chore: improve secretmanager on edge case handling #3274
Conversation
yuwenma
force-pushed
the
secret-version
branch
from
5af3051 to
374ea58
Compare
| @@ -19,14 +20,13 @@ spec: | |||
| userManaged: | |||
| replicas: | |||
| - location: us-central1 | |||
| resourceID: secretmanagersecret-${uniqueId} | |||
There was a problem hiding this comment.
TF always add the spec.resourceID even if state-into-spec: absent
| "label-one": "value-one", | ||
| "cnrm-test": "true", |
There was a problem hiding this comment.
(regression?) TF-based uses metadata.labels + managed-by-cnrm - system labels , the direct uses spec.labels + managed-by-cnrm.
There was a problem hiding this comment.
I think that's a behavioural change. It agree with the direction, but I think it needs a design as it's a big topic.
| @@ -3,17 +3,20 @@ kind: SecretManagerSecretVersion | |||
| metadata: | |||
| annotations: | |||
| cnrm.cloud.google.com/management-conflict-prevention-policy: none | |||
| cnrm.cloud.google.com/observed-secret-versions: (removed) | |||
There was a problem hiding this comment.
This is a legacy annotation. The TF-based approach builds a mechanism around this annotation to determine if a sensitive data is changed.
| labels: | ||
| cnrm-test: "true" | ||
| name: secretmanagersecretversion-${uniqueId} | ||
| namespace: ${uniqueId} | ||
| spec: | ||
| enabled: false | ||
| resourceID: "1" |
There was a problem hiding this comment.
secret version is a service-genereated-ID resource, that TF_based always write back to spec.resourceID. In the direct approach, we use status.externalRef instead.
There was a problem hiding this comment.
I think that's technically a regression, but I think it's a minor one. So I think if we add this to the release notes (which you can do in this PR if we have a release note file on the go) then I think that's reasonable.
There was a problem hiding this comment.
Besides the basic test suite, I also added full test suite, where the TF-based controller cannot reconcile correctly because it assume a mutable field is immutable.
Here's the error, and here's the tracking issue with more details.
yuwenma
force-pushed
the
secret-version
branch
from
91a7af6 to
c871e6a
Compare
| actualExternalRef, _, err2 = unstructured.NestedString(u.Object, "status", "name") | ||
| if err2 != nil { | ||
| err2 = fmt.Errorf("SecretManagerSecret `status.name` not configured: %w", err2) | ||
| return "", fmt.Errorf("%w\n%w", err1, err2) |
There was a problem hiding this comment.
Nit: I think errors.Join is good here
| // | ||
| // Label keys must be between 1 and 63 characters long, have a UTF-8 encoding | ||
| // of maximum 128 bytes, and must conform to the following PCRE regular | ||
| // expression: `[\p{Ll}\p{Lo}][\p{Ll}\p{Lo}\p{N}_-]{0,62}` |
There was a problem hiding this comment.
Is this regex from our proto? Can we express it in human?
| "label-one": "value-one", | ||
| "cnrm-test": "true", |
There was a problem hiding this comment.
I think that's a behavioural change. It agree with the direction, but I think it needs a design as it's a big topic.
| labels: | ||
| cnrm-test: "true" | ||
| name: secretmanagersecretversion-${uniqueId} | ||
| namespace: ${uniqueId} | ||
| spec: | ||
| enabled: false | ||
| resourceID: "1" |
There was a problem hiding this comment.
I think that's technically a regression, but I think it's a minor one. So I think if we add this to the release notes (which you can do in this PR if we have a release note file on the go) then I think that's reasonable.
| @@ -84,6 +84,22 @@ spec: | |||
| is scheduled to expire. This is always provided on output, regardless | |||
| of what was sent on input. | |||
| type: string | |||
| labels: | |||
There was a problem hiding this comment.
I think this is what needs a separate design, I'm afraid.
| resource := SecretManagerSecretSpec_ToProto(mapCtx, &desired.Spec) | ||
| if mapCtx.Err() != nil { | ||
| return mapCtx.Err() | ||
| } | ||
|
|
||
| resource.Annotations = ComputeAnnotations(desired) |
There was a problem hiding this comment.
Are we also dropping support for annotations? I think that should be mentioned in the labels design, but I don't think it is as tricky because it's not as widely used.
I'm not even sure if terraform maps metadata.annotations -> GCP annotations - does it?
| @@ -262,6 +239,10 @@ func (a *Adapter) Update(ctx context.Context, op *directbase.UpdateOperation) er | |||
| if mapCtx.Err() != nil { | |||
| return mapCtx.Err() | |||
| } | |||
| // Set externalRef. This field is empty after migration from the TF-based controller to the direct. | |||
There was a problem hiding this comment.
Can we still go back to the terraform controller after creating resources with the direction controller? i.e. does it matter if spec.resourceID is not set? (Is it always == metadata.name?)
There was a problem hiding this comment.
Secret is not service generated ID resource (SecretVersion does). So it can switch back to use the TF-based controller. The real problem on using the TF-based controller is that the Secret spec.rotation.rotationPeriod is broken. If user configures that fields in Direct and switched back to TF-based, it no longer works.
| @@ -164,6 +164,19 @@ func (a *SecretVersionAdapter) Create(ctx context.Context, createOp *directbase. | |||
| } | |||
| log.V(2).Info("successfully created SecretVersion", "name", a.id) | |||
|
|
|||
| // The default status for newly created resource is "enabled". | |||
There was a problem hiding this comment.
This is a bummer, but I verified that this is indeed the behaviour!
yuwenma
force-pushed
the
secret-version
branch
from
ab3567b to
bbb6602
Compare
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: justinsb The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
google-oss-prow
bot
merged commit caaedb4
into
GoogleCloudPlatform:master
Change description
Fixes #
Tests you have done
make ready-prto ensure this PR is ready for review.