Add new secret types to Applications.Core/secretstores #7816
Conversation
lakshmimsft
force-pushed
the
lakshmimsft/secretStoresType
branch
from
4a6058a to
5f3023b
Compare
| @@ -106,6 +106,12 @@ func toSecretStoreDataTypeDataModel(src *SecretStoreDataType) datamodel.SecretTy | |||
| return datamodel.SecretTypeGeneric | |||
There was a problem hiding this comment.
lets add validations here during conversion if the required keys are present for the particular type. ex: "clientID" and "tenantID" keys should be present for type "azureWorkloadIdentity" type
There was a problem hiding this comment.
We discussed offline. Currently validations are included in
in line with other validations required for creating this resource. This function is accessed by controller here:radius/pkg/corerp/setup/setup.go
Line 172 in e577624
including @kachawla to confirm this is the right approach.
lakshmimsft
force-pushed
the
lakshmimsft/secretStoresType
branch
from
d1437c4 to
e577624
Compare
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #7816 +/- ##
==========================================
- Coverage 61.08% 61.03% -0.05%
==========================================
Files 523 523
Lines 27474 27493 +19
==========================================
- Hits 16782 16781 -1
- Misses 9210 9226 +16
- Partials 1482 1486 +4 ☔ View full report in Codecov by Sentry. |
lakshmimsft
temporarily deployed
to
functional-tests
GitHub Actions
Inactive
Radius functional test overview
Click here to see the list of tools in the current test run
Test Status⌛ Building Radius and pushing container images for functional tests... |
lakshmimsft
force-pushed
the
lakshmimsft/secretStoresType
branch
from
e577624 to
d3e04e8
Compare
lakshmimsft
temporarily deployed
to
functional-tests
GitHub Actions
Inactive
Radius functional test overview
Click here to see the list of tools in the current test run
Test Status⌛ Building Radius and pushing container images for functional tests... |
| newResource := testutil.MustGetTestData[datamodel.SecretStore](testFileCertValueFrom) | ||
| newResource.Properties.Resource = "" | ||
| resp, err := ValidateAndMutateRequest(context.TODO(), newResource, oldResource, nil) | ||
| tests := []struct { |
lakshmimsft
force-pushed
the
lakshmimsft/secretStoresType
branch
from
d3e04e8 to
babef6d
Compare
lakshmimsft
temporarily deployed
to
functional-tests
GitHub Actions
Inactive
Radius functional test overview
Click here to see the list of tools in the current test run
Test Status⌛ Building Radius and pushing container images for functional tests... |
pkg/corerp/datamodel/secretstore.go
Outdated
| // SecretTypeAzureWorkloadIdentity is the azureFederatedIdentity secret type. | ||
| SecretTypeAzureWorkloadIdentity SecretType = "azureWorkloadIdentity" |
There was a problem hiding this comment.
| // SecretTypeAzureWorkloadIdentity is the azureFederatedIdentity secret type. | |
| SecretTypeAzureWorkloadIdentity SecretType = "azureWorkloadIdentity" | |
| // SecretTypeAzureWorkloadIdentity is the azureWorkloadIdentity secret type. | |
| SecretTypeAzureWorkloadIdentity SecretType = "azureWorkloadIdentity" |
There was a problem hiding this comment.
nit: pkg/corerp/frontend/controller/secretstores/testdata/secretstores_datamodel_awsirsa.json
There was a problem hiding this comment.
nit: pkg/corerp/frontend/controller/secretstores/testdata/secretstores_datamodel_azwi.json
There was a problem hiding this comment.
nit: pkg/corerp/frontend/controller/secretstores/testdata/secretstores_datamodel_basicauth.json
There was a problem hiding this comment.
nit: pkg/corerp/frontend/controller/secretstores/testdata/secretstores_datamodel_basicauth_invalid.json
lakshmimsft
force-pushed
the
lakshmimsft/secretStoresType
branch
from
babef6d to
b5527f7
Compare
lakshmimsft
temporarily deployed
to
functional-tests
GitHub Actions
Inactive
Radius functional test overview
Click here to see the list of tools in the current test run
Test Status⌛ Building Radius and pushing container images for functional tests... |
lakshmimsft
temporarily deployed
to
functional-tests
GitHub Actions
Inactive
Radius functional test overview
Click here to see the list of tools in the current test run
Test Status⌛ Building Radius and pushing container images for functional tests... |
| @@ -79,7 +79,7 @@ model RecipeConfigProperties { | |||
| @doc("Configuration for Terraform Recipes. Controls how Terraform plans and applies templates as part of Recipe deployment.") | |||
| terraform?: TerraformConfigProperties; | |||
|
|
|||
| @doc("Environment variables injected during Terraform Recipe execution for the recipes in the environment.") | |||
| @doc("Environment variables injected during recipe execution for the recipes in the environment.") | |||
There was a problem hiding this comment.
@lakshmimsft what's causing this to change?
There was a problem hiding this comment.
Correcting the comment to indicate environment variables schema is part of RecipeConfigProperties and is not intended to be specific to Terraform execution.
There was a problem hiding this comment.
@lakshmimsft it is specific to Terraform though at this point. Unless we are actually injecting these env vars for non-Terraform recipes, we shouldn't indicate it is. As a user, I'd then set it assuming it works for bicep as well, which it doesn't.
