Resolve secrets in ERB strings #30228
Allow keys such as dashboard_db_reader to depend on db_reader secret.
add test_erb_string_secret
Codecov Report
@@ Coverage Diff @@
## staging #30228 +/- ##
==========================================
Coverage ? 76.52%
==========================================
Files ? 677
Lines ? 27679
Branches ? 0
==========================================
Hits ? 21181
Misses ? 6498
Partials ? 0
- This change explicitly only allows interpolation of config values if those values come from secrets, is that right?
- We should take a minute to discuss possible alternatives, since the more features we add the more complex our mini config language is going to get. What if instead we had these as methods on the CDO object, similar to `dashboard_hostname`?

  Line 74 in 161ab00: `def dashboard_hostname`
I believe this change (basically a bug-fix) is much more narrowly scoped compared to any of the alternatives I considered.
Prior to this change, references to
Adding global CDO methods to resolve values referencing Secrets would mean two ways to reference a config value (ERB or CDO method), depending on whether the value to be referenced is defined as (or might possibly be overridden to be) a Secret. I think this would be more complicated to work with than the change in this PR. A possibly simpler alternative would be to replace all ERB tags in the config with global CDO methods (get rid of the ERB layer entirely), but that would be an even more challenging task. More generally, I've been trying to eliminate/refactor all of the legacy global methods in the CDO config for a few reasons:
Happy to follow up on any remaining design questions, but I'm going to merge this PR now to fix the specific issue and unblock ongoing work.
Allow configuration values to depend on secrets within interpolated strings (such as `db_reader: !Secret` referenced within `dashboard_db_reader: '<%="#{db_reader}#{dashboard_db_name}"%>'`).

For the implementation, I've added an internal string representation of the secret as `${secretkey}`, which is matched in the `lazy_load_secrets!` method enhanced to regex-replace (`gsub`) all secrets found within string values.

Added a test (`test_erb_string_secret`) to verify the new functionality, and I also added some extra coverage around json secrets (`test_json_secret`) and fixed a related bug in how json secrets get passed through the system.
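
The placeholder-then-resolve flow described in the PR description, as an added sketch that is not the project's own code: `SecretRef`, `render_config`, `resolve_secrets` and the sample values are hypothetical names and constructed data. It goes slightly beyond the description by raising on an unknown key and by using the block form of `gsub`, so a secret value containing `\0` is inserted literally.

```ruby
require 'erb'

# Hypothetical deferred secret: interpolating it yields the "${key}" marker,
# never the secret value, so ERB can run before any secret is fetched.
class SecretRef
  def initialize(key)
    @key = key
  end

  def to_s
    "${#{@key}}"
  end
end

PLACEHOLDER = /\$\{(\w+)\}/

# Render ERB string values with the other config keys callable by name.
def render_config(raw)
  ctx = Object.new
  raw.each { |k, v| ctx.define_singleton_method(k) { v } }
  scope = ctx.instance_eval { binding }
  raw.transform_values { |v| v.is_a?(String) ? ERB.new(v).result(scope) : v }
end

# Replace every marker with its value from `store` (any Hash-like lookup).
# The block form of gsub inserts the value literally, so a secret containing
# "\0" or "\1" is not treated as a backreference; an unknown key raises
# instead of leaving "${...}" in a connection string.
def resolve_secrets(config, store)
  config.transform_values do |v|
    v = v.to_s if v.is_a?(SecretRef)
    next v unless v.is_a?(String)
    v.gsub(PLACEHOLDER) do
      key = Regexp.last_match(1)
      store.fetch(key) { raise KeyError, "unresolved secret: #{key}" }
    end
  end
end

# Constructed sample config and secret store (values are made up).
RAW_CONFIG = {
  'db_reader' => SecretRef.new('db_reader'),
  'dashboard_db_name' => 'dashboard_test',
  'dashboard_db_reader' => '<%="#{db_reader}#{dashboard_db_name}"%>'
}.freeze
SAMPLE_STORE = { 'db_reader' => 'mysql://reader:pa\0ss@db.example.test/' }.freeze

RESOLVED = resolve_secrets(render_config(RAW_CONFIG), SAMPLE_STORE)
```

Because the rendered config holds only `${db_reader}` markers until `resolve_secrets` runs, logging or dumping it before that step does not expose the secret value.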