Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: refactor secret service and secret backend service to use the new atomic run #18106

Open
wants to merge 15 commits into
base: main
Choose a base branch
from
Open

feat: refactor secret service and secret backend service to use the new atomic run #18106

wants to merge 15 commits into from

Conversation

ycliuhw
Copy link
Member

@ycliuhw ycliuhw commented Sep 17, 2024
edited by jira bot
Loading

This PR refactored secret and secretbackend domain packages to run state calls in the same transaction using the new atomic run.
No feature changes.

Checklist

  • Code style: imports ordered, good names, simple structure, etc
  • Comments saying why design decisions were made
  • Go unit tests, with comments saying what you're testing
  • Integration tests, with comments saying what you're testing
  • doc.go added or updated in changed packages

QA steps

unit tests and bash tests.

go test -race -v ./domain/secret/... -test.timeout=600s -check.v

go test -race -v ./domain/secretbackend/... -test.timeout=600s -check.v

bash -ex ./main.sh -v -c aws -p ec2 -x output.txt -s '""' secrets_iaas test_secrets_vault

bash -ex ./main.sh -v -c microk8s -p k8s -x output.txt -s '""' secrets_k8s test_user_secrets

Documentation changes

No

Links

Jira card: JUJU-6268

@ycliuhw ycliuhw added do not merge Even if a PR has been approved, do not merge the PR! 4.0 labels Sep 17, 2024
@ycliuhw ycliuhw changed the title Refactor secret service atomic feat: refactor secret service and secret backend service to use the new atomic run Sep 17, 2024
@ycliuhw ycliuhw removed the do not merge Even if a PR has been approved, do not merge the PR! label Sep 18, 2024
@ycliuhw ycliuhw marked this pull request as ready for review September 18, 2024 07:36
@ycliuhw ycliuhw force-pushed the refactor-secret-service-atomic branch from 8ae4db2 to c6bdbf0 Compare September 18, 2024 23:07
wallyworld
wallyworld requested changes Sep 19, 2024
View reviewed changes
Copy link
Member

@wallyworld wallyworld left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The permission checks can't be done inside the txn; to clarify - the calls to check leadership must be done outside the txn. The rest of the db lookups can occur inside the txn.

domain/secret/service/access.go Outdated Show resolved Hide resolved
domain/secret/service/service_test.go Outdated Show resolved Hide resolved
domain/secretbackend/state/package_test.go Outdated Show resolved Hide resolved
domain/secret/service/consume.go Outdated Show resolved Hide resolved
domain/secret/service/service.go Outdated Show resolved Hide resolved
@ycliuhw ycliuhw force-pushed the refactor-secret-service-atomic branch from 18f6983 to 358ba9d Compare September 19, 2024 07:00
wallyworld
wallyworld reviewed Sep 23, 2024
View reviewed changes
Copy link
Member

@wallyworld wallyworld left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A few questions to discuss.

domain/secret/service/access.go Outdated Show resolved Hide resolved
domain/secret/service/exportimport.go Outdated Show resolved Hide resolved
domain/secret/service/exportimport.go Outdated Show resolved Hide resolved
domain/secret/service/service.go Outdated Show resolved Hide resolved
domain/secret/service/service.go Show resolved Hide resolved
domain/secret/service/service.go Outdated Show resolved Hide resolved
domain/secretbackend/state/state_test.go Outdated Show resolved Hide resolved
domain/secretbackend/state/package_test.go Outdated Show resolved Hide resolved
wallyworld
wallyworld reviewed Sep 25, 2024
View reviewed changes
Copy link
Member

@wallyworld wallyworld left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for progress. Couple of additional comments.

domain/secretbackend/state/package_test.go Outdated Show resolved Hide resolved
domain/secretbackend/service/modelsecretbackendservice.go Outdated Show resolved Hide resolved
domain/secret/types.go Outdated Show resolved Hide resolved
domain/secret/service/exportimport.go Outdated Show resolved Hide resolved
domain/secret/service/service.go Outdated Show resolved Hide resolved
wallyworld
wallyworld approved these changes Sep 26, 2024
View reviewed changes
Copy link
Member

