Improvements to parameter encryption to support per-namespace keys

[rabbah]

This PR extends @mcdan's work from #4756 to allow for per-namespace encryption keys. Each commit is an incremental refactoring which might help in understanding the progression.

There are two singleton references to the encryption configuration - these can be replaced by identity-specific encryption configurations but requires additional work on extending the subject schema. I will stage that in a subsequent PR.

The refactoring here is intended to be semantic preserving.

Description

Related issue and scope

• I opened an issue to propose and discuss this change (enhance parameter encryption to support per-namespace keys #4854)

My changes affect the following components

• API
• Controller
• Message Bus (e.g., Kafka)
• Loadbalancer
• Invoker
• Intrinsic actions (e.g., sequences, conductors)
• Data stores (e.g., CouchDB)
• Tests
• Deployment
• CLI
• General tooling
• Documentation

Types of changes

• Bug fix (generally a non-breaking change which closes an issue).
• Enhancement or new feature (adds new functionality).
• Breaking change (a bug fix or enhancement which changes existing behavior).

Checklist:

• I signed an Apache CLA.
• I reviewed the style guides and followed the recommendations (Travis CI will check :).
• I added tests to cover my changes.
• My changes require further changes to the documentation.
• I updated the documentation where necessary.

[rabbah]

this is dead code.

[rabbah]

@mcdan this removes getMap and restricts access to the entity package.

[rabbah]

this change is mostly white space.

[rabbah]

@mcdan by partitioning the arguments into locked and unlocked, I think the approach is simpler. The same information is crossing the message bus, but as two separate maps: the arguments, and the list of ones that are locked.

[mcdan]

Yea that's a simpler way of looking at it but that changed the wire protocol for kafka right?

[codecov-io]

Codecov Report

Merging #4855 into master will decrease coverage by 47.10%.
The diff coverage is 50.00%.

@@             Coverage Diff             @@
##           master    #4855       +/-   ##
===========================================
- Coverage   83.10%   36.00%   -47.11%     
===========================================
  Files         202      202               
  Lines        9811     9786       -25     
  Branches      426      409       -17     
===========================================
- Hits         8153     3523     -4630     
- Misses       1658     6263     +4605     

Impacted Files	Coverage Δ
...org/apache/openwhisk/core/entity/WhiskAction.scala	81.42% <ø> (-10.93%)	⬇️
...isk/core/controller/actions/PrimitiveActions.scala	0.00% <0.00%> (-86.17%)	⬇️
...enwhisk/core/loadBalancer/InvokerSupervision.scala	0.00% <0.00%> (-89.44%)	⬇️
...a/org/apache/openwhisk/core/entity/Parameter.scala	66.19% <42.85%> (-22.58%)	⬇️
...he/openwhisk/core/entity/ParameterEncryption.scala	26.31% <51.72%> (-68.52%)	⬇️
.../org/apache/openwhisk/core/connector/Message.scala	64.28% <100.00%> (-11.91%)	⬇️
...rg/apache/openwhisk/core/entity/WhiskPackage.scala	58.33% <100.00%> (-38.34%)	⬇️
.../openwhisk/core/containerpool/ContainerProxy.scala	69.33% <100.00%> (-25.85%)	⬇️
...a/org/apache/openwhisk/common/ConfigMapValue.scala	0.00% <0.00%> (-100.00%)	⬇️
.../apache/openwhisk/core/controller/Namespaces.scala	0.00% <0.00%> (-100.00%)	⬇️
... and 141 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update db59f6f...4c5ffa9. Read the comment docs.

[rabbah]

@mcdan might you have a chance to take a look at this PR?

[mcdan]

Yea that's a simpler way of looking at it but that changed the wire protocol for kafka right?

[style95]

I think operators would require two different sets of controllers, Kafkas, and invokers as this would change the ActivationMessage format.

• reference: Improvements to parameter encryption to support per-namespace keys #4855 (comment)

[style95]

It's not directly related to the change.
I am just curious if there is any benefit to having this explicit singleton while an object is already a singleton.

[rabbah]

I think you're objecting to the name singleton - we need to store the config in the object. I can rename the variable.

[style95]

Never mind.
I am fine with the name as well.

[rabbah]

I think operators would require two different sets of controllers, Kafkas, and invokers as this would change the ActivationMessage format.

You mean for a roll out? We've changed the kafka wire format before.
If this is a concern, we can hold this change over to post 1.0.

[rabbah]

I think you're objecting to the name singleton - we need to store the config in the object. I can rename the variable.

[style95]

I think operators would require two different sets of controllers, Kafkas, and invokers as this would change the ActivationMessage format.

You mean for a roll out? We've changed the kafka wire format before.
If this is a concern, we can hold this change over to post 1.0.

I am fine with this.
We already have managed this kind of change as you said.
I think so does the other downstream.
I just wanted to let them know this is the change.

[bdoyle0182]

Could this just be an option so it doesn't mess up backwards compatibility? Then make it non-optional in a subsequent commit. I'd be fine if we had the option commit before 1.0.0 and then you just immediately have a non-option commit (this commit) following it which is what's in 1.0.0. It would make our lives a lot easier since we don't have the capability to have two openwhisk clusters set up at once to do a deployment. I'm going to have to bring this up though with my team because the project operates that these things can be done so we can't keep up with this forever and will need to figure something out.

[rabbah]

That's OK but perhaps not necessary? I think your concern is rolling updates. If the controller is updated first it serializes the message but the invoker deserializes it without the locked args field. If you update the invokers first, they can accept these messages but the controller doesn't send any. If there are no encrypted args, the map is empty anyway.

[rabbah]

We can also revert this PR and merge it after 1.0.

[bdoyle0182]

Yea that's totally fine I wasn't thinking. I just did the rolling update for the last bump. As long as we have a rolling update between controllers and invokers it's not any issue

[codecov-commenter]

Codecov Report

Attention: Patch coverage is 50.00000% with 37 lines in your changes missing coverage. Please review.

Project coverage is 36.00%. Comparing base (db59f6f) to head (4c5ffa9).
Report is 260 commits behind head on master.

Files with missing lines	Patch %	Lines
...a/org/apache/openwhisk/core/entity/Parameter.scala	42.85%	20 Missing ⚠️
...he/openwhisk/core/entity/ParameterEncryption.scala	51.72%	14 Missing ⚠️
...enwhisk/core/loadBalancer/InvokerSupervision.scala	0.00%	2 Missing ⚠️
...isk/core/controller/actions/PrimitiveActions.scala	0.00%	1 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff             @@
##           master    #4855       +/-   ##
===========================================
- Coverage   83.10%   36.00%   -47.11%     
===========================================
  Files         202      202               
  Lines        9811     9786       -25     
  Branches      426      409       -17     
===========================================
- Hits         8153     3523     -4630     
- Misses       1658     6263     +4605     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.