitions (#101512 ) Unify keeper type definitions	3 months ago
Dana Axinte	553b8d3aa8	SecretsService: Updating the keeper not allowed for securevalues (#101526 ) sv validation at updating keeper	3 months ago
Matheus Macabu	38951d4304	SecureValues: add temporary allow list for decrypters (#101272 )	3 months ago
Dana Axinte	9db1e83f8b	SecretsService: use default sql keeper and connect flow (#100201 ) * default sql store and decrypt * remove validation on keeper existance * further implementation of generic keeper store and delete * small comment changes * store by ref not implemented * return quicker * use encryption config from secure manager * update in keeper * some structure changes * fix test * fix manager test * add checking keeper default in loading keeper config * remove keeper sql example * update tests and error messages * add tests with default sql keeper * undo a sv file change * secret management tests * decrypt tests * updates after review: default in test and decrypt method * readd check that keeper exists * default tests with sql keeper * disable usage stats in enc manager * comment register usage metrics * fix tests secret mgmt * no need to list again in tests	3 months ago
Dana Axinte	8971259b4b	Chore: Rename secure value and keeper metadata stores (#101140 ) * rename sv and keeper metadata * missed one renaming	3 months ago
lean.dev	c26cdaa92d	GrafanaSecret: Add namespace to encrypted value db table (#100997 )	3 months ago
Matheus Macabu	edfc81af80	Disable authz func in dev mode	3 months ago
Matheus Macabu	d6ca7a2c86	Secrets: add authorizer for CRUDL kind operations (#100498 ) * Secrets: add authorizer for CRUDL kind operations * more unit tests * fix integration tests and add helper to create users with arbitrary permissions * split actions by kind * fix integration tests resource permissions passing * Add integration tests for lack permissions keepers * Add integration tests for lack permissions securevalues * Fine tune permissions for integration tests * Clarify access roles naming * Linter: preallocate permissions in test helper * Add integration tests for scoped permissions on resources * Merge list+describe actions into read for both resources * Update authorizer to use generic MT one with action mapper * Rename secrets-manager in permissions to just secret * Keeper: fix Update sometimes failing because of missing condition clause on name+namespace * Also grant reading permission to writers as best practice * Add note on resource authorizer not being folder dependent	3 months ago
Matheus Macabu	e48e092bc1	SecureValues: add status field (#100802 ) * SecureValues: add field at the top level * Storage: add migration and insert for new 'status' fields on SecureValue * API: mutate SecureValue's 'status' when creating or updating it	3 months ago
Matheus Macabu	0e7e0c6fd5	SecureValues: make decrypters an optional field (#100731 ) SecureValues: make decrypters an optional field	3 months ago
Dana Axinte	6baa0852c1	SecretsService: Keeper Update fix and add encryption config (#100541 ) fix update and move config	3 months ago
Matheus Macabu	efb4882f41	SecureValues: rename audiences to decrypters to disambiguate from IAM (#100484 )	3 months ago
Matheus Macabu	6d9db9c83d	fix: breaking test when merging	4 months ago
Matheus Macabu	20e108337b	Chore: remove NameNamespace throughout codebase (#100400 )	4 months ago
Matheus Macabu	e986a63228	Secrets: Add (function) Decryption client + Proto/gRPC boilerplate (#100263 ) * Secret: add protobuf definitions and code generation * Secret: add decrypt client to contracts * Registry: add decrypt client func implementation and wire it * Chore: remove xkube from external API	4 months ago
Dana Axinte	bbdee3ad07	SecretsService: keeper Update with sql keeper implementation (#100289 ) keeper Update with sql keeper implementation	4 months ago
Dana Axinte	d0aa717c25	SecretsService: Add decrypt subresource for testing (#99901 ) * add simple decrypt * fix lint * rename to rest and add separate store * test update after adding suresource * fake decrypt * change path * remove config	4 months ago
Dana Axinte	e926493c6c	SecretsService/Chore: restructure secret storage packages (#100053 ) restructure storage	4 months ago
