
perf(jans-pycloudlib): destroy old secret version instead of disable #8097

Merged
merged 3 commits into from
Mar 21, 2024
8 changes: 4 additions & 4 deletions docs/admin/kubernetes-ops/external-secrets-configmaps.md
Expand Up @@ -125,13 +125,13 @@ From the console, Go to `Secret Manager`> Click on `Create Secret` > Add a `name
#### Managing Versions

While there's no limitation on how many versions a secret can have, the recommendation is to keep the number as low as possible, e.g. 5 active versions.
If there are too many secret versions, it's best to disable older versions manually, for example:
If there are too many secret versions, it's best to destroy older versions manually, for example:

```bash
gcloud secrets versions list flex-secret --filter="state = enabled" --filter="createTime < '2024-03-02'" | grep "NAME:" | tr -d "NAME: " > versions_to_disable.txt
gcloud secrets versions list jans-secret --filter="state = enabled" --filter="createTime < '2024-03-02'" | grep "NAME:" | tr -d "NAME: " > versions_to_destroy.txt
while read -r line; do
gcloud secrets versions disable "$line" --secret=flex-secret
done < "versions_to_disable.txt"
gcloud secrets versions destroy "$line" --secret=jans-secret
done < "versions_to_destroy.txt"
```

### Vault
18 changes: 13 additions & 5 deletions jans-pycloudlib/jans/pycloudlib/config/google_config.py
Expand Up @@ -10,7 +10,9 @@
from functools import cached_property

from google.cloud import secretmanager
from google.api_core.exceptions import AlreadyExists, NotFound
from google.api_core.exceptions import AlreadyExists
from google.api_core.exceptions import NotFound
from google.api_core.exceptions import FailedPrecondition

from jans.pycloudlib.config.base_config import BaseConfig
from jans.pycloudlib.utils import safe_value
Expand Down Expand Up @@ -220,10 +222,10 @@ def add_secret_version(self, payload: _t.AnyStr) -> bool:
)

logger.info("Added secret version: {}".format(response.name))
self._disable_old_versions(parent)
self._destroy_old_versions(parent)
return bool(response)

def _disable_old_versions(self, parent):
def _destroy_old_versions(self, parent):
# list of version.state enum
#
# - STATE_UNSPECIFIED = 0
Expand Down Expand Up @@ -251,7 +253,13 @@ def _disable_old_versions(self, parent):
# hence we only disable 1 version after allowed enabled versions are reaching threshold
logger.info(
f"The soft-limit for max. versions (currently set to {self.max_versions}) has been reached; "
f"disabling previous version {version.name} (state={version.state.name})"
f"destroying previous version {version.name} (state={version.state.name})"
)
self.client.disable_secret_version(request={"name": version.name})

try:
self.client.destroy_secret_version(request={"name": version.name})
except FailedPrecondition as exc:
# re-raise error if the state is not DESTROYED (400 status code)
if exc.code != 400:
raise exc
break
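Review bot: The `exc.code != 400` guard in the new except branch can never re-raise, because every `FailedPrecondition` raised by google.api_core carries HTTP code 400, so the branch silently swallows any precondition failure rather than only the already-DESTROYED case the comment describes. Unlike the previous disable call, destroy is irreversible and a failure that is swallowed here leaves an old version readable with nothing in the logs to show it, so the branch should at least record it: replace the `if exc.code != 400: raise exc` lines with `logger.warning(f"Unable to destroy version {version.name}: {exc}")` and reword the comment to say the version is presumably already destroyed (to be confirmed from the error message). The context comment above the `logger.info` call still says "we only disable 1 version" and should now read "destroy". The same branch and the same stale comment appear in the hunk of `jans-pycloudlib/jans/pycloudlib/secret/google_secret.py`; `_destroy_old_versions` begins outside this hunk.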
18 changes: 13 additions & 5 deletions jans-pycloudlib/jans/pycloudlib/secret/google_secret.py
Expand Up @@ -18,7 +18,9 @@
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.exceptions import InvalidTag
from google.cloud import secretmanager
from google.api_core.exceptions import AlreadyExists, NotFound
from google.api_core.exceptions import AlreadyExists
from google.api_core.exceptions import NotFound
from google.api_core.exceptions import FailedPrecondition

from jans.pycloudlib.secret.base_secret import BaseSecret
from jans.pycloudlib.utils import safe_value
Expand Down Expand Up @@ -286,7 +288,7 @@ def _add_secret_version_multipart(self, payload: _t.AnyStr) -> bool:
request={"parent": parent, "payload": {"data": fragment}}
)
logger.info(f"Added secret version: {response.name}")
self._disable_old_versions(parent)
self._destroy_old_versions(parent)
return True

def _prepare_secret_multipart(self, part: int) -> str:
Expand Down Expand Up @@ -351,7 +353,7 @@ def _maybe_legacy_payload(self, payload: bytes) -> dict[str, _t.Any]:
data = json.loads(payload_str)
return data

def _disable_old_versions(self, parent):
def _destroy_old_versions(self, parent):
# list of version.state enum
#
# - STATE_UNSPECIFIED = 0
Expand Down Expand Up @@ -379,7 +381,13 @@ def _disable_old_versions(self, parent):
# hence we only disable 1 version after allowed enabled versions are reaching threshold
logger.info(
f"The soft-limit for max. versions (currently set to {self.max_versions}) has been reached; "
f"disabling previous version {version.name} (state={version.state.name})"
f"destroying previous version {version.name} (state={version.state.name})"
)
self.client.disable_secret_version(request={"name": version.name})

try:
self.client.destroy_secret_version(request={"name": version.name})
except FailedPrecondition as exc:
# re-raise error if the state is not DESTROYED (400 status code)
if exc.code != 400:
raise exc
break