Skip to content

Root encrypted data to kms encryption#2827

Merged
maidul98 merged 22 commits intoInfisical:mainfrom
akhilmhdh:feat/enc-migration
Feb 11, 2025
Merged

Root encrypted data to kms encryption#2827
maidul98 merged 22 commits intoInfisical:mainfrom
akhilmhdh:feat/enc-migration

Conversation

@akhilmhdh
Copy link
Copy Markdown
Member

@akhilmhdh akhilmhdh commented Dec 1, 2024

Description 📣

This PR adds migration to remove all directly root encrypted schemas with our new kms architecture. This also allows migrations to use kms features.

All the unused fields are kept nullable and not dropped. Will be doing a rolling migration for this to remove it later.

Type ✨

  • Bug fix
  • New feature
  • Improvement
  • Breaking change
  • Documentation

Tests 🛠️

# Here's some code block to paste some code snippets

@akhilmhdh akhilmhdh requested a review from maidul98 December 1, 2024 17:43
@akhilmhdh akhilmhdh self-assigned this Dec 1, 2024
@gitguardian
Copy link
Copy Markdown

gitguardian Bot commented Dec 1, 2024
edited
Loading

️✅ There are no secrets present in this pull request anymore.

If these secrets were true positive and are still valid, we highly recommend you to revoke them.
While these secrets were previously flagged, we no longer have a reference to the
specific commits where they were detected. Once a secret has been leaked into a git
repository, you should consider it compromised, even if it was deleted immediately.
Find here more information about risks.

🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.

maidul98
maidul98 reviewed Dec 11, 2024
View reviewed changes
Copy link
Copy Markdown
Collaborator

@maidul98 maidul98 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Left some small comments. For manual testing i tried with:

  • ladap config [good]
  • dynamic secret with pg [seems to save and all but says the password is wrong?]
  • secret rotation [seems to save and all but says the password is wrong?]
  • webhooks [good]

Also what about integrations and are there any other items we are missing on this pass? What about the server admin slack secrets?
CleanShot 2024-12-10 at 21 34 41@2x

Comment thread backend/src/db/migrations/utils/env-config.ts
Comment thread backend/src/db/migrations/utils/env-config.ts
Comment thread backend/src/db/schemas/ldap-configs.ts
Comment thread backend/src/db/schemas/webhooks.ts
Comment thread backend/src/ee/routes/v1/ldap-router.ts
Comment thread backend/src/services/webhook/webhook-fns.ts
Comment thread backend/src/db/migrations/utils/ring-buffer.ts Outdated
Comment thread backend/src/db/migrations/20241127091918_webhook-to-kms.ts
Comment thread backend/src/db/migrations/20241127091918_webhook-to-kms.ts
Comment thread backend/src/db/migrations/20241128090536_secret-rotation-to-kms.ts
sheensantoscapadngan
sheensantoscapadngan reviewed Jan 31, 2025
View reviewed changes
Comment thread backend/src/db/migrations/20250109104500_webhook-to-kms.ts
Comment thread backend/src/db/migrations/20250109104502_identity-oidc-auth-to-kms.ts
Comment thread backend/src/db/migrations/20250109104502_identity-oidc-auth-to-kms.ts
Comment thread backend/src/db/migrations/20250109104502_identity-k8-auth-to-kms.ts
Comment thread backend/src/db/migrations/20250109104500_webhook-to-kms.ts
Comment thread backend/src/db/migrations/20250109104508_directory-config-to-kms.ts Outdated
Comment thread backend/src/db/schemas/ldap-configs.ts Outdated
Comment thread backend/src/db/schemas/saml-configs.ts
Comment thread backend/src/ee/routes/v1/oidc-router.ts
maidul98
maidul98 reviewed Feb 6, 2025
View reviewed changes
Copy link
Copy Markdown
Collaborator

@maidul98 maidul98 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The old way of running the migrations should still work. If no migrations are needed, then it should just skip. If it needs some environment varables, then we should throw the error telling them.

You can try this behavior by uisng our old .dev.yaml docker compose file.

Also got this at some point when i tried to boot up:

CleanShot 2025-02-06 at 00 50 31@2x

Comment thread backend/src/db/migrations/utils/env-config.ts
Comment thread backend/src/services/super-admin/super-admin-service.ts
sheensantoscapadngan
sheensantoscapadngan reviewed Feb 6, 2025
View reviewed changes
Comment thread backend/src/services/super-admin/super-admin-service.ts Outdated
@sheensantoscapadngan
Copy link
Copy Markdown
Member

sheensantoscapadngan commented Feb 6, 2025

admins should be able to migrate down without defining the new envs

maidul98
maidul98 reviewed Feb 10, 2025
View reviewed changes
Comment thread backend/package.json
maidul98
maidul98 reviewed Feb 10, 2025
View reviewed changes
Comment thread backend/src/db/rename-migrations-to-mjs.ts
maidul98
maidul98 approved these changes Feb 11, 2025
View reviewed changes
Copy link
Copy Markdown
Collaborator

@maidul98 maidul98 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@maidul98 maidul98 merged commit 4685132 into Infisical:main Feb 11, 2025
@maidul98 maidul98 mentioned this pull request Feb 11, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@maidul98 maidul98 maidul98 approved these changes

@sheensantoscapadngan sheensantoscapadngan sheensantoscapadngan left review comments

Assignees

@akhilmhdh akhilmhdh

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@akhilmhdh @sheensantoscapadngan @maidul98