feat: add nversion support to azurekeyvault provider certificates and keys #1955
Conversation
Codecov ReportAttention: Patch coverage is
|
duffney
force-pushed
the
issue-1751/nversion
branch
from
ccf970c to
7fbc3e2
Compare
| @@ -37,4 +37,6 @@ type KeyVaultValue struct { | |||
| Name string `json:"name" yaml:"name"` | |||
| // the version of the Azure Key Vault certificate/key | |||
| Version string `json:"version" yaml:"version"` | |||
| // the number of versions to keep in the cache | |||
| VersionHistoryLimit int `json:"versionHistoryLimit" yaml:"versionHistoryLimit"` | |||
There was a problem hiding this comment.
@akashsinghal @binbin-li what are your thoughts on adding a VersionHistory field here with the sortVersionHistory and GetSortedVersions as methods?
There was a problem hiding this comment.
if those 2 methods takes KeyVaultValue as receiver or operates on it, I feel they can be added here.
There was a problem hiding this comment.
+1 to binbin's comment
| keyVaultCert.VersionHistoryLimit = versionHistoryLimitDefault | ||
| } | ||
|
|
||
| var versionHistory []struct { |
There was a problem hiding this comment.
nit: we can define the struct on top of the file as I saw it's defined multiple times in the file.
There was a problem hiding this comment.
Changes made: 9f42567
| sortedVersionHistory := GetSortedVersions(versionHistory) | ||
|
|
||
| // if versionHistoryLimit is greater than the number of versions, set it to the number of versions | ||
| if keyVaultKey.VersionHistoryLimit > len(sortedVersionHistory) { |
There was a problem hiding this comment.
we can combine both checking on versionHistoryLimit in the same place. keyVaultKey.VersionHistoryLimit == 0
There was a problem hiding this comment.
Changes made: a3828c9
I moved the logic together and added another if to check the length of the sorted versions to output a info message and continue when no versions were returned from the pager.
// if no versions found, log and continue
if len(sortedVersionHistory) == 0 {
logger.GetLogger(ctx, logOpt).Infof("no versions found for key %s", keyVaultKey.Name)
continue
}
// if versionHistoryLimit isn't set default to 1 to avoid out of bounds error
if keyVaultKey.VersionHistoryLimit == 0 {
keyVaultKey.VersionHistoryLimit = versionHistoryLimitDefault
}
// if versionHistoryLimit is greater than the number of versions, set it to the number of versions
if keyVaultKey.VersionHistoryLimit > len(sortedVersionHistory) {
keyVaultKey.VersionHistoryLimit = len(sortedVersionHistory)
}I know, it's a lot of if statements... I'm working on refactoring it with the backwards compatibility suggestions from @susanshi.
| @@ -37,4 +37,6 @@ type KeyVaultValue struct { | |||
| Name string `json:"name" yaml:"name"` | |||
| // the version of the Azure Key Vault certificate/key | |||
| Version string `json:"version" yaml:"version"` | |||
| // the number of versions to keep in the cache | |||
| VersionHistoryLimit int `json:"versionHistoryLimit" yaml:"versionHistoryLimit"` | |||
There was a problem hiding this comment.
if those 2 methods takes KeyVaultValue as receiver or operates on it, I feel they can be added here.
| @@ -37,4 +37,6 @@ type KeyVaultValue struct { | |||
| Name string `json:"name" yaml:"name"` | |||
| // the version of the Azure Key Vault certificate/key | |||
| Version string `json:"version" yaml:"version"` | |||
| // the number of versions to keep in the cache | |||
| VersionHistoryLimit int `json:"versionHistoryLimit" yaml:"versionHistoryLimit"` | |||
There was a problem hiding this comment.
wonder if the VersionHistoryLimit should be set per key or per provider
There was a problem hiding this comment.
Having it at the key/cert level provides more granularity. And it's likely each key/cert will have different requirements for the number of versions to be kept. Imo, having it at this level gives a better user experience.
| } | ||
|
|
||
| // GetSortedVersions returns the sorted versions of the object | ||
| func GetSortedVersions(versionHistory []struct { |
There was a problem hiding this comment.
nit: func GetSortedVersions(sortedVersionHistory
There was a problem hiding this comment.
duffney
requested review from
akashsinghal,
jimmyraywv,
luisdlp,
susanshi and
toddysm
as code owners
| } | ||
|
|
||
| // GetSortedVersions returns the sorted versions of the object | ||
| func GetSortedVersions(versionHistory []struct { |
There was a problem hiding this comment.
nit: The function name is a bit misleading, the function doesn't do any sorting. When it's called, it's passed with the sorted versions struct. I suggest you change the name to GetVersions.
