User secrets drain #16454
User secrets drain #16454
Conversation
There was a problem hiding this comment.
A few tweaks to look at. I think there's scope on the apiserver side to reduce duplicate logic by putting stuff in common? Also the logic around checking owners was done for apps and units and needs a little tweaking for model owners.
Could you also QA draining of app/unit secrets to be sure there's no accidental breakage there.
| @@ -238,6 +238,8 @@ func backendConfigInfo( | |||
| // Granted secrets can be consumed in application level for all units. | |||
| readFilter.ConsumerTags = append(readFilter.ConsumerTags, authApp) | |||
| case names.ApplicationTag: | |||
| case names.ModelTag: | |||
There was a problem hiding this comment.
Comment at the top of the switch needs updating
// Find secrets owned by the application that should be readable for non leader units.
There was a problem hiding this comment.
I think the comment is still accurate because the code here is finding extra filter for leader units.
| filter func(*coresecrets.SecretMetadata, *coresecrets.SecretRevisionMetadata) bool, | ||
| ) (params.ListSecretResults, error) { | ||
| var result params.ListSecretResults | ||
| listFilter := state.SecretsFilter{ | ||
| // TODO: there is a bug that operator agents can't get any unit owned secrets! | ||
| // Because the authTag here is the application tag, but not unit tag. | ||
| OwnerTags: []names.Tag{authTag}, | ||
| // Because the ownerTag here is the application tag, but not unit tag. |
There was a problem hiding this comment.
It could be the model tag for user secrets. These comments and the logic need tweaking. eg if owner tag is a model tag, no need to do the isLeaderUnit check below etc
There was a problem hiding this comment.
IsLeaderUnit handles this correctly. It returns false if the tag is not a unit tag.
But I can do one more check here.
| } | ||
|
|
||
| // GetSecretBackendConfigs gets the config needed to create a client to secret backends. | ||
| func (s *SecretsDrainAPI) GetSecretBackendConfigs(arg params.SecretBackendArgs) (params.SecretBackendConfigResults, error) { |
There was a problem hiding this comment.
Should these methods be in apiserver/common/secrets ... the code looks duplicated from the secretsmanager facade?
There was a problem hiding this comment.
Nah, they are very different. This one is a much simpler version of the facade for agents.
Because the agent facade supports calling by owners and consumers(event CMR), getting secrets by labels, also --peek, --refresh, etc.
| if !context.Auth().AuthController() { | ||
| return nil, apiservererrors.ErrPerm | ||
| } | ||
| leadershipChecker, err := context.LeadershipChecker() |
There was a problem hiding this comment.
Do we need leadership checks for user secrets?
There was a problem hiding this comment.
No need for the user secrets stuff, but the shared code in the common package needs them.
|
/merge |
| // Source: github.com/juju/juju/apiserver/facade (interfaces: Context,Authorizer) | ||
|
|
||
| // Package mocks is a generated GoMock package. | ||
| package mocks |
There was a problem hiding this comment.
We don't really need mocks sub-packages. They were only ever introduced to get around circular dependencies due in part to having separate {package} and {package}_test packages. Just stick it in package_mock_test.go
|
|
||
| // SecretsDrainAPI is the implementation for the SecretsDrain facade. | ||
| type SecretsDrainAPI struct { | ||
| *commonsecrets.SecretsDrainAPI |
There was a problem hiding this comment.
We don't want to embed APIs any more. It makes versioning of embedding APIs cumbersome. Make it a member and call through to it.
#16470 Merge branch `3.3` into `main`: - #16426 - #16435 - #16445 - #16452 - #16451 - #16453 - #16455 - #16456 - #16457 - #16460 - #16461 - #16454 - #16394 - #16469 ``` # Conflicts: # apiserver/common/secrets/access.go # apiserver/common/secrets/access_test.go # apiserver/common/secrets/drain.go # apiserver/common/secrets/drain_test.go # apiserver/common/secrets/mocks/commonsecrets_mock.go # apiserver/common/secrets/watcher.go # apiserver/common/secrets/watcher_test.go # apiserver/facades/agent/provisioner/imagemetadata_test.go # apiserver/facades/agent/secretsdrain/mocks/modelstate.go # apiserver/facades/agent/secretsdrain/mocks/secretsprovider.go # apiserver/facades/agent/secretsdrain/package_test.go # apiserver/facades/agent/secretsdrain/register.go # apiserver/facades/agent/secretsdrain/state.go # cmd/jujud/agent/caasoperator/manifolds.go # environs/bootstrap/bootstrap.go # environs/simplestreams/datasource.go # environs/simplestreams/datasource_test.go # go.sum # worker/dbaccessor/package_test.go # worker/firewaller/firewaller_test.go # worker/modelcache/worker_test.go # worker/secretsdrainworker/manifold.go # worker/secretsdrainworker/manifold_test.go # worker/secretsdrainworker/package_test.go # worker/uniter/charm/bundles_test.go # worker/uniter/uniter_test.go # worker/uniter/util_test.go ```
This PR enables drain feature for user secrets.
Checklist
Integration tests, with comments saying what you're testingQA steps
K8s Controller
IaaS controller
charm owned secrets
Documentation changes
No
Links
Jira card: JUJU-4401