BRE-992: Extend user provided secrets and certificate #422
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Contributor
|
Great job! No new security vulnerabilities introduced in this pull request |
- Support user provided certificates and keys. - Add tests - Update README - Set defaults Update README - Add required inputs - Update schema Update schema - Drop test file Lint - Drop testing annotation Move certificate password to certificate secret Switch from "autoGenerate" to "generate" - After sleeping on it, I like just "generate" - Updates README with more concise steps - Brings the .pfx passphrase into the .pfx secret itself.
mimartin12
force-pushed
the
BRE-992-user-provided-secrets
branch
from
a377d5b to
f921e81
Compare
mimartin12
changed the title
Update comment to clarify keys secret name generation
mimartin12
requested review from
a team and
gitclonebrian
and removed request for
a team
| openssl rand -hex 64 # Repeat three times | ||
| ``` | ||
|
|
||
| 1. Generate a `identity.pfx` certificate for the identity service. You can use OpenSSL or using a tool to generate a self-signed certificate. |
There was a problem hiding this comment.
Suggested change
| 1. Generate a `identity.pfx` certificate for the identity service. You can use OpenSSL or using a tool to generate a self-signed certificate. | |
| 1. Generate a `identity.pfx` certificate for the identity service. You can use OpenSSL or any other certificate tool to generate a self-signed certificate. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
🎟️ Tracking
📔 Objective
This change allows users to set all secrets used in the Self-host deployment, including bringing their own
identity.pfxcertificate.This aims to provide more flexibility for installations that rely on secrets sourced from a secret management system as well as deployments managed by platforms such as Argo CD or Flux.
#401
Today, the chart does support some user provided secrets as shown here https://github.com/bitwarden/helm-charts/blob/main/charts/self-host/README.md#secrets. In this configuration the chart will generate additional secrets using Kubernetes jobs:
Using this new configuration, a user can opt out of the generated secrets and provide the name of their own secrets. This effectively skips all secret generation and uses the two
secretNamevalues.📸 Screenshots
⏰ Reminders before review
🦮 Reviewer guidelines
:+1:) or similar for great changes:memo:) or ℹ️ (:information_source:) for notes or general info:question:) for questions:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion:art:) for suggestions / improvements:x:) or:warning:) for more significant problems or concerns needing attention:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt:pick:) for minor or nitpick changes