Michael Mandrus	c1de708f60	Secrets: Implement backend stubs for frontend development (#99618 ) * add property to ini files * parse new config * implement fake storages * need to use correct error type or else bad things happen * remove obnoxious printlns * cleanup * fix update * make async * fix sample ini	4 months ago
Dana Axinte	e05dc9c95b	SecretsService: SQLKeeper implementation (#99656 ) * clean implementation * add namespace to interface methods * sqlkeeper tests * add tracer * add fakes, rename sqlkeeper files	4 months ago
lean.dev	6e852fa558	Secrets: Add apiserver support (#98670 )	4 months ago
Dana Axinte	7f0d091a2e	SecretsService: OSS secret keeper service (#99384 ) * oss sql skeleton * keeper types * small change * split ValidateSecureValue * use manager in keeper service * move types and use provider in oss * remove comment * remove duplicated file * updates on syntax and conventions * credentials passing * move manager and secretkeeper injection * add simple tests * start * use cfg keeper config and map provider * remove test * adding namespace to keeper methods * test and get keepers	4 months ago
Dana Axinte	da46d93f45	SecretsService: use common KeeperConfig interface (#99260 ) * keeper config interface * add type method	4 months ago
Dana Axinte	aeaa0b697b	SecretsService: skip rencrypt tests (#99252 ) * skip rencrypt test * more tests to skip	4 months ago
Dana Axinte	ebadc43bfd	SecretsService: Encrypted value storage (#98978 ) * start * encrypted value store * undo changes * undo changes * undo changes * missing error check * updates after comments * err check * split ValidateSecureValue	4 months ago
Matheus Macabu	0099c26a29	SecureValues: store `ref` if exists and don't allow switching between `ref`/`value` on updates (#98851 ) * SecureValues: persist if set when creating * SecureValues: validate cannot switch from ref to value and vice-versa * Tests: cover both value+ref being set on update	4 months ago
Matheus Macabu	27dd504b0e	Tests: add multiple namespace integration tests (#98823 ) * Tests: add multiple namespace integration tests * Tests: move clean up to the end of the test case	4 months ago
Matheus Macabu	de369ef7cd	Keepers: dont allow using `secureValueName` in SQL keepers (#98814 ) * Keepers: dont allow using `secureValueName` in SQL keepers This simplifies the setup for SQL keeper credentials and avoids us having to walk dependencies between SecureValues. * SecureValues: add helper method for determining if SQL keeper is defined	4 months ago
Matheus Macabu	3557a77d53	Keepers: dont allow secureValueNames to reference 3rdparty keepers (#98803 ) Instead, secureValueNames in a Keeper can ONLY reference SQL-type keepers. This is to simplify the dependency chain and possibilities, where before we'd have to walk the possible secureValueNames chain, we now limit ourselves to only have to do at most 1 look-up in another keeper, which is guaranteed to be a SQL keeper.	4 months ago
Michael Mandrus	b608f88c6b	Finish setup of the encryption manager in the secrets package (#98070 ) * move store to the central storage location and clean up further * make the cache multitenant * fix some syntax issues * remove duplicate metrics * label col in migrator * AI-generated unit tests :D * more unit tests * fix the ordering of args * missed some * missed another: * should be the last of it * some progress on getting manager tests passing * more progress * remove unneeded tests * fix icky bug * everything passing * make linter happy * add quick comment * rename table * bulk update during key reencryption * use bulk updates for reencryption - wip * remove circular dependency * add TODO * undo rename	4 months ago
Matheus Macabu	ffd260b31d	Chore: refactor integration tests with helpers and use only generated specs (#98792 ) * Chore: refactor integration tests with helpers and use only generated specs * Chore: remove non-generated variants from testdata spec * Chore: fix flaky test slice compare	5 months ago
