-
Notifications
You must be signed in to change notification settings - Fork 494
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
User secrets drain #16454
User secrets drain #16454
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A few tweaks to look at. I think there's scope on the apiserver side to reduce duplicate logic by putting stuff in common? Also the logic around checking owners was done for apps and units and needs a little tweaking for model owners.
Could you also QA draining of app/unit secrets to be sure there's no accidental breakage there.
@@ -238,6 +238,8 @@ func backendConfigInfo( | |||
// Granted secrets can be consumed in application level for all units. | |||
readFilter.ConsumerTags = append(readFilter.ConsumerTags, authApp) | |||
case names.ApplicationTag: | |||
case names.ModelTag: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Comment at the top of the switch needs updating
// Find secrets owned by the application that should be readable for non leader units.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think the comment is still accurate because the code here is finding extra filter for leader units.
filter func(*coresecrets.SecretMetadata, *coresecrets.SecretRevisionMetadata) bool, | ||
) (params.ListSecretResults, error) { | ||
var result params.ListSecretResults | ||
listFilter := state.SecretsFilter{ | ||
// TODO: there is a bug that operator agents can't get any unit owned secrets! | ||
// Because the authTag here is the application tag, but not unit tag. | ||
OwnerTags: []names.Tag{authTag}, | ||
// Because the ownerTag here is the application tag, but not unit tag. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It could be the model tag for user secrets. These comments and the logic need tweaking. eg if owner tag is a model tag, no need to do the isLeaderUnit check below etc
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
IsLeaderUnit handles this correctly. It returns false if the tag is not a unit tag.
But I can do one more check here.
} | ||
|
||
// GetSecretBackendConfigs gets the config needed to create a client to secret backends. | ||
func (s *SecretsDrainAPI) GetSecretBackendConfigs(arg params.SecretBackendArgs) (params.SecretBackendConfigResults, error) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should these methods be in apiserver/common/secrets
... the code looks duplicated from the secretsmanager facade?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nah, they are very different. This one is a much simpler version of the facade for agents.
Because the agent facade supports calling by owners and consumers(event CMR), getting secrets by labels, also --peek, --refresh, etc.
if !context.Auth().AuthController() { | ||
return nil, apiservererrors.ErrPerm | ||
} | ||
leadershipChecker, err := context.LeadershipChecker() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we need leadership checks for user secrets?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No need for the user secrets stuff, but the shared code in the common package needs them.
/merge |
// Source: github.com/juju/juju/apiserver/facade (interfaces: Context,Authorizer) | ||
|
||
// Package mocks is a generated GoMock package. | ||
package mocks |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We don't really need mocks sub-packages. They were only ever introduced to get around circular dependencies due in part to having separate {package} and {package}_test packages. Just stick it in package_mock_test.go
|
||
// SecretsDrainAPI is the implementation for the SecretsDrain facade. | ||
type SecretsDrainAPI struct { | ||
*commonsecrets.SecretsDrainAPI |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We don't want to embed APIs any more. It makes versioning of embedding APIs cumbersome. Make it a member and call through to it.
#16470 Merge branch `3.3` into `main`: - #16426 - #16435 - #16445 - #16452 - #16451 - #16453 - #16455 - #16456 - #16457 - #16460 - #16461 - #16454 - #16394 - #16469 ``` # Conflicts: # apiserver/common/secrets/access.go # apiserver/common/secrets/access_test.go # apiserver/common/secrets/drain.go # apiserver/common/secrets/drain_test.go # apiserver/common/secrets/mocks/commonsecrets_mock.go # apiserver/common/secrets/watcher.go # apiserver/common/secrets/watcher_test.go # apiserver/facades/agent/provisioner/imagemetadata_test.go # apiserver/facades/agent/secretsdrain/mocks/modelstate.go # apiserver/facades/agent/secretsdrain/mocks/secretsprovider.go # apiserver/facades/agent/secretsdrain/package_test.go # apiserver/facades/agent/secretsdrain/register.go # apiserver/facades/agent/secretsdrain/state.go # cmd/jujud/agent/caasoperator/manifolds.go # environs/bootstrap/bootstrap.go # environs/simplestreams/datasource.go # environs/simplestreams/datasource_test.go # go.sum # worker/dbaccessor/package_test.go # worker/firewaller/firewaller_test.go # worker/modelcache/worker_test.go # worker/secretsdrainworker/manifold.go # worker/secretsdrainworker/manifold_test.go # worker/secretsdrainworker/package_test.go # worker/uniter/charm/bundles_test.go # worker/uniter/uniter_test.go # worker/uniter/util_test.go ```
This PR enables drain feature for user secrets.
Checklist
Integration tests, with comments saying what you're testingQA steps
K8s Controller
IaaS controller
charm owned secrets
Documentation changes
No
Links
Jira card: JUJU-4401