There was a problem hiding this comment.
| // GetKey retrieves a key from the keyvault | ||
| func (c *keyKVClientImpl) GetKey(ctx context.Context, keyName string, keyVersion string) (azkeys.GetKeyResponse, error) { | ||
| return c.Client.GetKey(ctx, keyName, keyVersion, nil) | ||
| } | ||
|
|
||
| func (c *keyKVClientImpl) NewListKeyVersionsPager(name string, options *azkeys.ListKeyVersionsOptions) *runtime.Pager[azkeys.ListKeyVersionsResponse] { |
There was a problem hiding this comment.
To keep it consistent with the signature of NewListCertificateVersionsPager, rename the first parameter to keyName.
There was a problem hiding this comment.
| mapKey := keymanagementprovider.KMPMapKey{Name: keyVaultCert.Name, Version: keyVaultCert.Version, Enabled: isEnabled} | ||
| keymanagementprovider.DeleteCertificateFromMap(s.resource, mapKey) | ||
| continue | ||
| // if versionHistoryLimit is not set, set it to default value 1 |
There was a problem hiding this comment.
nit: It'll be neater if you move this logic to line 233 so that setting the limit is done in one place:
// if versionHistoryLimit is not set, set it to default value 1
if keyVaultCert.VersionHistoryLimit == 0 {
keyVaultCert.VersionHistoryLimit = versionHistoryLimitDefault
}
// if versionHistoryLimit is greater than the number of versions, set it to the number of versions
if keyVaultCert.VersionHistoryLimit > len(sortedVersionHistory) {
keyVaultCert.VersionHistoryLimit = len(sortedVersionHistory)
}
| keyResponse, err := s.keyKVClient.GetKey(ctx, keyVaultKey.Name, keyVaultKey.Version) | ||
| if err != nil { | ||
| return nil, nil, fmt.Errorf("failed to get key objectName:%s, objectVersion:%s, error: %w", keyVaultKey.Name, keyVaultKey.Version, err) | ||
| // if versionHistoryLimit is not set, set it to default value 1 |
| versionHistory = append(versionHistory, struct { | ||
| Version string | ||
| Created time.Time | ||
| }{Version: cert.ID.Version(), Created: *cert.Attributes.Created}) |
There was a problem hiding this comment.
nit: nil check for cert ?
| versionHistory = append(versionHistory, struct { | ||
| Version string | ||
| Created time.Time | ||
| }{Version: key.KID.Version(), Created: *key.Attributes.Created}) |
There was a problem hiding this comment.
nit: nil check for key?
| return nil, nil, fmt.Errorf("failed to get key objectName:%s, objectVersion:%s, error: %w", keyVaultKey.Name, version, err) | ||
| } | ||
| keyBundle := keyResponse.KeyBundle | ||
| isEnabled := *keyBundle.Attributes.Enabled |
There was a problem hiding this comment.
nit: is keyBundle a pointer? if so we might consider a nil check
There was a problem hiding this comment.
keyBundle isn't a pointer but the Attributes is. I can add a nil check for that field. Should I also add a nil check for the SecretBundle field in the GetCertificates method?
There was a problem hiding this comment.
Added changes for the SecretBundle as well. :) fc8a17c
| }, | ||
| Fetcher: func(_ context.Context, _ *azkeys.ListKeyVersionsResponse) (azkeys.ListKeyVersionsResponse, error) { | ||
| var resp azkeys.ListKeyVersionsResponse | ||
| var keyID azkeys.ID = "https://testkv.vault.azure.net/keys/key1/c1f03df1113d460491d970737dfdc35d" |
There was a problem hiding this comment.
General comment not specific to this PR: I was reading on some security best practices and it's recommended not to use valid resource IDs or http urls that you don't own unless it's absolutely necessary to testing the functionality
There was a problem hiding this comment.
