Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Secrets: change Keeper schema to treat updates as PUT operation #98325

Merged
merged 4 commits into from
Jan 2, 2025
Merged

Secrets: change Keeper schema to treat updates as PUT operation #98325

merged 4 commits into from
Jan 2, 2025
+72 −29

Conversation

macabu
Copy link
Contributor

@macabu macabu commented Dec 20, 2024
edited
Loading

We have the following yaml, which we use to create a new Keeper.

apiVersion: secret.grafana.app/v0alpha1
kind: Keeper
metadata:
  name: aws-xyz
spec:
  title: AWS XYZ value
  aws:
    accessKeyId: 
      valueFromEnv: ACCESS_KEY_ID_XYZ
    secretAccessKey:
      valueFromEnv: SECRET_ACCESS_KEY_XYZ

If we try to update this keeper, by changing it from aws to gcp for example:

apiVersion: secret.grafana.app/v0alpha1
kind: Keeper
metadata:
  name: aws-xyz
spec:
  title: AWS XYZ value
  gcp:
    projectId: project-id 
    credentialsFile: /path/to/file.json

This would fail. By default Kubernetes will try to merge fields on an UPDATE, which means the final spec would both have aws and gcp.

And that's the main change of this PR, which alters the strategy used when patching (updating) Keepers. Instead of merging, we will replace the whole spec.

There's a trade-off. While we gain flexibility by being able to completely change all fields of the spec, we aren't able to issue partial updates (patches) anymore.

If after creating the initial keeper, we tried to update its title:

apiVersion: secret.grafana.app/v0alpha1
kind: Keeper
metadata:
  name: aws-xyz
spec:
  title: My New Title

This would not work, because the validation would be missing a keeper configuration, since that's replace.

While before the change, it would use the aws field from the old object, and the title from the new, merging them.

I think that for now keeping the updates working as a PUT verb rather than PATCH is easier to reason about, but we can discuss it if needed.

Reference material I used:

@macabu macabu added no-backport Skip backport of PR no-changelog Skip including change in changelog/release notes labels Dec 20, 2024
@macabu macabu marked this pull request as ready for review December 20, 2024 15:21
@macabu macabu requested a review from a team as a code owner December 20, 2024 15:21
@macabu macabu force-pushed the macabu/secrets-minor-schema-fixes-update branch from 013b025 to 7b665dd Compare January 2, 2025 10:16
@macabu macabu force-pushed the macabu/secrets-minor-schema-fixes-update branch from 7b665dd to 5b87754 Compare January 2, 2025 10:19
@macabu macabu force-pushed the macabu/secrets-minor-schema-fixes-update branch from 5b87754 to 29c36f0 Compare January 2, 2025 10:21
dana-axinte
dana-axinte approved these changes Jan 2, 2025
View reviewed changes
Copy link
Contributor

@dana-axinte dana-axinte left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔥

@macabu macabu merged commit 5362f12 into secret-service/feature-branch Jan 2, 2025
9 of 10 checks passed
@macabu macabu deleted the macabu/secrets-minor-schema-fixes-update branch January 2, 2025 13:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dana-axinte dana-axinte dana-axinte approved these changes

@PoorlyDefinedBehaviour PoorlyDefinedBehaviour PoorlyDefinedBehaviour approved these changes

Assignees
No one assigned
Labels
area/backend no-backport Skip backport of PR no-changelog Skip including change in changelog/release notes
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@macabu @PoorlyDefinedBehaviour @dana-axinte