[JUJU-1684] Commit secret updates, deletes, access changes at end of hook execution #14500

Merged
merged 1 commit into from Aug 24, 2022


wallyworld
Member

Secret updates, deletes, access changes are cached on the hook context and committed when the hook has finished running.
Creates still need to happen immediately since the returned URI is needed for subsequent operations.

Also fix some unit agent context API calls to use a secret uri not a string.

Checklist

  • Code style: imports ordered, good names, simple structure, etc
  • Comments saying why design decisions were made
  • Go unit tests, with comments saying what you're testing
  • [ ] Integration tests, with comments saying what you're testing
  • [ ] doc.go added or updated in changed packages

QA steps

juju deploy juju-qa-dummy-source
Located charm "juju-qa-dummy-source" in charm-hub, revision 6
Deploying "juju-qa-dummy-source" from charm-hub charm "juju-qa-dummy-source", revision 6 in channel stable on jammy
juju deploy juju-qa-dummy-sink -n 2
Located charm "juju-qa-dummy-sink" in charm-hub, revision 7
Deploying "juju-qa-dummy-sink" from charm-hub charm "juju-qa-dummy-sink", revision 7 in channel stable on jammy

juju exec --unit dummy-source/0 "secret-add foo=bar --label=baz"
secret:cc1h4l2ov0ni3c50g0qg
juju exec --unit dummy-source/0 "secret-ids"
secret:cc1h4l2ov0ni3c50g0qg: baz
juju exec --unit dummy-source/0 "secret-get secret:cc1h4l2ov0ni3c50g0qg"
foo: bar

juju exec --unit dummy-source/0 "secret-update secret:cc1h4l2ov0ni3c50g0qg foo=bar3"
juju exec --unit dummy-source/0 "secret-get secret:cc1h4l2ov0ni3c50g0qg"
foo: bar
juju exec --unit dummy-source/0 "secret-get secret:cc1h4l2ov0ni3c50g0qg --update"
foo: bar3

juju relate dummy-sink dummy-source
juju exec --unit dummy-source/0 "secret-grant secret:cc1h4l2ov0ni3c50g0qg -r 0 --unit dummy-sink/0"
juju exec --unit dummy-sink/0 "secret-get secret:cc1h4l2ov0ni3c50g0qg"
foo: bar3

juju exec --unit dummy-source/0 "secret-revoke secret:cc1h4l2ov0ni3c50g0qg -r 0 --unit dummy-sink/0"
juju exec --unit dummy-sink/0 "secret-get secret:cc1h4l2ov0ni3c50g0qg"
ERROR permission denied
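
Added example (not code from this pull request or from Juju): a minimal Go model of the behaviour the PR summary describes, where updates, deletes, grants and revokes are staged on the hook context and applied when the hook ends, while creates go through immediately. The types, method names and example URIs are hypothetical, and discarding staged changes when the hook fails is an assumption.

```go
package main

import "fmt"

// Secret is a constructed in-memory stand-in for one stored secret.
type Secret struct {
	Value   string
	Readers map[string]bool // units granted read access
}

// HookContext stages secret changes for the duration of one hook run.
type HookContext struct {
	store   map[string]*Secret // shared backend keyed by URI; nil = deleted
	pending []func()           // staged updates, deletes, access changes
}

// Create is applied immediately because the caller needs the returned URI.
func (c *HookContext) Create(v string) string {
	uri := fmt.Sprintf("secret:example%d", len(c.store)+1)
	c.store[uri] = &Secret{Value: v, Readers: map[string]bool{}}
	return uri
}

func (c *HookContext) stage(uri string, f func(*Secret)) {
	c.pending = append(c.pending, func() {
		if sec := c.store[uri]; sec != nil { // skip secrets already deleted
			f(sec)
		}
	})
}
func (c *HookContext) Update(uri, v string)    { c.stage(uri, func(s *Secret) { s.Value = v }) }
func (c *HookContext) Delete(uri string)       { c.stage(uri, func(*Secret) { c.store[uri] = nil }) }
func (c *HookContext) Grant(uri, unit string)  { c.stage(uri, func(s *Secret) { s.Readers[unit] = true }) }
func (c *HookContext) Revoke(uri, unit string) { c.stage(uri, func(s *Secret) { delete(s.Readers, unit) }) }

// Flush ends the hook: discard on failure (assumption), else apply in call order.
func (c *HookContext) Flush(hookErr error) {
	for i := 0; hookErr == nil && i < len(c.pending); i++ {
		c.pending[i]()
	}
	c.pending = nil
}

func main() {
	h := &HookContext{store: map[string]*Secret{}}
	uri := h.Create("bar")
	h.Update(uri, "bar3") // staged only
	h.Flush(nil)          // committed here
	fmt.Println(uri, h.store[uri].Value)
}
```

Under that assumption a failed hook also drops a staged revoke, so the earlier grant stays in force until a later hook succeeds.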

@wallyworld wallyworld force-pushed the batch-secret-updates branch 4 times, most recently from e01db67 to 22dc1c1 Compare August 23, 2022 22:29
@@ -2718,6 +2720,43 @@ func (u *UniterAPI) commitHookChangesForOneUnit(unitTag names.UnitTag, changes p
modelOps = append(modelOps, modelOp)
}

if len(changes.SecretDeletes) > 0 {
result, err := u.SecretsManagerAPI.RemoveSecrets(params.SecretURIArgs{Args: changes.SecretDeletes})
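
Review bot: the `RemoveSecrets` call inside the `if len(changes.SecretDeletes) > 0` block executes immediately instead of being appended to `modelOps` like the operation just above it, so if a later step of `commitHookChangesForOneUnit` fails, the secrets are already removed while the rest of the hook's changes are not applied. Either build the delete as a model op, or leave a TODO at this block stating that secret changes are committed outside the transaction and what state a partial failure leaves behind. The call binds both `result` and `err`; check the per-item errors carried in `result` as well as `err`, so a single failed delete is not silently dropped.
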
Member

obviously would be great to get these into the txn

Member Author

yeah. we're getting into 2 phase commit territory if the backend is not juju etc.
i'd like to come back to this when the design has evolved a bit, will leave a todo

@wallyworld
Member Author

/merge

@wallyworld
Member Author

/merge

@wallyworld
Member Author

/merge

@wallyworld
Member Author

/merge

@wallyworld wallyworld changed the title Commit secret updates, deletes, access changes at end of hook execution [JUJU-1684] Commit secret updates, deletes, access changes at end of hook execution Aug 24, 2022
@wallyworld
Member Author

/merge

@jujubot jujubot merged commit af9f362 into juju:develop Aug 24, 2022