-
Notifications
You must be signed in to change notification settings - Fork 24
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat!: add support for secrets in manifests #307
Conversation
8d8b9c6
to
0fd10a5
Compare
14229b6
to
157ffca
Compare
4f00914
to
6039d41
Compare
da265d7
to
f174e4c
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
One or two nits, and a bigger request around backwards compatible manifests. I found myself wondering if we needed a SecretScaler at all given that it's just a wrapper around configuration, but I think the separation is worth it at the very least for clarity and also for the future where we may do more complex things in response to a secret.
crates/wadm-types/src/lib.rs
Outdated
#[serde(default, skip_serializing_if = "Vec::is_empty")] | ||
pub source_config: Vec<ConfigProperty>, | ||
pub source: Option<ConfigDefinition>, | ||
/// Configuration to apply to the target of the link | ||
#[serde(default, skip_serializing_if = "Vec::is_empty")] | ||
pub target_config: Vec<ConfigProperty>, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it would be great to support the source_config
and target_config
properties here in order to support the current manifest format in a backwards-compatible deprecated way, e.g. if source_config
is supplied but source
is not, we fill in the source
property at deserialization time. Thoughts?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Went ahead and updated the code so that both source_config
and target_config
transformed into the new representation. We'll have to figure out how to prepare to remove them entirely.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@protochron and I have discussed the issue I brought up and decided that it would be best to transform manifests of the "old" source/target config format to the new automatically using wash
. I think it would be nice to return a good error instead of a failed deserialization error / failed validation error if possible, in the case where folks are using the Wadm API directly instead of using wash (e.g. the operator, right?)
Let's see if we can use a wash plugin for the translation
440bbf4
to
a7684ff
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This PR largely looks really nice. Huge amount of changes, thanks for dealing with the copy/paste. Just a few requests, at least half are to remove comments/printlns
84c54ab
to
aa71746
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM! Just a test failing it seems
aa71746
to
91ce72d
Compare
This adds support for secrets in wasmCloud application manifests. The secrets themselves are actually _secret references_ as outlined in wasmCloud/wasmCloud#2190. Just like config, secrets can be specified at the component or provider level or on a link. Secret references themselves are actually implemented as an additional kind of config stored in the same config data bucket. However, I opted to implement a dedicated scaler for secrets that is largely a clone of the existing ConfigScaler since the underlying data type is very different than the arbitrary set of key/value pairs we use for config. An example of what this looks like in a component is shown below: ```yaml spec: components: - name: http-component type: component properties: image: ghcr.io/wasmcloud/test-fetch-with-token:0.1.0-fake secrets: - name: some-api-token source: backend: nats-kv key: test-value version: 1 - name: my-other-secret source: backend: aws-secrets-manager value: secret-name version: "be01a5fb-7ebb-4ae9-8ea0-0902e8940bc0" ``` This contains a breaking change to the way that we specify config on links: ```yaml - type: link properties: namespace: wasmcloud package: postgres interfaces: [managed-query] target: name: sql-postgres secrets: - name: db-password source: backend: nats-kv key: myapp_db-password version: 1 ``` Instead of using `target_config` and `source_config`, this renames them to `target` and `source` respectively and adds keys for `config` and `secrets`. The name of the target is now now a key at the top level of the `target` block, as seen above. Signed-off-by: Dan Norris <protochron@users.noreply.github.com>
91ce72d
to
ca0028a
Compare
In wasmCloud#307 we introduced secrets support, which works by storing secrets references as config in NATS KV. This fixes a bug in the way that we were serializing the configuration as JSON where we were overwriting the policy field which is required.
In wasmCloud#307 we introduced secrets support, which works by storing secrets references as config in NATS KV. This fixes a bug in the way that we were serializing the configuration as JSON where we were overwriting the policy field which is required. Signed-off-by: Dan Norris <protochron@users.noreply.github.com>
In wasmCloud#307 we introduced secrets support, which works by storing secrets references as config in NATS KV. This fixes a bug in the way that we were serializing the configuration as JSON where we were overwriting the policy field which is required. Signed-off-by: Dan Norris <protochron@users.noreply.github.com>
In wasmCloud#307 we introduced secrets support, which works by storing secrets references as config in NATS KV. This fixes a bug in the way that we were serializing the configuration as JSON where we were overwriting the policy field which is required. Signed-off-by: Dan Norris <protochron@users.noreply.github.com>
In #307 we introduced secrets support, which works by storing secrets references as config in NATS KV. This fixes a bug in the way that we were serializing the configuration as JSON where we were overwriting the policy field which is required. Signed-off-by: Dan Norris <protochron@users.noreply.github.com>
Feature or Problem
This adds support for secrets in wasmCloud application manifests. The
secrets themselves are actually secret references as outlined in
wasmCloud/wasmCloud#2190. Just like config, secrets can be specified at
the component or provider level or on a link.
Secret references themselves are actually implemented as an additional
kind of config stored in the same config data bucket. However, I opted
to implement a dedicated scaler for secrets that is largely a clone of
the existing ConfigScaler since the underlying data type is very
different than the arbitrary set of key/value pairs we use for config.
An example of what this looks like in a component is shown below:
This contains a breaking change to the way that we specify config on
links:
Instead of using
target_config
andsource_config
, this renames themto
target
andsource
respectively and adds keys forconfig
andsecrets
. The name of the target is now a key at the toplevel of the
target
block, as seen above.Related Issues
Release Information
Consumer Impact
Testing
Unit Test(s)
Acceptance or Integration
Manual Verification