Add enhanced sensitive data handling#364
Conversation
5c3ca4b to
ece6f8c
Compare
|
@ilya-lesikov Hey, I hope it's alright to propose a change without creating an issue. We tried to use Nelm, but the existing sensite diff functionality is rather limited. |
|
@kuzaxak Hi, thanks for the PR, looks interesting. I'll look into it. Would've been better to create an issue first so we decide on the design, but whatever. |
Thanks! I was thinking that it might be better to reuse existing annotation and determine, based on the type, if it's a bool, then use the hide all function; if it's a string that can be parsed into an array, then treat it as a JSON path. |
|
Hi, looked through it, love the feature, thank you. Can we make a few design changes? I think this feature is so flexible that it makes "werf.io/sensitive" kinda obsolete. How about we do this:
That's quite a few changes, but if this is done I'll merge it. I'll probably need to add CONTRIBUTORS.md and mention that it's best if we decide on the design first, since it's not easy to come up with it from the get-go. Pretty close overall, thanks again. |
Ofc, this is just my initial proposal.
To clarify, JSON path or glob string like
Nice idea! I will do all the listed changes.
Do you expect a discussion to be opened or just an issue? As I have a few more proposals :) |
Well, JSONPath does look kinda uglier. But at least it's flexible, unambiguous and standard. Let's stick to the JSONPath version. We'll compensate for it in the docs. And we'll stick to JSON Path in all the other features like this one, when the user needs to select some fields in JSON/YAML.
Great :)
An issue is fine. |
730ae12 to
7f99f12
Compare
|
@ilya-lesikov Done. I implemented full JSONPath support separated by commas and added some tests to ensure various structures are replaced correctly. Unfortunately, kube API JSONPath isn't working well with slices, and I used an external library that handles that. Hashing works too, now diff detects the value change even if the length matches. |
|
@ilya-lesikov hey, could you please check it? |
|
@kuzaxak Sorry, was pretty busy lately. Looks good, only few changes needed. |
7f99f12 to
1100c92
Compare
Functionality adds similar to [helm-diff][1] style of diffing sensitive data. Previously, NELM handled sensitive data with an all-or-nothing approach: - Resources marked as sensitive (via `werf.io/sensitive: "true"`) were completely hidden - Secrets were entirely hidden, providing no visibility into structural changes - No way to selectively redact only sensitive fields while showing the rest This made it difficult to: - Track changes in Secret keys or metadata - See the size of sensitive data changes - Selectively protect only truly sensitive fields in complex resources Added support for `werf.io/sensitive-paths` annotation that accepts a JSONPath expressions: ```yaml metadata: annotations: werf.io/sensitive-paths: $.spec.template.spec.containers[*].env[?(@.name=='API_KEY')].value,$.data.password ``` Sensitive values are replaced with size information: ``` password: SENSITIVE (len 12 bytes) ``` I used [ojg][2] library as JSONPath as kube client do not support native mutation for complex structures like slices. [1]: https://github.com/databus23/helm-diff [2]: https://github.com/ohler55/ojg Signed-off-by: Vladimir Kuznichenkov <kuzaxak.tech@gmail.com>
1100c92 to
e55ff90
Compare
|
@ilya-lesikov implemented the last comments. Could you please check one more time? |
ilya-lesikov
left a comment
There was a problem hiding this comment.
Tried it out, the only issue I found is this:
❯ cat chart/templates/test.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: to-create
annotations:
werf.io/sensitive-paths: '$.data[*]'
data:
key1: {{ uuidv4 }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: to-update
annotations:
werf.io/sensitive-paths: '$.data[*]'
data:
key1: {{ uuidv4 }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: to-delete
annotations:
werf.io/sensitive-paths: '$.data[*]'
data:
key1: {{ uuidv4 }}
❯ nelm release install -n jkldfjkdkjjkdk -r jkldfj .helm
❯ NELM_FEAT_FIELD_SENSITIVE=false nelm release plan install -n jkldfjkdkjjkdk -r jkldfj .helm
Planning release install "jkldfj" (namespace: "jkldfjkdkjjkdk")
┌ Create ConfigMap/to-create
│ + apiVersion: v1
│ + kind: ConfigMap
│ + metadata:
│ + name: to-create
│ + namespace: ""
└ Create ConfigMap/to-create
┌ Update ConfigMap/to-delete
│ <hidden insignificant changes>
└ Update ConfigMap/to-delete
┌ Update ConfigMap/to-update
│ <hidden insignificant changes>
└ Update ConfigMap/to-update
Planned changes summary for release "jkldfj" (namespace: "jkldfjkdkjjkdk"):
- create: 1 resource(s)
- update: 2 resource(s)Otherwise works great. If you push the fix, please don't force-push it, just add new commits, this way it's easier for me to review only the new changes. I'll squash all the extra commits just before merging.
|
To clarify, you mean that the resource got hidden as And in the case of creation, it renders metadata only without a data section? |
|
By the way, do you have any plans to create integration tests? I see you have some frameworks in dependencies. Perhaps it is worth covering this functionality with tests. I've added a small set of unit tests, but I am not sure if it is adequate and matches your expectations. |
|
Tests are good, don't bother. Ultimately I was planning to use ginkgo/gomega for tests, like we do in werf and other places, e.g.: https://github.com/deckhouse/delivery-kit-sdk/blob/main/pkg/signature/elf/inhouse/file_test.go But that's not a priority now. Nelm is mostly tested in werf for now, since nelm is the werf deployment engine, so if anything breaks I usually see it there. |
Feature flag shouldn't impact the way how we are redacting objects using a new annotation.
|
@ilya-lesikov fixed a bug and covered it with a test to validate. Missed that case originally, thanks for checking! |
|
@kuzaxak Merged, thanks! |
Functionality adds similar to helm-diff style of diffing sensitive
data.
Previously, NELM handled sensitive data with an all-or-nothing approach:
werf.io/sensitive: "true") werecompletely hidden
This made it difficult to:
Added support for
werf.io/sensitive-pathsannotation that accepts aJSONPath expressions:
Sensitive values are replaced with size information:
I used ojg library as JSONPath as kube client do not support
native mutation for complex structures like slices.