Good to know. Thank you for sharing your learnings. :)
| }, | ||
| Fetcher: func(_ context.Context, _ *azcertificates.ListCertificateVersionsResponse) (azcertificates.ListCertificateVersionsResponse, error) { | ||
| var resp azcertificates.ListCertificateVersionsResponse | ||
| var certID azcertificates.ID = "https://testkv.vault.azure.net/certificates/cert1/c1f03df1113d460491d970737dfdc35d" |
| secretBundle := secretResponse.SecretBundle | ||
| isEnabled := *secretBundle.Attributes.Enabled | ||
| // sort the version history by created time | ||
| sortVersionHistory(versionHistory) |
There was a problem hiding this comment.
can you leave a comment in code explaining why a separate method is needed called GetSortedVersions?
| @@ -37,4 +37,6 @@ type KeyVaultValue struct { | |||
| Name string `json:"name" yaml:"name"` | |||
| // the version of the Azure Key Vault certificate/key | |||
| Version string `json:"version" yaml:"version"` | |||
| // the number of versions to keep in the cache | |||
| VersionHistoryLimit int `json:"versionHistoryLimit" yaml:"versionHistoryLimit"` | |||
There was a problem hiding this comment.
+1 to binbin's comment
| @@ -82,12 +85,19 @@ type akvKMProvider struct { | |||
| certificateKVClient certificateKVClient | |||
| } | |||
|
|
|||
| type VersionInfo struct { | |||
There was a problem hiding this comment.
quality: request doc for exported struct
| // GetKey retrieves a key from the keyvault | ||
| func (c *keyKVClientImpl) GetKey(ctx context.Context, keyName string, keyVersion string) (azkeys.GetKeyResponse, error) { | ||
| return c.Client.GetKey(ctx, keyName, keyVersion, nil) | ||
| } | ||
|
|
||
| func (c *keyKVClientImpl) NewListKeyVersionsPager(keyName string, options *azkeys.ListKeyVersionsOptions) *runtime.Pager[azkeys.ListKeyVersionsResponse] { |
There was a problem hiding this comment.
quality: request doc for exported method
| return nil, nil, fmt.Errorf("failed to get certificate objectName:%s, objectVersion:%s, error: %w", keyVaultCert.Name, keyVaultCert.Version, err) | ||
| versionHistory := []VersionInfo{} | ||
|
|
||
| certVersionPager := s.certificateKVClient.NewListCertificateVersionsPager(keyVaultCert.Name, nil) |
There was a problem hiding this comment.
Question: is the returned page already sorted?
The question behind is that what if we have thousands of versions and we only need the recent 2? It is better to make it O(1) instead of O(n).
There was a problem hiding this comment.
Unfortunately, the versions are not already sorted. At least not by created date. I reached out to the azure-sdk-go team and they informed me that the sorted is done by the service itself and currently there isn't any options that can be passed in to change out the pager returns them.
There was a problem hiding this comment.
@shizhMSFT also pointed out the latest version is v1.16. https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime. Do we know if the latest API /SDK have improved behaviors?
There was a problem hiding this comment.
After looking into the latest version of the runtime package I didn't find any options that can be passed to sort the results of the pager. But there were some comments that indicated that it might be available in future releases. There are other azure-sdk-for-go packages that are deprecated and should be updated as well. Here's a link to an issue tracking that work.
| for _, version := range sortedVersionHistory[len(sortedVersionHistory)-keyVaultCert.VersionHistoryLimit:] { | ||
| secretReponse, err := s.secretKVClient.GetSecret(ctx, keyVaultCert.Name, version) | ||
| if err != nil { | ||
| if isSecretDisabledError(err) { |
There was a problem hiding this comment.
The info of the Enabled attribute is already returned by NewListCertificateVersionsPager and we can fail fast earlier. Meanwhile, when we say fetch the first n certs, do we mean n certs or n enabled certs?
There was a problem hiding this comment.
Excellent call out @shizhMSFT! The NewListCertificateVersionPager does have the Enabled attribute, which can be used instead of the isSecretDisabledError func. However, I don't think we can fail much sooner. n certs means enabled and disabled certs. Meaning we won't know which disabled certs to write to the status until after the pager results are returned and sorted.
There was a problem hiding this comment.
I updated the fetchVersionHistory to use the enabled field from the pager to fail faster. However, the single fetch logic remains the same since it doesn't have access to the pager attributes.
| ProviderName string = "azurekeyvault" | ||
| PKCS12ContentType string = "application/x-pkcs12" | ||
| PEMContentType string = "application/x-pem-file" | ||
| versionHistoryLimitDefault int = 1 |
There was a problem hiding this comment.
just a reminder to update CRD doc and sample to capture the default value
| @@ -82,12 +85,19 @@ type akvKMProvider struct { | |||
| certificateKVClient certificateKVClient | |||
| } | |||
|
|
|||
| type VersionInfo struct { | |||
There was a problem hiding this comment.
suggestion to move VersionInfo to types.go
There was a problem hiding this comment.
