feat(gcp): get latest enabled secret#5131
Conversation
|
This PR introduces an implicit behavior where ESO starts to get random versions based on GCP SM latest version. It was done like that by design to have an explicit control of versions via the I would like to discuss it on a community meeting before merging, as this will introduce major breaking changes to users on GCP SM (which is a provider graded as generally available). |
|
Plus, it also increases the permission scope needed for the provider (which is yet another breaking change). |
|
It is marked as stable. We cannot break it. Releasing this would require an entirely new version for GCM. |
|
AS discussed in the community meeting - This is fine to be implemented as long as we have a configuration flag on the SecretStore. This behavior then should only be triggered if the appropriate configuration is set on that SecretStore. Default behavior should be the current behavior so no breaking changes are introduced. |
Just added this configuration flag 💪🏻 |
240f381 to
1bf9714
Compare
| // GetLatestEnabledSecret if true, the latest enabled secret version will be fetched | ||
| // +optional | ||
| // +default=false | ||
| GetLatestEnabledSecret bool `json:"getLatestEnabledSecret,omitempty"` |
There was a problem hiding this comment.
I mean this is very specific behavior, but imo (and also kubernetes API conventions), bools are an antipattern in specs. https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#primitive-types
Think twice about bool fields. Many ideas start as boolean but eventually trend towards a small set of mutually exclusive options. Plan for future expansions by describing the policy options explicitly as a string type alias (e.g. TerminationMessagePolicy).
There was a problem hiding this comment.
What else would you suggest to use here to signify that we want to have a toggle to enable new behaviour vs old while the new behaviour actually has no effect API-wise?
There was a problem hiding this comment.
I guess my entire point is that the behavior is not a toggle but a behavior "policy", so we could change this to:
// SecretVersionSelectionPolicy specifies how the provider selects a secret version
// when "latest" is disabled or destroyed.
//
// +kubebuilder:validation:Enum=LatestOrFail;LatestOrFetch
// +default=LatestOrFail
type SecretVersionSelectionPolicy string
const (
// SecretVersionSelectionPolicyLatestOrFail means the provider always uses "latest", or fails if that version is disabled/destroyed.
SecretVersionSelectionPolicyLatestOrFail SecretVersionSelectionPolicy = "LatestOrFail"
// SecretVersionSelectionPolicyLatestOrFetch behaves like SecretVersionSelectionPolicyLatestOrFail but falls back to fetching the latest version if the version is DESTROYED or DISABLED
SecretVersionSelectionPolicyLatestOrFetch SecretVersionSelectionPolicy = "LatestOrFetch"
)
that way we can add other behaviors later if desired or we notice other behaviors we want to add.
But again, its very specific so I dont think this is a must have.
There was a problem hiding this comment.
Interesting. Hm, I like the simplicity of the bool, but I also like the policy. :D I leave it up to you @itaispiegel.
There was a problem hiding this comment.
I believe a Policy is indeed better here. Who knows when an user will want to always fetch the second-to-last-counting-backwards-valid secret? 😆
There was a problem hiding this comment.
:D Alright. Let's move with that then. :)
There was a problem hiding this comment.
I think it makes sense, so just updated the PR accordingly with the new field you suggested 😄
|
@itaispiegel do you mind incorporating the latest changes discussed in the maintainer review? Thanks so much! |
Sure thing! I haven’t had the chance to get to it yet, but I’ll aim to take care of it this week 🙏🏻 |
1e7346c to
650348f
Compare
|
Hi, I finally found some time to address the review 🙏🏻 |
|
Just run |
64765ae to
18f0d91
Compare
Oops, I didn't notice 😅 |
|
Damn, yeah. It's super hard to mock the iterator. What a nightmare. |
c1144d5 to
b1e2c72
Compare
|
@Skarlso @gusfcarvalho @jakobmoellerdev hey guys, what's required so we can merge this PR? 😄 |
|
@itaispiegel Ah sorry, did you do the thing then in the comment? All good, can we check again? :) |
Yes, I addressed the comment regarding the policy configuration field. The only thing I hadn't addressed is implementing unit tests. As I've explained in an earlier comment, this is a bit too complex at this stage, as Google doesn't provide a convenient method to mock the secret iterator. |
|
Thanks! Will take a look as soon as I can. :) |
|
/ok-to-test sha=b1e2c7268360a747529810e62006ff9201f379eb |
Signed-off-by: Itai Spiegel <itai.spiegel@gmail.com>
Signed-off-by: Itai Spiegel <itai.spiegel@gmail.com>
Signed-off-by: Itai Spiegel <itai.spiegel@gmail.com>
Signed-off-by: Itai Spiegel <itai.spiegel@gmail.com>
Signed-off-by: Itai Spiegel <itai.spiegel@gmail.com>
Signed-off-by: Itai Spiegel <itai.spiegel@gmail.com>
b1e2c72 to
7620565
Compare
|
@itaispiegel Ah, could you sign the commit please? Then I can approve and this is good to go. :) |
Signed-off-by: Itai Spiegel <itai.spiegel@gmail.com>
0e53411 to
e9c0218
Compare
You're right, I forgot to sign the commit! |
|
* Get latest enabled secret Signed-off-by: Itai Spiegel <itai.spiegel@gmail.com> * Add a feature flag to control the new behavior Signed-off-by: Itai Spiegel <itai.spiegel@gmail.com> * Simplify conditions Signed-off-by: Itai Spiegel <itai.spiegel@gmail.com> * Replace boolean field with string field Signed-off-by: Itai Spiegel <itai.spiegel@gmail.com> * Add test for LatestOrFail policy Signed-off-by: Itai Spiegel <itai.spiegel@gmail.com> * Fix golangci Signed-off-by: Itai Spiegel <itai.spiegel@gmail.com> * Fix CI Signed-off-by: Itai Spiegel <itai.spiegel@gmail.com> * Fix metrics.ObserveAPICall Signed-off-by: Itai Spiegel <itai.spiegel@gmail.com> --------- Signed-off-by: Itai Spiegel <itai.spiegel@gmail.com> Signed-off-by: Samuel Molling <samuelmolling@gmail.com>
Problem Statement
When using External Secrets Operator (ESO) with Google Secret Manager (GSM), fetching a secret fails if the secret has multiple versions where the latest version is destroyed but an older version is still enabled.
Example: a secret has versions 1 (enabled) and 2 (destroyed). ESO appears to check both versions/latest and the latest active version; the call against versions/latest fails because that points to the destroyed v2, causing the whole fetch to fail even though v1 is valid.
Related Issue
Fixes #5129
Proposed Changes
Implement
GetSecretto fetch latest enabled secret, if the latest is destroyed or disabled.Checklist
git commit --signoffmake testmake reviewable(wasn't able to run this on my setup 😢)