java CDK: build no longer downloads files from connector registry #34441
Conversation
|
The latest updates on your projects. Learn more about Vercel for Git ↗︎ 1 Ignored Deployment
|
octavia-squidington-iii
added
area/connectors
postamar
force-pushed
the
postamar/remove-file-downloads-from-build
branch
from
3fdf276
to
89f99af
Compare
Coverage report for source-postgres
|
postamar
force-pushed
the
postamar/remove-file-downloads-from-build
branch
2 times, most recently
from
cad9d5b
to
8c129b9
Compare
postamar
force-pushed
the
postamar/remove-file-downloads-from-build
branch
from
80ad63c
to
92e6586
Compare
|
Confirmed with @alafanechere that the test logs will be scrubbed in github, but it's possible that the test logs end up in some other report, like a gradle scan, and remain unscrubbed. I'll investigate further. |
postamar
force-pushed
the
postamar/remove-file-downloads-from-build
branch
from
92e6586
to
a0bac97
Compare
postamar
force-pushed
the
postamar/remove-file-downloads-from-build
branch
from
a0bac97
to
4e1a328
Compare
|
@alafanechere could you review my last commit 4e1a328 please? |
There was a problem hiding this comment.
To what extent would it be harder / simpler to create this pattern within the containers under test instead of building the pattern in the Python logic?
I'm also wondering if we could declare this logic within the GradleTask step.
Slightly out of scope:
Would it also be worth configuring the log scrubbing at the connector image level at runtime: when the config is parsed
| @@ -326,3 +327,28 @@ def fail_if_missing_docker_hub_creds(ctx: click.Context) -> None: | |||
| raise click.UsageError( | |||
| "You need to be logged to DockerHub registry to run this command. Please set DOCKER_HUB_USERNAME and DOCKER_HUB_PASSWORD environment variables." | |||
| ) | |||
|
|
|||
|
|
|||
| def java_log_scrub_pattern(secrets_to_mask: List[str]) -> str: | |||
There was a problem hiding this comment.
Could you please add a unit test for this? 🙏
There was a problem hiding this comment.
Yes! sorry it slipped my mind
|
Thanks for taking a look! I'll add the unit test.
Unfortunately, the scrubbing needs to be applied to all logs, including the test framework, and not just the logs emitted by the connector container. Also, not all secrets are equal: the scrubbing should only apply to those secrets downloaded by ci_credentials, we don't want to scrub passwords for testcontainer instances (which furthermore are often dumb strings like "password" or "test").
The integration test task class would be its proper place but for some reason, dagger secrets are defined by the PipelineContext, which isn't something I'm a fan of. This is why I moved the pattern generation logic to
Indeed. @stephane-airbyte and I are also thinking about how to properly scrub secrets in prod. It's a bit more involved in that case. |
postamar
force-pushed
the
postamar/remove-file-downloads-from-build
branch
from
4e1a328
to
b96fa1b
Compare
|
I added a unit test and checked again that the scrubbing works (it does). |
postamar
force-pushed
the
postamar/remove-file-downloads-from-build
branch
from
b96fa1b
to
d6c9f7a
Compare
|
/publish-java-cdk
|
This reverts commit 7ebd202.
These files were part of the CDK build and formed a circular dependency: their content is updated based on the connector metadata when a connector is published. Incidentally, removing these also allows removing the dependencies on micronaut.
This PR is best reviewed commit-by-commit:
DestinationAcceptanceTest, which is the only downstream dependency, to rely on the connector'smetadata.yamlfile instead of the connector metadata json blob.specs_secrets_mask.yamlfile which was used by a custom log4j plugin to scrub secrets from the logs. The log config in this repo is now only used for testing and since tests are run via airbyte-ci the secrets will already be scrubbed by dagger.