I've moved this into types.go with the refactor changes and also added methods for sorting. Those changes aren't reflected in the PR just yet waiting for approval from the team on the existing changes and then we can discuss whether or not it makes sense to include the refactor in this PR or in a separate one.
| // GetKey retrieves a key from the keyvault | ||
| func (c *keyKVClientImpl) GetKey(ctx context.Context, keyName string, keyVersion string) (azkeys.GetKeyResponse, error) { | ||
| return c.Client.GetKey(ctx, keyName, keyVersion, nil) | ||
| } | ||
|
|
||
| func (c *keyKVClientImpl) NewListKeyVersionsPager(keyName string, options *azkeys.ListKeyVersionsOptions) *runtime.Pager[azkeys.ListKeyVersionsResponse] { |
There was a problem hiding this comment.
add description for public methods
| versionHistory := []VersionInfo{} | ||
|
|
||
| certVersionPager := s.certificateKVClient.NewListCertificateVersionsPager(keyVaultCert.Name, nil) | ||
| for certVersionPager.More() { |
There was a problem hiding this comment.
Suggestion to pass in empty &azcertificates.ListCertificateVersionsOptions{} , so the reader know that this can be configured
| versionHistory := []VersionInfo{} | ||
|
|
||
| certVersionPager := s.certificateKVClient.NewListCertificateVersionsPager(keyVaultCert.Name, nil) | ||
| for certVersionPager.More() { |
There was a problem hiding this comment.
the logic to fetch version seem contained, suggestion to extract into a "getVersion" method so its more unit testable.
for certVersionPager.More() {
}
There was a problem hiding this comment.
Agreed. The GetCertificate and GetKeys methods are getting a bit unwieldy and the tests are over a hundred lines. I'll work on refactoring the logic and add additional methods to make it easier to understand and test.
| return nil, nil, fmt.Errorf("failed to get key from key bundle:%w", err) | ||
| // if versionHistoryLimit isn't set default to 1 to avoid out of bounds error | ||
| if keyVaultKey.VersionHistoryLimit == 0 { | ||
| keyVaultKey.VersionHistoryLimit = versionHistoryLimitDefault |
There was a problem hiding this comment.
suggestion to add a log that we have updated the VersionHistoryLimit
There was a problem hiding this comment.
Instead of using this if for setting the default it's now used for triggering the backwards compatibility logic to fetch a single version.
|
|
||
| // Pager results are not sorted by created time, so we sort them here | ||
| // in ascending order (oldest to newest) | ||
| sortVersionHistory(versionHistory) |
There was a problem hiding this comment.
should we combine sortVersionHistory and GetVersions
There was a problem hiding this comment.
I think so, I'd like to move the type into types.go and then make the sorting a method of that new type.
| } | ||
|
|
||
| // get the latest version of the certificate up to the limit | ||
| for _, version := range sortedVersionHistory[len(sortedVersionHistory)-keyVaultKey.VersionHistoryLimit:] { |
There was a problem hiding this comment.
how do we handle the scenario where keyVaultKey.VersionHistoryLimit and keyVaultKey.Version are both provided in the CR? especially if Version points to a older version that is not within the limit of the VersionHistory range
There was a problem hiding this comment.
how do we handle the scenario where keyVaultKey.VersionHistoryLimit and keyVaultKey.Version are both provided in the CR? especially if Version points to a older version that is not within the limit of the VersionHistory range
It depends. Do we want to support the following options?
Store multiple specific versions:
spec:
type: azurekeyvault
refreshInterval: 1m
parameters:
vaultURI: https://ratifyakvs5r.vault.azure.net/
certificates:
- name: ratify
versions:
- "1"
- "2"
- "5"Store specified version and multiple previous versions
spec:
type: azurekeyvault
refreshInterval: 1m
parameters:
vaultURI: https://ratifyakvs5r.vault.azure.net/
certificates:
- name: ratify
versions:
- "10"
versionHistoryLimit: 2Store latest version and multiple previous versions
spec:
type: azurekeyvault
refreshInterval: 1m
parameters:
vaultURI: https://ratifyakvs5r.vault.azure.net/
certificates:
- name: ratify
versionHistoryLimit: 2Or a single specified version with the version field or latest plus nversions with the limit specified.
Store a single version:
spec:
type: azurekeyvault
refreshInterval: 1m
parameters:
vaultURI: https://ratifyakvs5r.vault.azure.net/
certificates:
- name: ratify
versions: "1"Store latest and nversions:
spec:
type: azurekeyvault
refreshInterval: 1m
parameters:
vaultURI: https://ratifyakvs5r.vault.azure.net/
certificates:
- name: ratify
versionHistoryLimit: 3There was a problem hiding this comment.