Matheus Macabu	438e89d8a8	Keepers: Validate referenced SecureValues exist (#98731 ) Before creating or updating a Keeper, we now check whether any referenced SecureValues (through credentials' secureValueName) exist. If it doesn't, we throw an error type, and then map that into the expected Kubernetes error. e.g. the API returns: ``` The Keeper "azure-xyz" is invalid: secureValueName: Not found: "CLIENT_SECRET_XYZ" ```	5 months ago
Matheus Macabu	2fab8a5c13	Securevalues: add stricter audiences validation (#98439 ) rest/securevalues: add stricter audiences validation - group-names must be unique in the list, so having `foo/abc` or `foo/` twice is reported; - if the audiences have a `foo/`, any other `foo/{name}` is redundant and reported.	5 months ago
Matheus Macabu	5362f12797	Secrets: change Keeper schema to treat updates as PUT operation (#98325 ) * storage/secret: comment for annotations/labels being actually a map * storage/secret: List Keepers DB query use typed "cond" for where clause * keepers: replace whole spec when updating to allow changing providers * reststorage/securevalues: rename vars and import package	5 months ago
Matheus Macabu	30d3497f29	Secrets: introduce contracts and xkube packages (#98240 ) * apis/secret: add contracts package for sv + keeper * apis/secret: add xkube package for kubernetes-related data manipulations * chore: replace usage for new packages * chore: delete old packages unused * apis/tests: move discovery client test to its own file	5 months ago
Matheus Macabu	405eb7b10f	Secrets: Add basic validation and mutation for kinds (#98204 ) * apis/secret: add validation for securevalues * apis/secret: add validation for keepers * chore: fix linter issues * apis/secret: add generic validation for name+namespace * apis/secret: generate name in callback in case it is empty * tests/apis: add happy path integration test for generate name * tests/apis: add invalid resource (validation failure) integration test * chore: fix linter issues part 2	5 months ago
Dana Axinte	2eccf6d8b9	SecretsService: add CRUDL storage for keeper (#97976 ) * start on keeper * clean * cleanup * uncomment * lint * if err issue * all methods, missing type payload * have type and config * tests * fix test and lint * keepers test * fix error message	5 months ago
Matheus Macabu	264a66733a	Secrets: use `ExposedSecureValue` wrapper type on SecureValues spec (#98090 ) * Secrets: use `ExposedSecureValue` wrapper type on SecureValues spec * panic if exposing value more than once	5 months ago
Matheus Macabu	77d4511f58	storage/secret: add namespace newtypes for improved type safety (#98079 ) * storage/secret: add namespace newtypes for improved type safety * storage/secret: rename to namenamespace	5 months ago
Michael Mandrus	2426093b43	secrets: start wiring in env encryption (#97890 ) * start wiring in env encryption * comments and tests for secure value domain obj * also implement formatter and gostring on secure value * more cleanup * comment out tests since they won't work right now --------- Co-authored-by: Matheus Macabu <macabu.matheus@gmail.com>	5 months ago
Matheus Macabu	21f60f2788	Secrets: add CRUDL storage for secure value metadata (#97949 ) * storage/secret: make constant for secure value table name * storage/secret: add methods to map secure value row to k8s and vice-versa * storage/secret: add create and read methods fo secure value * apis/secret: implement create and read methods * apis/secret: add example of secure value yaml * apis/secret: add basic integration tests * storage/secret: change namespace to nvarchar * codeowners: add OPEX to codeowner of int tests * storage/secret: change name to nvarchar * pkg/tests/api: add more cases for integration test * securevalue: implement Update * securevalue: implement Delete * securevalue: implement List * pkg/registry/apis/secret: add basic Validate func that does nothing * no need for transactions atm	5 months ago
PoorlyDefinedBehaviour	a5f29f10a0	trigger github update	6 months ago
Matheus Macabu	59bc105ec0	secrets/reststorage: pass secure value db storage to api group	6 months ago
dana-axinte	7ca769adc9	connected feature flag	6 months ago
dana-axinte	abd195d7da	keeper rest storage	6 months ago
dana-axinte	b7f7798503	adding rest storage to secret	6 months ago

1 2

51 Commits (278cfd1631b822d609d73cea992f86a0832455f2)