There was a problem hiding this comment.
This was a question asked in a design meeting: radius-project/design-notes#53 (comment)
Perhaps the comment should be more clear, eg: Environment variables injected during recipe execution for the recipes in the environment, currently supported for Terraform recipes.
Updated in in #7867
| @doc("basicAuthentication type is used to represent username and password based authentication and the secretstore resource is expected to have the keys 'username' and 'password'.") | ||
| basicAuthentication, | ||
|
|
||
| @doc("azureWorkloadIdentity type is used to represent registry authentication using azure federated identity and the secretstore resource is expected to have the keys 'clientId' and 'tenantId'.") |
There was a problem hiding this comment.
Do we need to call out "registry authentication" here? This resource is/can be referenced in multiple places with use cases being not limited to ACR. I'd also get PMs eyes on these user facing descriptions.
There was a problem hiding this comment.
cc @vishwahiremat, @Reshrahim . referring to link
There was a problem hiding this comment.
I agree with not specifying registry here as it can be referenced elsewhere as well.
| @doc("azureWorkloadIdentity type is used to represent registry authentication using azure federated identity and the secretstore resource is expected to have the keys 'clientId' and 'tenantId'.") | |
| @doc("azureWorkloadIdentity type is used to represent authentication using azure federated identity and the secretstore resource is expected to have the keys 'clientId' and 'tenantId'.") |
There was a problem hiding this comment.
| @doc("azureWorkloadIdentity type is used to represent registry authentication using azure federated identity and the secretstore resource is expected to have the keys 'clientId' and 'tenantId'.") | |
| @doc("azureWorkloadIdentity type is used to represent authentication using azure workload identity and the secretstore resource is expected to have the keys 'clientId' and 'tenantId'.") |
There was a problem hiding this comment.
I think it is referenced as Azure workload identity and not federated identity in the docs
There was a problem hiding this comment.
Thanks @Reshrahim. What are your thoughts on explicitly mentioned "registry" authentication? Secret store resource is not limited to supporting management of secrets only for the use case of registries.
There was a problem hiding this comment.
Yeah sorry din notice the comment above. I agree with your comment of calling it as authentication as the uses cases can be outside of registries
There was a problem hiding this comment.
Thanks for confirming @Reshrahim.
@vishwahiremat @lakshmimsft - could one of you please update this as per Reshma's feedback?
| @doc("azureWorkloadIdentity type is used to represent registry authentication using azure federated identity and the secretstore resource is expected to have the keys 'clientId' and 'tenantId'.") | ||
| azureWorkloadIdentity, | ||
|
|
||
| @doc("awsIRSA type is used to represent registry authentication using AWS IRSA(IAM Roles for Service accounts) and the secretstore resource is expected to have the keys 'roleARN'.") |
There was a problem hiding this comment.
Same as above.
Couple of nits (can't add suggestions since the PR is merged):
- Missing space between
IRSAand( keyinstead ofkeys
| RequiredUsername = "username" | ||
| RequiredPassword = "password" | ||
| RequiredClientId = "clientId" | ||
| RequiredTenantId = "tenantId" | ||
| RequiredRoleARN = "roleARN" |
There was a problem hiding this comment.
The prefix Required is confusing, maybe I'm not following the thought process? They are the expected keys in the resource, so in general for such variables the convention is to add a key suffix, <key_name>Key, so it would be UsernameKey for example.
There was a problem hiding this comment.
updated in in #7867
| @@ -19,4 +19,11 @@ package secretstores | |||
| const ( | |||
| // ResourceTypeName is the resource type name for secret stores. | |||
| ResourceTypeName = "Applications.Core/secretStores" | |||
|
|
|||
| // The following are possible required keys in a SecretStore depending on it's SecretType | |||
There was a problem hiding this comment.
nit: let's not use different comment formats within the same file (example above for ResourceTypeName).
| @@ -75,8 +78,15 @@ func getOrDefaultEncoding(t datamodel.SecretType, e datamodel.SecretValueEncodin | |||
| return e, err | |||
| } | |||
|
|
|||
| // Define a map of required keys for each SecretType | |||
| var requiredKeys = map[datamodel.SecretType][]string{ | |||
There was a problem hiding this comment.
This seems to be only referenced from ValidateAndMutateRequest function so I'd assume it should be scoped to that. Could you tell me more about the motivation to define it here?
There was a problem hiding this comment.
moved into function: #7867
| case datamodel.SecretTypeBasicAuthentication: | ||
| return to.Ptr(SecretStoreDataTypeBasicAuthentication) | ||
| case datamodel.SecretTypeAzureWorkloadIdentity: | ||
| return to.Ptr(SecretStoreDataTypeAzureWorkloadIdentity) | ||
| case datamodel.SecretTypeAWSIRSA: | ||
| return to.Ptr(SecretStoreDataTypeAwsIRSA) |
There was a problem hiding this comment.
Should a unit test be added?
Description
Add new types to Applications.Core/secretstores (basicAuthentication, azureWorkloadIdentity, awsIRSA)
Update convertor, tests.
Update existing ValidateAndMutateRequest() in /pkg/corerp/frontend/controller/secretstores/kubernetes.go
to check if required secret keys exist for current secret type. Add to existing unit tests.
Type of change
Fixes: Part of #6917