We want to support both:
- when no version is specified, get 2 version including the latest
spec:
type: azurekeyvault
refreshInterval: 1m
parameters:
vaultURI: https://ratifyakvs5r.vault.azure.net/
certificates:
- name: ratify
versionHistoryLimit: 2
spec:
type: azurekeyvault
refreshInterval: 1m
parameters:
vaultURI: https://ratifyakvs5r.vault.azure.net/
certificates:
- name: ratify
version: "10" # single version that can be manually specified as the "tail" and goback n
versionHistoryLimit: 2
There was a problem hiding this comment.
In this example, if Dec9 is the specified version , with a limit of 2, we will fetch Dec8 and Dec9
Dec10
Dec9
Dec8
|
|
||
| // get the latest version of the certificate up to the limit | ||
| for _, version := range sortedVersionHistory[len(sortedVersionHistory)-keyVaultCert.VersionHistoryLimit:] { | ||
| secretReponse, err := s.secretKVClient.GetSecret(ctx, keyVaultCert.Name, version) |
There was a problem hiding this comment.
To maintain backward cap, if CR only specified a single version, we could do a direct Get avoiding thte List permission required for the pager.
| }{ | ||
| { | ||
| name: "Key enabled with multiple versions", | ||
| versionHistoryLimit: 3, |
There was a problem hiding this comment.
Given the method now have additional logic around pager, sorting etc, the test should validate the length of the response and which versions are returned. Suggestion to update the current validation. If there is a error thrown, we should also validate if its the expected error msg.
_, _, err := provider.GetKeys(context.Background())
There was a problem hiding this comment.
Hey @susanshi I addressed this in a different branch as part of a refactor. Do you want those changes pulled into this PR? Or is it okay to include them in a follow up PR with the refactoring?
|
Discussion: Should the user be able to define multiple specific version of a certificate? spec:
type: azurekeyvault
refreshInterval: 1m
parameters:
vaultURI: https://ratifyakvs5r.vault.azure.net/
certificates:
- name: ratify
versions:
- "1"
- "2"
- "5" |
Signed-off-by: Josh Duffney <[email protected]> Update pkg/keymanagementprovider/azurekeyvault/provider.go Co-authored-by: Akash Singhal <[email protected]> Signed-off-by: Josh Duffney <[email protected]> Update pkg/keymanagementprovider/azurekeyvault/provider.go Co-authored-by: Akash Singhal <[email protected]> Signed-off-by: Josh Duffney <[email protected]> Update pkg/keymanagementprovider/azurekeyvault/provider.go Co-authored-by: Akash Singhal <[email protected]> Signed-off-by: Josh Duffney <[email protected]> mod: replace literal struct with VersionInfo mod: combine versionHistory len and value checking fix: handle nil pointers Update pkg/keymanagementprovider/azurekeyvault/provider.go Co-authored-by: Shiwei Zhang <[email protected]> Signed-off-by: Josh Duffney <[email protected]> mod: add desc to public methods fix: backwards compatability for single cert fetching without list permissions fix: const for rawResponse mod: support version as tail in versionHistory mod: rm trailing whitespace Signed-off-by: Josh Duffney <[email protected]>
duffney
force-pushed
the
issue-1751/nversion
branch
from
3672ca0 to
562b5be
Compare
|
@susanshi @binbin-li @akashsinghal the PR is ready for a final round of review. :) |
Thanks for addressing my comments. PR looks good to me once other's comments are addressed. |
|
Just a side note: I completed the refactoring work in a separate branch. If everyone is good with the changes in this PR, I'll submit the refactoring as a different PR for review. The functionality doesn't change at all. I simply added additional methods and functions to improve readability and unit testing. |
Description
What this PR does / why we need it:
Adds a configuration option to the Azure Key Vault provider of KMP called
versionHistoryLimitthat allows the user to define the number of versions of a certificate and or key to store in the Ratify KMP cache for artifact verification. Needed to fully implement the refresh interval feature proposed in design doc for KMP periodic retrieval.Which issue(s) this PR fixes (optional, using
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when the PR gets merged):Fixes #1751
Type of change
Please delete options that are not relevant.
Listpermission on AKV.How Has This Been Tested?
Please describe the tests that you ran to verify your changes. Please also list any relevant details for your test configuration
Checklist:
Post Merge Requirements
Helm Chart Change