This repository was archived by the owner on Feb 6, 2026. It is now read-only.

Move encrypted secrets into LayerDB (ENG-2415)#3478

Merged
si-bors-ng[bot] merged 1 commit into main from nick/0c5604f
Mar 28, 2024

Conversation


@nickgerace nickgerace commented Mar 27, 2024

Description

This PR moves encrypted secrets into LayerDB.

Before this PR, encrypted secrets were stored on the existing PG table whose migration is from the old-engine. This table implemented standard model and was both tenancy-scoped and visibility-scoped. While referential secrets made it on the new-engine graph structure, their encrypted bits remained in the old table.

Now that LayerDB is in play, we are able to leverage it to get encrypted secrets working between change sets as well as to work with them faster than before.

Primary Changes

  • Add new LayerDB table for encrypted secrets
  • Generate keys for the table with the tenancy, SecretId, and a generated Ulid from the current change set
  • Concentrate secrets into two primary objects: Secret and EncryptedSecret (while retaining DecryptedSecret for sending information to cyclone and for testing)
    • Secret contains metadata for the secret as well as a key to the encrypted contents
    • EncryptedSecret contains the encrypted contents
  • Ensure that when encrypted contents are updated, we insert a new EncryptedSecret and update the key on the Secret
  • Split secrets functionality into separate private modules
  • Add integration test for updating both the metadata and the encrypted contents for a secret
  • Refactor secrets unit tests to be split across relevant modules and integration tests to match the new paradigm

Secondary Changes

  • Privatize the func::before module and export its core function and error type
  • Restore the qualification check in the before funcs test for added coverage
  • Remove unused identity func helper module
  • Add remain::sorted to LayeredEventKind
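
The keying and update scheme the description lays out (tenancy + SecretId + a fresh id per write; Secret holds metadata and a key; EncryptedSecret holds only ciphertext; a content update inserts a new EncryptedSecret and repoints the Secret) can be modelled in a few dozen lines. The following is an added illustration, not System Initiative's code: it assumes plain integer ids, a monotonic counter standing in for the ULID minted in the current change set, an in-memory map standing in for LayerDB, and ciphertext treated as opaque bytes produced elsewhere. Secret nodes are kept per change set to show why old change sets keep resolving to their old ciphertext after another change set rotates the secret.

```rust
use std::collections::HashMap;

// Assumption: ids are plain integers; the real project uses its own id types.
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
pub struct Tenancy(pub u64);
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
pub struct SecretId(pub u64);
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
pub struct ChangeSetId(pub u64);

/// Key into the encrypted-secrets table: tenancy, SecretId, and a per-write id.
/// Assumption: `ulid` is a monotonic counter standing in for a generated ULID.
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
pub struct EncryptedSecretKey { pub tenancy: Tenancy, pub secret_id: SecretId, pub ulid: u128 }

/// Only ciphertext lives here; the store never sees plaintext.
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct EncryptedSecret { pub ciphertext: Vec<u8> }

/// Metadata plus the key of the ciphertext this change set currently points at.
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct Secret {
    pub id: SecretId,
    pub name: String,
    pub description: Option<String>,
    pub encrypted_secret_key: EncryptedSecretKey,
}

/// In-memory stand-in for LayerDB (append-only blobs) plus per-change-set Secret nodes.
#[derive(Default)]
pub struct Store {
    next_ulid: u128,
    encrypted: HashMap<EncryptedSecretKey, EncryptedSecret>,
    secrets: HashMap<(ChangeSetId, SecretId), Secret>,
}

impl Store {
    // Every write gets a fresh key, so an insert can never overwrite an earlier blob.
    fn insert_encrypted(&mut self, tenancy: Tenancy, secret_id: SecretId, ciphertext: Vec<u8>) -> EncryptedSecretKey {
        self.next_ulid += 1;
        let key = EncryptedSecretKey { tenancy, secret_id, ulid: self.next_ulid };
        let previous = self.encrypted.insert(key, EncryptedSecret { ciphertext });
        assert!(previous.is_none(), "encrypted secret key collided");
        key
    }

    pub fn create(&mut self, cs: ChangeSetId, tenancy: Tenancy, id: SecretId, name: &str, ciphertext: Vec<u8>) -> EncryptedSecretKey {
        let key = self.insert_encrypted(tenancy, id, ciphertext);
        self.secrets.insert((cs, id), Secret { id, name: name.to_string(), description: None, encrypted_secret_key: key });
        key
    }

    /// Let change set `to` see the Secret node `from` has; both point at the same ciphertext until one edits.
    pub fn fork(&mut self, from: ChangeSetId, to: ChangeSetId, id: SecretId) -> bool {
        match self.secrets.get(&(from, id)).cloned() {
            Some(secret) => { self.secrets.insert((to, id), secret); true }
            None => false,
        }
    }

    /// Metadata-only update: the ciphertext and its key are untouched.
    pub fn update_metadata(&mut self, cs: ChangeSetId, id: SecretId, name: &str, description: Option<&str>) -> bool {
        match self.secrets.get_mut(&(cs, id)) {
            Some(secret) => { secret.name = name.to_string(); secret.description = description.map(str::to_string); true }
            None => false,
        }
    }

    /// Content update: insert a new EncryptedSecret under a new key, then repoint this
    /// change set's Secret. Other change sets keep their old key and old ciphertext.
    pub fn update_contents(&mut self, cs: ChangeSetId, id: SecretId, ciphertext: Vec<u8>) -> Option<EncryptedSecretKey> {
        let tenancy = self.secrets.get(&(cs, id))?.encrypted_secret_key.tenancy;
        let key = self.insert_encrypted(tenancy, id, ciphertext);
        self.secrets.get_mut(&(cs, id))?.encrypted_secret_key = key;
        Some(key)
    }

    /// Resolve what a change set points at; the tenancy baked into the key lets the read path refuse cross-tenant lookups.
    pub fn ciphertext(&self, cs: ChangeSetId, tenancy: Tenancy, id: SecretId) -> Option<&[u8]> {
        let secret = self.secrets.get(&(cs, id))?;
        if secret.encrypted_secret_key.tenancy != tenancy { return None; }
        self.encrypted.get(&secret.encrypted_secret_key).map(|e| e.ciphertext.as_slice())
    }

    /// How many ciphertext versions the append-only table holds for a secret.
    pub fn stored_versions(&self, id: SecretId) -> usize {
        self.encrypted.keys().filter(|k| k.secret_id == id).count()
    }
}

fn main() {
    let mut store = Store::default();
    let (tenancy, id, cs_a, cs_b) = (Tenancy(1), SecretId(7), ChangeSetId(10), ChangeSetId(11));
    store.create(cs_a, tenancy, id, "db-password", b"ciphertext-v1".to_vec()); // constructed sample bytes
    store.fork(cs_a, cs_b, id);
    store.update_contents(cs_b, id, b"ciphertext-v2".to_vec());
    println!("A sees {:?}, B sees {:?}", store.ciphertext(cs_a, tenancy, id), store.ciphertext(cs_b, tenancy, id));
}
```

Two things to check when reviewing a real implementation of this shape: because a content update inserts rather than overwrites, every previous ciphertext stays addressable by its old key until something removes it, so retention after a rotation is a separate question; and because the tenancy is part of the key, a read path that looks blobs up by the key on a Secret it already trusts still needs the tenancy comparison above (or an equivalent scoping) to stop one tenant's Secret from being repointed at another tenant's blob.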

@github-actions bot added labels A-sdf (Area: Primary backend API service [Rust]), A-dal, A-dal-test, A-si-layer-cache on Mar 27, 2024
@nickgerace force-pushed the nick/0c5604f branch 3 times, most recently from b09dab5 to a060632 on March 28, 2024 19:33
@nickgerace nickgerace changed the title Move encrypted secrets into LayerDb Move encrypted secrets into LayerDB (ENG-2415) Mar 28, 2024
@nickgerace force-pushed the nick/0c5604f branch 5 times, most recently from fdc6cd4 to e19c104 on March 28, 2024 20:59
@nickgerace nickgerace marked this pull request as ready for review March 28, 2024 21:02
@nickgerace
Contributor Author

bors merge


si-bors-ng bot commented Mar 28, 2024

Merge conflict.

This commit moves encrypted secrets into LayerDB. Before this commit,
encrypted secrets were stored on the existing PG table whose migration is
from the "old-engine". This table implemented standard model and was
both tenancy and visibility scoped. While referential secrets made it on
the "new-engine" graph structure, their encrypted bits remained in the
old table. Now that LayerDB is in play, we are able to leverage it to
get encrypted secrets working between change sets as well as to work
with them faster than before.

Primary changes:
- Add new LayerDB table for encrypted secrets
- Generate keys for the table with the tenancy, SecretId, and a
  generated Ulid from the current change set
- Concentrate secrets into two primary objects: Secret and
  EncryptedSecret (while retaining DecryptedSecret for sending
  information to cyclone and for testing)
  - Secret contains metadata for the secret as well as a key to the
    encrypted contents
  - EncryptedSecret contains the encrypted contents
- Ensure that when encrypted contents are updated, we insert a new
  EncryptedSecret and update the key on the Secret
- Split secrets functionality into separate private modules
- Add integration test for updating both the metadata and the encrypted
  contents for a secret
- Refactor secrets unit tests to be split across relevant modules and
  integration tests to match the new paradigm

Secondary changes:
- Privatize the "func::before" module and export its core function and
  error type
- Restore the qualification check in the before funcs test for added
  coverage
- Remove unused identity func helper module
- Add "remain::sorted" to LayeredEventKind

Signed-off-by: Nick Gerace <nick@systeminit.com>
@nickgerace
Contributor Author

bors merge


si-bors-ng bot commented Mar 28, 2024

Build succeeded:

@si-bors-ng si-bors-ng bot merged commit 65675d2 into main Mar 28, 2024
@si-bors-ng si-bors-ng bot deleted the nick/0c5604f branch March 28, 2024 23:41