Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[feat][io] Support configuration secret interpolation #20901

Merged
merged 7 commits into from
Aug 16, 2023
Merged

[feat][io] Support configuration secret interpolation #20901

merged 7 commits into from
Aug 16, 2023

Conversation

michaeljmarshall
Copy link
Member

@michaeljmarshall michaeljmarshall commented Jul 28, 2023
edited
Loading

PIP: #20903
Relates to: #20862

Motivation

The primary motivation is to make it possible to configure Pulsar Connectors in a secure, non-plaintext way. See the PIP for background and relevant details. The new interpolation feature only applies when deploying with functions to Kubernetes.

Modifications

  • Add SecretsProvider#interpolateSecretForValue method with a default that maintains the current behavior.
  • Override interpolateSecretForValue in the EnvironmentBasedSecretsProvider so that configuration values formatted as ${my-env-var} will be replaced with the result of System.getEnv("my-env-var") if the result is not null.
  • Implement a recursive string interpolation method that will replace any configuration value that the interpolateSecretForValue implementation determines ought to be replaced.

Verifying this change

Tests are added/modified.

Documentation

  • doc-required

Matching PR in forked repository

PR in forked repository: michaeljmarshall#55

@michaeljmarshall michaeljmarshall added doc Your PR contains doc changes, no matter whether the changes are in markdown or code files. area/connector area/security type/PIP labels Jul 28, 2023
@michaeljmarshall michaeljmarshall added this to the 3.2.0 milestone Jul 28, 2023
@michaeljmarshall michaeljmarshall self-assigned this Jul 28, 2023
@github-actions github-actions bot added doc-required Your PR changes impact docs and you will update later. and removed type/PIP labels Jul 28, 2023
@michaeljmarshall michaeljmarshall removed the doc Your PR contains doc changes, no matter whether the changes are in markdown or code files. label Jul 28, 2023
This was referenced Jul 28, 2023
Merged
Closed
@michaeljmarshall michaeljmarshall marked this pull request as ready for review August 14, 2023 23:12
eolivelli
eolivelli approved these changes Aug 15, 2023
View reviewed changes
Copy link
Contributor

@eolivelli eolivelli left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1

@michaeljmarshall
Copy link
Member Author

/pulsarbot rerun-failure-checks

shibd
shibd approved these changes Aug 16, 2023
View reviewed changes
Copy link
Member

@shibd shibd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/LGTM

...c/main/java/org/apache/pulsar/functions/secretsprovider/EnvironmentBasedSecretsProvider.java
@@ -33,4 +41,15 @@ public class EnvironmentBasedSecretsProvider implements SecretsProvider {
public String provideSecret(String secretName, Object pathToSecret) {
return System.getenv(secretName);
}

@Override
public String interpolateSecretForValue(String value) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's better to add unit tests to the method separately.

@codecov-commenter
Copy link

Codecov Report

Merging #20901 (5e05025) into master (d6734b7) will increase coverage by 36.25%.
The diff coverage is 88.88%.

Impacted file tree graph

@@              Coverage Diff              @@
##             master   #20901       +/-   ##
=============================================
+ Coverage     36.84%   73.10%   +36.25%     
- Complexity    12195    32255    +20060     
=============================================
  Files          1698     1875      +177     
  Lines        129852   139455     +9603     
  Branches      14161    15334     +1173     
=============================================
+ Hits          47843   101946    +54103     
+ Misses        75680    29448    -46232     
- Partials       6329     8061     +1732
Flag Coverage Δ
inttests 24.23% <0.00%> (+0.10%) ⬆️
systests 25.13% <14.81%> (+0.03%) ⬆️
unittests 72.40% <88.88%> (+40.34%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files Changed Coverage Δ
...ulsar/functions/instance/JavaInstanceRunnable.java 71.85% <85.00%> (+9.98%) ⬆️
...cretsprovider/EnvironmentBasedSecretsProvider.java 100.00% <100.00%> (+100.00%) ⬆️
...sar/functions/secretsprovider/SecretsProvider.java 100.00% <100.00%> (ø)

... and 1435 files with indirect coverage changes

@michaeljmarshall michaeljmarshall merged commit bfde0de into apache:master Aug 16, 2023
44 of 45 checks passed
@michaeljmarshall michaeljmarshall deleted the interpolate-io-secrets branch August 16, 2023 14:20
michaeljmarshall added a commit to datastax/pulsar that referenced this pull request Aug 16, 2023
@michaeljmarshall
[feat][io] Support configuration secret interpolation (apache#20901)
e80cc1d 
PIP: apache#20903
Relates to: apache#20862

The primary motivation is to make it possible to configure Pulsar Connectors in a secure, non-plaintext way. See the PIP for background and relevant details. The new interpolation feature only applies when deploying with functions to Kubernetes.

* Add `SecretsProvider#interpolateSecretForValue` method with a default that maintains the current behavior.
* Override `interpolateSecretForValue` in the `EnvironmentBasedSecretsProvider` so that configuration values formatted as `${my-env-var}` will be replaced with the result of `System.getEnv("my-env-var")` if the result is not `null`.
* Implement a recursive string interpolation method that will replace any configuration value that the `interpolateSecretForValue` implementation determines ought to be replaced.

Tests are added/modified.

- [x] `doc-required`

PR in forked repository: michaeljmarshall#55

(cherry picked from commit bfde0de)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@eolivelli eolivelli eolivelli approved these changes

@shibd shibd shibd approved these changes

@gaozhangmin gaozhangmin Awaiting requested review from gaozhangmin

@nicoloboschi nicoloboschi Awaiting requested review from nicoloboschi

@nlu90 nlu90 Awaiting requested review from nlu90

Assignees

@michaeljmarshall michaeljmarshall

Labels
area/connector area/security doc-required Your PR changes impact docs and you will update later.
Projects
None yet
Milestone
3.2.0
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@michaeljmarshall @codecov-commenter @eolivelli @shibd