refactor(attestation/api): Changes to signing key backup service + chalk client side bindings #121

Merged on Jan 15, 2024 (26 commits)


@MyNameIsMeerkat MyNameIsMeerkat commented Jan 3, 2024

Issue

No public issues associated with this PR

Description

This PR covers a number of changes related to the refactor of the signing key backup service (the artist formerly known, confusingly, as 'secrets manager'). Notably:

  • Changed the authentication model of the API to remove the OIDC device code flow from the CLI and instead rely on pre-generated API tokens contained in a chalk profile
  • Support for 'refresh' tokens has been removed for the immediate term
  • api.nim is no longer needed and was removed
  • As a result of the above, two chalk commands login and logout have been removed
  • Also removed dependency on QRGen library as that is no longer needed with no device code flow
  • A variety of variables and chalk keys have been renamed away from secret manager related names to signing key backup service related names, this should hopefully provide better clarity of code and reduce overuse of 'secret managers' everywhere.
  • What was previously referred to as the Chalk API is now referred to as the Chalk Data API to better distinguish it from other APIs
  • Notable chalk keys/config vars that have changed are:
    • CHALK_API_KEY -> CHALK_DATA_API_KEY
    • use_secret_manager -> use_signing_key_backup_service
    • secret_manager_url -> signing_key_backup_service_url
    • secret_manager_timeout -> signing_key_backup_service_timeout
  • Updated the URL associated with the API endpoint
  • Updated endpoint path from /secrets-manager to /signing-key-backup
  • Renamed test nosecretmanager.c4m to nosigningkeybackup.c4m

Testing

  • rm chalk{.key,.pub} # ensure no chalk.key or chalk.pub files are already present
  • chalk load config_file_with_jwt.c4m # load chalk data api token via config & new auth stanza
  • chalk --trace setup # gens keys locally, encrypts, & saves them to service
  • chalk --trace setup # retrieves saved keys from service, decrypts

@MyNameIsMeerkat MyNameIsMeerkat self-assigned this Jan 3, 2024
@MyNameIsMeerkat MyNameIsMeerkat marked this pull request as ready for review January 3, 2024 19:05
@MyNameIsMeerkat MyNameIsMeerkat requested a review from viega as a code owner January 3, 2024 19:05
Comment on lines +147 to +148
retries = 2,
firstRetryDelayMs = 100)
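
Review bot: `retries = 2` and `firstRetryDelayMs = 100` are passed as bare literals at this call site, so the retry budget for this call cannot be tuned without a code change. Consider naming them as constants or deriving them from configuration alongside signing_key_backup_service_timeout, and check that the worst-case wait across both retries still fits inside that timeout.
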
Collaborator

sweet I see you are already using retries 🎉

@MyNameIsMeerkat MyNameIsMeerkat merged commit 0bb9a5a into main Jan 15, 2024
2 checks passed
@MyNameIsMeerkat MyNameIsMeerkat deleted the mynameismeerkat/rm_chalk_secret_mgr branch January 15, 2024 16:30