Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add project scoped secret validation to secrets #602

Open
JonCrowther opened this issue Jan 30, 2025 · 0 comments
Open

Add project scoped secret validation to secrets #602

JonCrowther opened this issue Jan 30, 2025 · 0 comments
Assignees
@JonCrowther
Labels
team/collie
Milestone
v2.12.0

Comments

@JonCrowther
Copy link
Contributor

Summary

Parent Issue: rancher/rancher#48568

Project scoped secrets are secrets that get propagated to all project namespaces. They are currently implemented with Norman validation but can be made by creating a secret in the project namespace in the local cluster. When created using kubectl, there is no validation applied. It should have the same level of validation as Norman.

Considerations

Only secrets created in the project namespace in the local cluster should have this validation applied. No other secrets require this validation.

Ideally, the webhook should avoid running on all secrets as that might cause slowdowns.

Existing Norman Validations

The following are the validations being done by Norman taken from

Not all need a 1:1 equivalent and each should be evaluated before being added to webhook.

Opaque Secrets

Create

For all namespaces:

  • Project ID must correspond to an existing project namespace
  • Name of the secret is required and must be non-empty
  • If Cluster ID is bad, then propagation doesn't happen, but the secret gets created in the project namespace

For single namespace:

  • Cluster ID must correspond to an existing cluster
  • Name of the secret is required and must be non-empty
  • Namespace of the secret is required, must be non-empty, and the namespace must exist
  • If Project ID is bad, then the secret gets created fine

Update

For all namespaces:

  • Secret name must correspond to an existing secret
  • Project ID must correspond to an existing project namespace

For single namespace:

  • Cluster ID must correspond to an existing cluster
  • Secret name must correspond to an existing secret
  • Namespace must exist
  • Namespace (the project ID part) must exist

Certificates

Create

For all namespaces:

  • Project ID must correspond to an existing project namespace
  • Key must be present, in PEM format and parsed (a lot of validation)
  • Cert must be present, in PEM format and parsed (a lot of validation)
  • Name is not required - if unspecified, Rancher generates it

For a single namespace:

  • Key must be present, in PEM format and parsed (a lot of validation)
  • Cert must be present, in PEM format and parsed (a lot of validation)
  • Name is not required - if unspecified, Rancher generates it

Registry Secret

Create

For all namespaces:

  • Project ID must correspond to an existing project namespace
  • The registries object must be present but not have entries, and entries aren't validated
  • Name is not required - if unspecified, Rancher generates it

Update

For all namespaces:

  • Body may be completely empty
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@JonCrowther JonCrowther

Labels
team/collie
Projects
None yet
Milestone
v2.12.0
Development

No branches or pull requests
2 participants
@JonCrowther @samjustus