wearedevx / keystone
Secrets synced and safe.
Home Page: https://keystone.sh
License: MIT License
with this output
$ ks file
Failed to render template files list (template: files list:3:29: executing "files list" at <8>: wrong type for value; expected string; got keystonefile.FileKey)
There is going to be a need for a request for fetching a user public key. Since this operation will have to be done on every message fetch, shouldn’t we cache those public keys?
Then lands the question of cache invalidation, of course…
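One way to answer both points at once, as an added example that is not part of the project's code: a small cache keyed by member id, with a TTL that bounds how long a stale key can be used, and an explicit Invalidate hook for the moment the CLI learns that a key was revoked. The PublicKey type, the Fetcher signature and the user ids are assumptions for the example, not Keystone's API.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// PublicKey stands in for whatever the API returns for a member's key (assumption).
type PublicKey []byte

// Fetcher performs the remote lookup the issue mentions; the signature is assumed.
type Fetcher func(userID string) (PublicKey, error)

type entry struct {
	key     PublicKey
	expires time.Time
}

// KeyCache memoizes member public keys for a bounded time and lets the caller
// drop an entry explicitly, so that a revoked key stops being used as soon as
// the CLI hears about the revocation instead of lingering until the TTL ends.
type KeyCache struct {
	mu      sync.Mutex
	ttl     time.Duration
	Now     func() time.Time // injectable clock, so the TTL is testable deterministically
	fetch   Fetcher
	entries map[string]entry
	fetches int // remote lookups performed so far
}

func NewKeyCache(fetch Fetcher, ttl time.Duration) *KeyCache {
	return &KeyCache{ttl: ttl, Now: time.Now, fetch: fetch, entries: map[string]entry{}}
}

// Get returns the cached key for userID while it is still fresh and fetches it
// otherwise. Failed fetches are never cached, so a transient error cannot pin a
// missing key in the cache.
func (c *KeyCache) Get(userID string) (PublicKey, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if e, ok := c.entries[userID]; ok && c.Now().Before(e.expires) {
		return e.key, nil
	}
	key, err := c.fetch(userID)
	if err != nil {
		return nil, fmt.Errorf("fetching public key of %s: %w", userID, err)
	}
	c.fetches++
	c.entries[userID] = entry{key: key, expires: c.Now().Add(c.ttl)}
	return key, nil
}

// Invalidate forgets one member's key, e.g. after a "key revoked" notification.
func (c *KeyCache) Invalidate(userID string) {
	c.mu.Lock()
	defer c.mu.Unlock()
	delete(c.entries, userID)
}

// Fetches reports how many remote lookups the cache has performed.
func (c *KeyCache) Fetches() int {
	c.mu.Lock()
	defer c.mu.Unlock()
	return c.fetches
}

func main() {
	// Constructed fetcher: a real one would call the API.
	fetch := func(id string) (PublicKey, error) { return PublicKey("pk-" + id), nil }
	cache := NewKeyCache(fetch, 10*time.Minute)
	for i := 0; i < 3; i++ {
		k, _ := cache.Get("alice")
		fmt.Printf("alice -> %s (remote fetches so far: %d)\n", k, cache.Fetches())
	}
}
```

The TTL is the safety net for revocations the client never hears about; the explicit Invalidate is what keeps the window short when it does hear. Keep the TTL modest, since every second of it is a second during which a message can be encrypted to a key its owner has already revoked.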
Currently key pairs are bound to the third-party account used to login. It unfortunately binds an account to only one device.
To allow a user to use Keystone smoothly on multiple devices, a user could have more than one key pair, and not have it bound to a third party service.
- .config
- Rework the DB relation to allow this (maybe)
- ks keys, to list keys
- ks keys revoke [key index], to revoke a key
Push secrets from the command line. This avoids Keystone storing the secrets for a long time on its server.
Push one secret as a message; if the message is too large, split it.
Samuel could send a new secret while being a new member and not having any secret in cache.
Current behaviour stops the init command if the project’s keystone.yml exists. This allows for cases where the project seems initialized but the missing directories and files (like the current environments) lead to an unusable CLI.
No matter the other files, init should create the missing ones.
To handle multiple-repository situations, it is necessary that multiple CI services be set up.
Therefore, ks ci setup is a goner, replaced by:
- ks ci add: to add a service
- ks ci rm: to remove a service
- ks ci: to list currently configured services
On top of that, ks ci send should send the current environment to all configured services. Maybe a switch could allow sending to only one service (or a defined list of services), but is there a case for it?
Unread messages should be deleted after a week
JWT Token expiration is currently not handled at all, leading to confusing errors such as 'Project doesn't exist', even though it is known to exist.
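An added example (not the project's code) of the client-side check that turns this into a clear message: read the exp claim of the stored JWT before sending a request and refuse with "session expired" instead of letting the server's 401/404 surface as "Project doesn't exist". The check deliberately does not verify the signature, because the CLI holds its own token and only wants to know whether sending it is pointless; the server remains the authority that validates signature and expiry on every request. The error text, the leeway and the demoToken helper are assumptions of the example.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// ErrSessionExpired is what the CLI should print instead of a misleading
// "Project doesn't exist" when the real cause is an expired login.
var ErrSessionExpired = errors.New("your session has expired, please log in again")

// tokenExpiry reads the exp claim of a JWT. It does not verify the signature:
// this is a usability pre-check on the client's own token, not an authorization
// decision. The server still validates the token on every request.
func tokenExpiry(token string) (time.Time, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return time.Time{}, errors.New("malformed token: expected 3 dot-separated parts")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return time.Time{}, fmt.Errorf("malformed token payload: %w", err)
	}
	var claims struct {
		Exp int64 `json:"exp"`
	}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return time.Time{}, fmt.Errorf("malformed token claims: %w", err)
	}
	if claims.Exp == 0 {
		return time.Time{}, errors.New("token carries no exp claim")
	}
	return time.Unix(claims.Exp, 0), nil
}

// checkSession returns ErrSessionExpired when the token is expired or expires
// within leeway, so a request never starts with a token that dies in flight.
func checkSession(token string, now time.Time, leeway time.Duration) error {
	exp, err := tokenExpiry(token)
	if err != nil {
		return err
	}
	if !now.Add(leeway).Before(exp) {
		return ErrSessionExpired
	}
	return nil
}

// demoToken builds a JWT-shaped string with the given expiry, constructed for
// this example only. The signature part is a placeholder; a real token comes
// from the login flow.
func demoToken(exp time.Time) string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	payload, _ := json.Marshal(map[string]int64{"exp": exp.Unix()})
	return header + "." + base64.RawURLEncoding.EncodeToString(payload) + ".placeholder-signature"
}

func main() {
	now := time.Now()
	for _, tok := range []string{demoToken(now.Add(time.Hour)), demoToken(now.Add(-time.Minute))} {
		if err := checkSession(tok, now, 30*time.Second); err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Println("token still valid, sending request")
	}
}
```

A malformed or claim-less token is reported as such rather than as "expired", so a corrupted credentials file and a stale one produce different, actionable messages.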
cli/internal
- ci command (ks ci [command])
- push-ci to ci send (ks ci send)
- ks ci setup
- ks ci reset, ks ci clean
- ks ci send: send all (prod and staging) environments or only the active one (or the one specified by --env)?
I listed secrets with ks secret and saw that there already was a MANDRILL_API_KEY, but it was unused (not in the keystone.yml).
I wanted to use it, so I went for ks secret add MANDRILL_API_KEY, but was welcomed by a first error stating ks secret add requires two positional arguments.
So I went for ks secret add MANDRILL_API_KEY "", but then, this happened:
keystone develop [$]
❯ ks secret add MANDRILL_API_KEY ""
{MANDRILL_API_KEY false map[dev:*** prod:** staging:***] false}
The secret already exist. Values are:
dev: ***
prod: ***
staging: ***
✗ Do you want to override the values:
ERROR
I was asked whether I wanted to overwrite the existing values and said no.
I expected several things to go differently:
- ks secret add to accept one argument and use prompts for the secret value, or simply ask me to use the existing values, and add the secret to the keystone.yml
- ks secret add <secret name> <secret value> to add the secret to the keystone.yml and say SUCCESS when I say "no" to "Do you want to overwrite the existing values?"
A user should be able to use their GitLab account to connect.
Secrets are stored in the .keystone/<env>/.env file.
And files are stored in .keystone/<env>/<file-path>.
Conflict if file-path is .env
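An added example (not the project's code) of the validation a file path should pass before it is placed under .keystone/<env>/. Besides the .env collision the issue raises, the same normalization step has to reject paths that resolve outside the environment directory ("../x", absolute paths), since "config/../.env" cleans to ".env" and must be caught by the same check. The function name and the reserved-name list are assumptions of the example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// reserved lists names that already have a meaning under .keystone/<env>/; the
// issue names .env, the secrets cache. A tracked file must not shadow them.
var reserved = map[string]bool{".env": true}

// ValidateFilePath normalizes the path of a file to track and rejects paths that
// would collide with the secrets cache, escape the environment directory, or are
// absolute. The returned path is cleaned and slash-separated, so the same input
// always maps to the same location under .keystone/<env>/.
func ValidateFilePath(p string) (string, error) {
	if strings.TrimSpace(p) == "" {
		return "", errors.New("file path must not be empty")
	}
	if filepath.IsAbs(p) || strings.HasPrefix(p, "/") || strings.HasPrefix(p, "\\") {
		return "", fmt.Errorf("%q: path must be relative to the project root", p)
	}
	// Clean resolves "." and ".." segments, so "config/../.env" becomes ".env"
	// and is caught by the checks below instead of slipping through.
	clean := filepath.ToSlash(filepath.Clean(filepath.FromSlash(p)))
	if clean == "." || clean == ".." || strings.HasPrefix(clean, "../") {
		return "", fmt.Errorf("%q: path must stay inside the project", p)
	}
	if reserved[clean] {
		return "", fmt.Errorf("%q: name is reserved for the secrets cache", p)
	}
	return clean, nil
}

func main() {
	// Constructed inputs: the two from the issue's keystone.yaml plus the conflicting cases.
	for _, p := range []string{"config/credentials.json", "config/cert.ca", ".env", "config/../.env", "../outside"} {
		clean, err := ValidateFilePath(p)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Printf("ok: %s -> .keystone/<env>/%s\n", p, clean)
	}
}
```

Validate once, at "ks file add" time, and store the cleaned form; every later command that joins .keystone/<env>/ with the stored path then operates on a value that has already been proven to stay inside that directory.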
The NPM install doesn't work but the binary installer does.
We should ask Windows users to download the binary, launch the installer and set their path to the program located in Program Files:
setx /M PATH "%PATH%;C:\Something\bin"
To handle updates, we could detect the user's system and ask them to download the latest binary if any, instead of asking them to run the npm -g i @keystone/cli command.
https://docusaurus.io/ seems like a good option
rm should not remove the secret from the cache, just from keystone.yml
purge should remove the secret from the cache
What should a developer, a devops or an admin/owner be allowed to do on the dev, ci, staging and prod environments?
Requirements
Flow:
WARNING: cgroup v2 is not fully supported yet, proceeding with partial confinement
Given the following project structure:
root
├── .ksconfig
└── src
    └── index.js
Calling ks env checkout default from root/src will fail.
ks should walk up the directory structure to find the closest .ksconfig in the tree.
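An added example (not the project's code) of the walk-up lookup: start from the working directory, look for .ksconfig, and move to the parent until the filesystem root is reached. Only a regular file counts, so a directory that happens to be named .ksconfig does not end the search, and the nearest match wins, which matters when a project is nested inside another. The function name and the error text are assumptions of the example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

const configName = ".ksconfig"

// ErrNoProject is returned when no .ksconfig exists in the start directory or any ancestor.
var ErrNoProject = errors.New("not inside a keystone project: no .ksconfig found in this directory or any parent")

// FindProjectRoot walks from start up to the filesystem root and returns the
// closest directory containing a regular file named .ksconfig.
func FindProjectRoot(start string) (string, error) {
	dir, err := filepath.Abs(start)
	if err != nil {
		return "", err
	}
	for {
		info, err := os.Stat(filepath.Join(dir, configName))
		if err == nil && info.Mode().IsRegular() {
			return dir, nil
		}
		if err != nil && !os.IsNotExist(err) {
			// Permission problems and the like are reported, not silently skipped.
			return "", fmt.Errorf("checking %s: %w", dir, err)
		}
		parent := filepath.Dir(dir)
		if parent == dir { // reached "/" (or a drive root on Windows)
			return "", ErrNoProject
		}
		dir = parent
	}
}

func main() {
	cwd, err := os.Getwd()
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	root, err := FindProjectRoot(cwd)
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	fmt.Println("project root:", root)
}
```

Once the root is known, every command should resolve .keystone and keystone.yml relative to it rather than to the working directory, so running from root/src behaves exactly like running from root.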
.keystone to .gitignore
keystone.yaml
---
projectId: djkfhkqjhgjhdgsjhgdsf
env:
  - key: ALGOLIA_TOKEN
    strict: true
  - SENTRY
files:
  - config/credentials.json
  - config/cert.ca
options:
  strict: true
.keystone/
|- environment // holds the current environment name
|- cache/
   |- .env // cache for all the environment variables
   |- [...other files] are secrets files to cache
We set values for each environment for a secret.
But if we want to stop the process (with ctrl+c), the CLI doesn't kill the process. Same as pressing "enter".
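An added example (not the project's code) of a per-environment prompt loop that reacts to both problems: Ctrl+C cancels a context that the read honours immediately, instead of leaving the process blocked on stdin, and a bare Enter is refused rather than silently accepted as an empty value. The environment names, prompt text and function names are assumptions of the example.

```go
package main

import (
	"bufio"
	"context"
	"errors"
	"fmt"
	"io"
	"os"
	"os/signal"
	"strings"
)

// ErrAborted is returned when the user interrupts the prompt.
var ErrAborted = errors.New("aborted by user")

// readLine reads one line from r but returns as soon as ctx is cancelled, so a
// read blocked on stdin no longer keeps the process alive after Ctrl+C. The
// reading goroutine may outlive the call; in a CLI that exits right after, that is acceptable.
func readLine(ctx context.Context, r *bufio.Reader) (string, error) {
	type result struct {
		line string
		err  error
	}
	ch := make(chan result, 1)
	go func() {
		line, err := r.ReadString('\n')
		if errors.Is(err, io.EOF) && line != "" {
			err = nil // a final line without a trailing newline is still a value
		}
		ch <- result{strings.TrimRight(line, "\r\n"), err}
	}()
	select {
	case <-ctx.Done():
		return "", ErrAborted
	case res := <-ch:
		return res.line, res.err
	}
}

// promptValues asks for one value per environment and stops at the first
// interruption. An empty answer (a bare Enter) is rejected and asked again.
func promptValues(ctx context.Context, in io.Reader, out io.Writer, envs []string) (map[string]string, error) {
	reader := bufio.NewReader(in)
	values := make(map[string]string, len(envs))
	for _, env := range envs {
		for {
			fmt.Fprintf(out, "Value for %s: ", env)
			line, err := readLine(ctx, reader)
			if err != nil {
				return nil, err
			}
			if strings.TrimSpace(line) == "" {
				fmt.Fprintln(out, "a value is required")
				continue
			}
			values[env] = line
			break
		}
	}
	return values, nil
}

func main() {
	// Ctrl+C cancels ctx; the prompt loop then returns ErrAborted instead of hanging.
	ctx, stop := signal.NotifyContext(context.Background(), os.Interrupt)
	defer stop()
	values, err := promptValues(ctx, os.Stdin, os.Stderr, []string{"dev", "staging", "prod"})
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	fmt.Println("collected values for", len(values), "environments")
}
```

One caveat: prompt libraries that switch the terminal to raw mode disable the kernel's Ctrl+C handling, so the key arrives as the byte 0x03 on stdin rather than as SIGINT. In that setup the library itself has to treat that byte as an abort; the signal-based cancellation above only covers the cooked-mode case.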
There is currently no way to "destroy" a project. Should there not be a ks destroy? Or ks delete-project (so that’s harder to type and we are sure the user actually meant it when they type that)?
$ ks fetch
sync .keystone folder
Otherwise, other users will think new secrets have been added
There is currently no way to set the content of a file for a single environment. The only current solution would be to ks file add it, but the content of the file will be asked for all the environments, as the --env flag has no effect on ks file add.
One option would be to mimic ks secret set with a ks file set that would set the content for the current environment, automatically enabling the --env switch.
Another is to make file add sensitive to the --env switch, requiring some rework of how this flag is currently handled: it would affect all commands where --env works.
A third and rather wild one would be to have a daemon monitoring keystoned files and sending messages to members when cache content is modified. But I’m afraid that would require a lotta work.
Due to the production context (Google Cloud Run), requests can take several seconds (2 to 3) because the server has to be "cold started".
It would be interesting to have some kind of loader displayed if a request takes more than a second to complete.
The loader should not be used in ks source, tho.
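An added example (not the project's code) of a loader that only appears once a request has been pending longer than a threshold, so fast calls stay silent and cold starts get feedback. It writes to the writer it is given, which for a CLI should be stderr, and can be handed io.Discard for ks source, whose stdout is consumed by eval and must not receive animation bytes. The function name, the frames and the message are assumptions of the example.

```go
package main

import (
	"fmt"
	"io"
	"os"
	"time"
)

// withLoader runs fn and, only if it has not finished after delay, animates a
// loader on w until it does. It reports whether the loader was shown and
// returns fn's error untouched. Pass io.Discard as w to disable the loader.
func withLoader(w io.Writer, delay time.Duration, fn func() error) (shown bool, err error) {
	done := make(chan error, 1)
	go func() { done <- fn() }()

	timer := time.NewTimer(delay)
	defer timer.Stop()
	select {
	case err = <-done: // fast path: the request finished before the delay elapsed
		return false, err
	case <-timer.C:
	}

	frames := []string{"|", "/", "-", "\\"}
	ticker := time.NewTicker(100 * time.Millisecond)
	defer ticker.Stop()
	fmt.Fprintf(w, "%s waiting for the server...", frames[0])
	for i := 1; ; i++ {
		select {
		case err = <-done:
			fmt.Fprint(w, "\r\033[K") // erase the loader line before the caller prints anything
			return true, err
		case <-ticker.C:
			fmt.Fprintf(w, "\r%s waiting for the server...", frames[i%len(frames)])
		}
	}
}

func main() {
	// Stands in for a request against a cold-started server (constructed delay).
	slowRequest := func() error {
		time.Sleep(2500 * time.Millisecond)
		return nil
	}
	shown, err := withLoader(os.Stderr, time.Second, slowRequest)
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	fmt.Println("done; loader shown:", shown)
}
```

Because the loader lives on stderr, output that other tools parse (the exports printed by ks source, for instance) stays clean even when the loader is left enabled; disabling it there is still the safer default, as the issue suggests.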
See: https://golang.org/pkg/log/
Has timestamp and file name facilities.
$ ks fetch
sync .keystone folder
$ eval(ks source)
$ ks file add config/myfile
A user should be able to sign in with their GitHub account
When a file is deleted locally, the user can run 'ks push' to remove it from storage
API
- new route /roles
CLI
- new command: ks role -> list roles (maybe later has CRUD ops)
- ks member add -> help lists roles; for each member, prompts the role
- ks member add --role developer
- ks member set-role developer
ks secret and ks file should also show files in cache (with a color), so that the user may be informed that some secrets they might need are already available.