
Remove SAS dependency for Data Protection blob access #555

Merged: 7 commits merged into master from auth-blob-storage on Apr 17, 2024

Conversation

DrizzlyOwl (Collaborator) commented Apr 4, 2024

Why do we need this?
The data protection keys were previously uploaded to Azure Storage as a Blob, using a Connection String that is expected to have a valid SAS Token appended to it. If that SAS token expires then the app will not have the ability to rotate/refresh the keys in Storage.

Without the ability to update or access the key in Blob Storage, the containers will get out of sync if there is more than one instance of the app running in a load-balanced configuration.

What does this change do?

  • Deploys a 'File Share' that is shared between all containers. This is mounted at /srv/app/storage.
  • Changes the Data Protection method to use the local filesystem (where the file share is mounted).
    • This means that all replicas of the app can share the same key.
  • Deploys a Key Vault that contains a Cryptographic Key which will encrypt the master data protection key at rest.
  • If the Key Vault Key is supplied to the app, then the Data Protection keys will be encrypted at rest.
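As an added illustration (not code from this PR or the project), this is how the arrangement described above is wired up in ASP.NET Core Data Protection: keys persisted to the shared mount at /srv/app/storage, and wrapped with a Key Vault key when one is supplied, using identity credentials instead of a SAS token. It assumes the packages Microsoft.AspNetCore.DataProtection, Azure.Extensions.AspNetCore.DataProtection.Keys and Azure.Identity; the setting name `DataProtection:KeyVaultKeyId`, the application name and the non-Development fail-fast check are assumptions of this example.

```csharp
using Azure.Identity;
using Microsoft.AspNetCore.DataProtection;

var builder = WebApplication.CreateBuilder(args);

// Mount point of the Azure File Share that every container replica shares (from the PR).
const string KeyRingPath = "/srv/app/storage";
var keyRingDir = new DirectoryInfo(KeyRingPath);
if (!keyRingDir.Exists)
{
    // Fail fast: without the shared mount each replica would create its own key ring,
    // and cookies or tokens issued by one instance would not validate on another.
    throw new DirectoryNotFoundException(
        $"Data Protection key ring path '{KeyRingPath}' is not mounted.");
}

var dataProtection = builder.Services
    .AddDataProtection()
    // Assumed name; it must be identical on every replica so the key ring is shared.
    .SetApplicationName("example-app")
    .PersistKeysToFileSystem(keyRingDir);

// Optional Key Vault key identifier supplied via configuration, e.g.
// https://<vault>.vault.azure.net/keys/<key-name>/<version> (setting name is assumed).
var keyVaultKeyId = builder.Configuration["DataProtection:KeyVaultKeyId"];
if (!string.IsNullOrWhiteSpace(keyVaultKeyId))
{
    // Keys written to the share are encrypted with the Key Vault key. The app authenticates
    // with its managed identity via DefaultAzureCredential, so no SAS token or secret
    // can expire and leave replicas unable to rotate or read the key ring.
    dataProtection.ProtectKeysWithAzureKeyVault(
        new Uri(keyVaultKeyId), new DefaultAzureCredential());
}
else if (!builder.Environment.IsDevelopment())
{
    // Added safeguard for this example: outside Development, refuse to run with the
    // master keys sitting unencrypted on the file share.
    throw new InvalidOperationException(
        "DataProtection:KeyVaultKeyId must be set so keys on the share are encrypted at rest.");
}

var app = builder.Build();
app.Run();
```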

@DrizzlyOwl DrizzlyOwl marked this pull request as draft April 8, 2024 14:38
@DrizzlyOwl DrizzlyOwl force-pushed the auth-blob-storage branch 2 times, most recently from 0f6c319 to 22d274c, April 16, 2024 15:21
Use identity credentials to protect master keyring

Added missing appsetting for Key Vault Key
@DrizzlyOwl DrizzlyOwl marked this pull request as ready for review April 16, 2024 15:33

sonarcloud bot commented Apr 17, 2024

Quality Gate passed

Issues: 0 new issues, 0 accepted issues

Measures: 0 security hotspots, no data about coverage, 0.0% duplication on new code

See analysis details on SonarCloud

@DrizzlyOwl DrizzlyOwl merged commit 1c455c0 into master Apr 17, 2024
3 checks passed