Tracks Secrets in
__inputs
and lastAppliedConfig
In order to support tracking secretness that flows from inputs to outputs when using providers that do not understand secrets directly, the engine takes any input that is secret and, if there is a corresponding output with the same name, marks it as a secret. This works in common cases, but does not work for Kubernetes for two key reasons: 1. The provider retains a copy of the inputs for a resource on an object called `__inputs` inside the state object. It uses this during Diff for reasons that are uninteresting to this PR. 2. The provider JSON-stringifies the inputs and stores them as an annotation on the object itself, as `kubectl` would. These two decisions mean that if a secret value is used as an input to a k8s resource, we will persist the plaintext value in the state file, since the engine has no way of knowing to look at `__inputs` or `lastAppliedConfig`. This change updates the provider to be able to handle secrets. The engine will now pass any secret inputs as strongly typed secrets. The provider will use this information to ensure that the relevant members in the `__inputs` bag are marked as secrets, as well as ensuring that if there are any inputs that are secret, all of `lastAppliedConfig` (which is a stringified JSON object) is marked as a secret as well. An integration test confirms this behavior by stringifying the state and ensuring that our secret values do not end up in it (which will catch cases where we may copy this data to other places as well). Fixes #734
Showing
9 changed files
with
229 additions
and
29 deletions.
Binary file not shown.
@@ -0,0 +1,55 @@ | ||
// Copyright 2016-2019, Pulumi Corporation. | ||
// | ||
// Licensed under the Apache License, Version 2.0 (the "License"); | ||
// you may not use this file except in compliance with the License. | ||
// You may obtain a copy of the License at | ||
// | ||
// http://www.apache.org/licenses/LICENSE-2.0 | ||
// | ||
// Unless required by applicable law or agreed to in writing, software | ||
// distributed under the License is distributed on an "AS IS" BASIS, | ||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
// See the License for the specific language governing permissions and | ||
// limitations under the License. | ||
|
||
package ints | ||
|
||
import ( | ||
b64 "encoding/base64" | ||
json "encoding/json" | ||
"os" | ||
"testing" | ||
|
||
"github.com/pulumi/pulumi/pkg/testing/integration" | ||
"github.com/stretchr/testify/assert" | ||
) | ||
|
||
func TestSecrets(t *testing.T) { | ||
kubectx := os.Getenv("KUBERNETES_CONTEXT") | ||
|
||
if kubectx == "" { | ||
t.Skipf("Skipping test due to missing KUBERNETES_CONTEXT variable") | ||
} | ||
|
||
secretMessage := "secret message for testing" | ||
|
||
integration.ProgramTest(t, &integration.ProgramTestOptions{ | ||
Dir: "step1", | ||
Dependencies: []string{"@pulumi/kubernetes"}, | ||
Quick: true, | ||
Config: map[string]string{ | ||
"message": secretMessage, | ||
}, | ||
ExtraRuntimeValidation: func(t *testing.T, stackInfo integration.RuntimeValidationStackInfo) { | ||
assert.NotNil(t, stackInfo.Deployment) | ||
state, err := json.Marshal(stackInfo.Deployment) | ||
assert.NoError(t, err) | ||
|
||
assert.NotContains(t, string(state), secretMessage) | ||
|
||
// The program converts the secret message to base64, to make a ConfigMap from it, so the state | ||
// should also not contain the base64 encoding of secret message. | ||
assert.NotContains(t, string(state), b64.StdEncoding.EncodeToString([]byte(secretMessage))) | ||
}, | ||
}) | ||
} |
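Review bot: The two `assert.NotContains` checks on the marshalled deployment (the lines after `state, err := json.Marshal(stackInfo.Deployment)`) pass vacuously if the ConfigMap was never created or the `bd` output was dropped, so the test cannot tell "secret was redacted" apart from "value never reached the state". Pair them with a positive assertion that the resource actually landed, for example `assert.Contains(t, stackInfo.Outputs, "bd")` if `RuntimeValidationStackInfo` exposes the stack outputs (its fields are not visible on this page, so confirm against the integration package), or a check that the deployment holds at least one resource. Two smaller points: `t.Skipf` is called with no format arguments, so `t.Skip("Skipping test due to missing KUBERNETES_CONTEXT variable")` is the right call, and the `b64`/`json` import aliases are redundant because the packages are already named `base64` and `json`.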
@@ -0,0 +1,3 @@ | ||
name: provider | ||
description: Tests first-class provider support. | ||
runtime: nodejs |
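Review bot: The `description` line reads "Tests first-class provider support.", but the program in this directory exercises a secret config value fed into a ConfigMap, so the text looks copied from another test project. Suggest `description: Tests that secret inputs do not leak into the state file.` so the project metadata matches what the test checks.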
@@ -0,0 +1,25 @@ | ||
// Copyright 2016-2019, Pulumi Corporation. | ||
// | ||
// Licensed under the Apache License, Version 2.0 (the "License"); | ||
// you may not use this file except in compliance with the License. | ||
// You may obtain a copy of the License at | ||
// | ||
// http://www.apache.org/licenses/LICENSE-2.0 | ||
// | ||
// Unless required by applicable law or agreed to in writing, software | ||
// distributed under the License is distributed on an "AS IS" BASIS, | ||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
// See the License for the specific language governing permissions and | ||
// limitations under the License. | ||
|
||
import * as pulumi from "@pulumi/pulumi"; | ||
import * as k8s from "@pulumi/kubernetes"; | ||
|
||
const pw = (new pulumi.Config()).requireSecret("message"); | ||
const cm = new k8s.core.v1.ConfigMap("cm", { | ||
binaryData: { | ||
password: pw.apply(d => new Buffer(d).toString("base64")), | ||
} | ||
}) | ||
|
||
export const bd = cm.binaryData; |
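Review bot: `new Buffer(d)` on the `password:` line uses the deprecated `Buffer` constructor (Node.js DEP0005, which prints a runtime deprecation warning and has security-motivated replacement APIs); prefer `password: pw.apply(d => Buffer.from(d).toString("base64")),`. A one-line comment on `export const bd = cm.binaryData;` would also help, since the export is presumably what carries the secret-derived value into the stack outputs that the Go integration test scans — something like `// Exported so the secret-derived value lands in the state the integration test inspects.` The `new k8s.core.v1.ConfigMap(...)` statement is also missing its trailing semicolon, unlike the other statements in the file.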