Merge pull request #14527 from wallyworld/secrets-api-store
#14527

Secret updates and removes were already batched on the hook content - now handle creates also. To support this a new CreateSecretURIs method is added which will generate the URIs to use and allow the secret-add command to print that URI for use in relation data etc by the hook.

The main change is a refactor of the core secret apis (client, facade, persistence) to allow different secret content stores to be used. The only one supported at the moment is "juju", which stores the secret content on mongo. The supported stores register themselves, and future PRs will have a model config to specify which store to use; the juju one is hard coded to be used. Secret metadata is all stored in juju.

The service layer will look at whether an external store has been configured and use that to store the content, getting back an id specific to the provider. So what's passed to the juju backend as content is either the content itself or a provider id for the content. The same thing happens in reverse on the way out, but again for now, only content stored in juju is supported.

The unit agent is the caller of the service layer. If an external store is configured, the content save and load is by the service layer, so it doesn't pass through the controller at all. All the controller sees is the provider id of the content.

The CLI to show a secret with `--reveal` will at the moment require the controller to fetch the value from the external store. This may need to be revisited.

Also drive-by fix for intermittent state test failures in CI.
## Checklist

- [X] Code style: imports ordered, good names, simple structure, etc
- [X] Comments saying why design decisions were made
- [X] Go unit tests, with comments saying what you're testing
- ~[ ] [Integration tests](https://github.com/juju/juju/tree/develop/tests), with comments saying what you're testing~
- ~[ ] [doc.go](https://discourse.charmhub.io/t/readme-in-packages/451) added or updated in changed packages~

## QA steps

```
juju deploy juju-qa-dummy-source
juju deploy juju-qa-dummy-sink
juju relate dummy-source dummy-sink
juju exec --unit dummy-source/0 "secret-add foo=bar --label=baz"
secret:cc65ugtak34ik8ngi7dg
juju exec --unit dummy-source/0 "secret-get secret:cc65ugtak34ik8ngi7dg"
foo: bar
juju exec --unit dummy-source/0 "secret-grant secret:cc65ugtak34ik8ngi7dg -r 0 --unit dummy-sink/0"
juju exec --unit dummy-sink/0 "secret-get secret:cc65ugtak34ik8ngi7dg"
foo: bar
juju exec --unit dummy-source/0 "secret-update secret:cc65ugtak34ik8ngi7dg foo=baz2"
juju exec --unit dummy-source/0 "secret-get secret:cc65ugtak34ik8ngi7dg --metadata"
cc65ugtak34ik8ngi7dg:
  revision: 2
  label: baz
  rotation: never
juju show-status-log dummy-sink/0
Time Type Status Message
...
29 Aug 2022 16:41:42+10:00 juju-unit idle
29 Aug 2022 16:42:02+10:00 juju-unit executing running secret-changed hook for secret:cc65ugtak34ik8ngi7dg
29 Aug 2022 16:52:50+10:00 juju-unit idle
juju exec --unit dummy-sink/0 "secret-get secret:cc65ugtak34ik8ngi7dg --peek"
foo: baz2
juju exec --unit dummy-sink/0 "secret-get secret:cc65ugtak34ik8ngi7dg"
foo: bar
juju exec --unit dummy-sink/0 "secret-get secret:cc65ugtak34ik8ngi7dg --update"
foo: baz2
juju exec --unit dummy-sink/0 "secret-get secret:cc65ugtak34ik8ngi7dg"
foo: baz2
```
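The content/metadata split described in the commit message, as an added Go example that is not taken from the Juju code base: every type and method name here (`ContentStore`, `memStore`, `Value`, `Service`) is hypothetical. It shows the metadata backend receiving only a provider id when an external store is configured, and a reader with no access to that store failing to resolve the content.

```go
package main

import "fmt"

type ContentStore interface { // hypothetical name, not Juju's API
	Save(uri string, data map[string]string) (id string)
	Load(id string) (map[string]string, error)
}

type memStore map[string]map[string]string // constructed stand-in for an external store
func (m memStore) Save(uri string, d map[string]string) string {
	m["ext-"+uri] = d
	return "ext-" + uri
}
func (m memStore) Load(id string) (map[string]string, error) { return m[id], nil }

type Value struct { // what the metadata backend persists: content or a provider id
	Data       map[string]string
	ProviderID string
}
type Service struct { // called by the unit agent; External is nil for the built-in store
	Backend  map[string]Value
	External ContentStore
}

func (s *Service) Create(uri string, d map[string]string) {
	s.Backend[uri] = Value{Data: d}
	if s.External != nil { // only the provider id reaches the backend
		s.Backend[uri] = Value{ProviderID: s.External.Save(uri, d)}
	}
}

func (s *Service) Get(uri string) (map[string]string, error) {
	v, ok := s.Backend[uri]
	switch {
	case !ok:
		return nil, fmt.Errorf("secret %q not found", uri)
	case v.ProviderID == "":
		return v.Data, nil
	case s.External == nil:
		return nil, fmt.Errorf("content of %q is external; no store configured", uri)
	}
	return s.External.Load(v.ProviderID)
}

func main() {
	s := &Service{Backend: map[string]Value{}, External: memStore{}}
	s.Create("secret:example", map[string]string{"foo": "bar"})
	fmt.Printf("%+v\n", s.Backend["secret:example"])
}
```

The last error case in `Get` corresponds to the `--reveal` concern in the message: whoever resolves a provider id needs its own access to the external store.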
Showing 69 changed files with 1,367 additions and 1,354 deletions.