-
Notifications
You must be signed in to change notification settings - Fork 18
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: support generic secret in docker auth #494
base: main
Are you sure you want to change the base?
Conversation
pkg/webhook/secret.go
Outdated
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This approach is rather forgiving, as it treats all cases where the authentication is not via username and password, as _json_key
right away, without verification. This is quite error-prone.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I probably should have avoided using the specific _json_key
as the example. The implementation should actually cover any case. Let me see if i can explain better given the following example:
{
"auths": {
"https://index.docker.io/v1/": {
"auth": "vault:secret/data/dockerrepo#ANY_VALUE"
}
}
}
(showing the auth value base64 decoded for clarity)
previously, the webhook would make no attempt to unwrap this auth
value, because it doesn't match the user:pass
format it expects, i.e., vault:secret/data/creds#USER:vault:secret/data/creds#PW
. instead, it would fail with the splitting auth credentials failed
error. there are certainly issues with the previous implementation. one being that it is restrictive, and another being that it doesn't support transit values, i.e., vault:v1:aGkK:vault:v1:YnllCg==
could be a valid username:password
but will fail with the same splitting auth credentials failed
error.
my goal with this change is to leave the previous functionality (including assumptions) in tact, but opening up the possibility for the user to put whatever they need to inside of the auth value. instead of failing with the splitting auth credentials failed
error, it will now make an attempt to unwrap the value (we've already verified it starts with the vault prefix at this point) and, if successful, swap it in. this gives the user full control of the auth value. it could be a _json_key
or it could be user:pass
or anything else.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Your observation is astute. Indeed, the main issue here is that using len(split) for control flow can be quite misleading for someone reading the code. It's not immediately clear how the length of the split array relates to the logic being implemented, which can make the code harder to understand and maintain. A more explicit and self-explanatory approach to control flow would likely improve code readability and reduce potential confusion for other developers working with this code.
The thing I wrote about verification, is for the same reason. If someone sees a verification function being called e.g.:
json.Valid(auth) // verifying JSON format
isValidPrefix(string(auth)) // verifying whether a string is a valid Vault path that can be consumed by the injector.
Immediately knows what is happening, and what values can be used.
Hey @quixoten, In the meanwhile I left a few comments. |
52dd1b0
to
c0338a9
Compare
currently, we only support unwrapping the auth key if its value supports a specific format. this change will fallback to generic unwrapping of the auth value when it doesn't match the user:pass format. Signed-off-by: Devin Christensen <[email protected]>
c0338a9
to
68004ba
Compare
Signed-off-by: Devin Christensen <[email protected]>
b00e214
to
4ce88b6
Compare
Overview
currently, the webhook only supports unwrapping the value of the auth key if it's in a specific
user:pass
format. this limitation prevents the webhook from working correctly for other valid formats of the auth value, e.g.,_json_key
.