@wallyworld wallyworld left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you. Just a few small things and a couple of things to follow up on. We can land this and make progress.

domain/secret/service/exportimport.go Outdated Show resolved Hide resolved
domain/secret/service/exportimport.go Outdated Show resolved Hide resolved
domain/secret/service/service.go Outdated Show resolved Hide resolved
domain/secret/types.go Outdated Show resolved Hide resolved
domain/secret/state/state.go Show resolved Hide resolved
domain/secret/state/types.go Show resolved Hide resolved
@ycliuhw ycliuhw force-pushed the refactor-secret-service-atomic branch from bcd4bf0 to 0e59fb7 Compare September 26, 2024 23:21
@ycliuhw ycliuhw force-pushed the refactor-secret-service-atomic branch from 0e59fb7 to 82e2835 Compare September 26, 2024 23:25
SimonRichardson
SimonRichardson requested changes Sep 27, 2024
View reviewed changes
Copy link
Member

@SimonRichardson SimonRichardson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I want @manadart to approve this before landing.

manadart
manadart reviewed Sep 30, 2024
View reviewed changes
Copy link
Member

@manadart manadart left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some comments based on a once over.

There is a lot to be done here to get what I would view as correct use of RunAtomic.

This patch is too big. I would attack one service method at a time rather than trying to do everything at once and needing rounds of follow-ups.

domain/secret/state/state.go
}

err = db.Txn(ctx, func(ctx context.Context, tx *sqlair.TX) error {
return domain.Run(ctx, func(ctx context.Context, tx *sqlair.TX) error {
if err := st.createSecret(ctx, tx, version, uri, secret, st.checkUserSecretLabelExists); err != nil {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The closure passed here does validation that should be invoked at the service layer.

domain/secret/state/state.go
label := ""
if secret.Label != nil {
label = *secret.Label
}
err = db.Txn(ctx, func(ctx context.Context, tx *sqlair.TX) error {
return domain.Run(ctx, func(ctx context.Context, tx *sqlair.TX) error {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The UUID by name retrieval in this block should be done up in the service.

domain/secret/state/state.go
label := ""
if secret.Label != nil {
label = *secret.Label
}
err = db.Txn(ctx, func(ctx context.Context, tx *sqlair.TX) error {
return domain.Run(ctx, func(ctx context.Context, tx *sqlair.TX) error {
dbSecretOwner := secretUnitOwner{SecretID: uri.ID, Label: label}

selectUnitUUID := `SELECT &unit.uuid FROM unit WHERE name=$unit.name`
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same here.

domain/secret/state/state.go
}

// UpdateSecret creates a secret with the specified parameters, returning an
// error satisfying [secreterrors.SecretNotFound] if the secret does not exist.
// It also returns an error satisfying [secreterrors.SecretLabelAlreadyExists]
// if the secret owner already has a secret with the same label.
func (st State) UpdateSecret(
ctx context.Context, uri *coresecrets.URI, secret domainsecret.UpsertSecretParams,
ctx domain.AtomicContext, uri *coresecrets.URI, secret domainsecret.UpsertSecretParams,
) error {
if !secret.HasUpdate() {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Validation for the service layer.

domain/secret/state/state.go
}
revisionResult = make([][]*domainsecret.SecretRevision, len(secrets))
for i, secret := range secrets {
revisionResult[i], err = st.listSecretRevisionsWithData(ctx, tx, secret.URI)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Potato. Surely we can get this all at once.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@manadart manadart manadart left review comments

@SimonRichardson SimonRichardson SimonRichardson requested changes

@wallyworld wallyworld wallyworld approved these changes

@hpidcock hpidcock Awaiting requested review from hpidcock

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
4.0 has merge conflicts
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@ycliuhw @manadart @SimonRichardson @wallyworld @hpidcock