Skip to content

add the ability to specify sensitive data in the schema #192

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

add the ability to specify sensitive data in the schema #192

wants to merge 2 commits into from

Conversation

@henderiw
Copy link
Contributor

@henderiw henderiw commented May 28, 2024

add sensitive data capabilities to hide this information in the configserver.

@henderiw henderiw linked an issue May 28, 2024 that may be closed by this pull request
provide an ability to mask sensitive info like passwords/keys #189
Open
@alexandernorth alexandernorth mentioned this pull request May 8, 2025
Closed
alexandernorth
alexandernorth reviewed May 15, 2025
View reviewed changes
apis/config/config_types.go
type ConfigBlobSensitiveData struct {
// Path defines the path to the sensitive data leaf
Path string `json:"path,omitempty" protobuf:"bytes,1,opt,name=config"`
// Selects a key of a secret in the pod's namespace
Copy link
Contributor

@alexandernorth alexandernorth May 15, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this should probably search the target/config resource namespace, or use the SecretReference with a key selector so that the namespace can also be defined

apis/inv/v1alpha1/schema_types.go
// can be excludes
Schema SchemaSpecSchema `json:"schema" yaml:"schema"`
// SensitivePaths defines the paths in the schema that have sensitive data
SensitivePaths []string `json:"sensitivePaths,omitempty" yaml:"schema,omitempty"`
Copy link
Contributor

@alexandernorth alexandernorth May 15, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should this be auto-filled by the config paths too? I would assume so, and extra ones can be defined here

@henderiw
Copy link
Contributor Author

henderiw commented Sep 15, 2025

manage the sensitive paths through a dedicated CR: list of:

  • path: xpath
    secretReference or None

Role of the ConfigServer:

  • create a CR with the paths and resolve secrets or no value if not secret was set -> goal is to hint on asking the values (this should be a fairly high priority to always win)
  • we might need to indicate this is a secret reference in the sdc proto

Role of the DataServer:

  • replaces the paths through the config override
  • masks these paths in running config or deviations

Other?

@alexandernorth
Copy link
Contributor

alexandernorth commented Sep 15, 2025

manage the sensitive paths through a dedicated CR: list of:

  • path: xpath
    secretReference or None

Role of the ConfigServer:

  • create a CR with the paths and resolve secrets or no value if not secret was set -> goal is to hint on asking the values (this should be a fairly high priority to always win)
  • we might need to indicate this is a secret reference in the sdc proto

Role of the DataServer:

  • replaces the paths through the config override
  • masks these paths in running config or deviations

Other?

Looks like what we discussed in the call - only question is about the config-server creating a CR: Am I understanding correctly that we will have a new SecretConfig resource, which is reconciled by config-server and will create a config intent through replacing SecretReferences with the value, or indicating a protected path?

@henderiw
Copy link
Contributor Author

henderiw commented Sep 15, 2025

#192 (comment)

I am not sure we do a dedicated CR or extend the config CR with the paths. it allows to interleave this in a given config.

If the data server does the merging/ masking I feel it does not matter and hence we have more flexibility to the user as they can have different teams also for different parts of the config.

@henderiw
Copy link
Contributor Author

henderiw commented Sep 21, 2025

So I feel it is best to handle the sensitive config in a seperate CRD, but there can be multiple to allow different teams to author different pieces of the config. This also Is easier for deviation handling, etc etc..

Do we store this in the same way in the apiserver, meaning not in etcd ?

Can we also assume these paths are always YANG leafs ?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@alexandernorth alexandernorth alexandernorth left review comments

@steiler steiler Awaiting requested review from steiler steiler is a code owner

@karimra karimra Awaiting requested review from karimra

@hansthienpondt hansthienpondt Awaiting requested review from hansthienpondt hansthienpondt is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

provide an ability to mask sensitive info like passwords/keys

3 participants

@henderiw @alexandernorth