Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[DPE-3654] Peer cluster data stored in a secret #463

Merged
merged 18 commits into from
Jan 23, 2025

Conversation

skourta
Copy link
Contributor

@skourta skourta commented Sep 27, 2024

Issue

The data of the peer cluster relation was stored in the app data bag in text format including passwords and sensitive data.

Solution

Move the data of the peer cluster relation to a juju secret

@skourta skourta force-pushed the DPE-3654-peer-cluster-secret branch from 376e526 to 52d9410 Compare September 30, 2024 10:25
@reneradoi reneradoi self-requested a review October 16, 2024 13:30
Copy link
Contributor

@Mehdi-Bendriss Mehdi-Bendriss left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks Smail.

Having the rel data as a whole as part of the secrets makes us lose valuable information from the relation.

I would rather:

  • we keep the relation flow as it was and just replace the plaintext values of the passwords etc.. by their secret labels in the relation data.
  • grant access to all these secrets to the consumers
  • consumer is able to fetch the content from these labels
  • when a secret changes, we'll have to trigger a rel changed event for the consumers to see it (or do we if the secrets are already granted?)

Copy link
Contributor

@reneradoi reneradoi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey Smail, thanks for tackling this topic! I think it needs some adjustments as we are currently mixing using the opensearch_secrets.py class and accessing secrets directly through the model, especially in the _grant_rel_data_secrets() method. This should be avoided, if possible, and methods missing the in opensearch_secrets class should be added there. This is to make sure we have a clean interface with the secrets, and don't have to adjust multiple places in the code of the ops-implementation of secrets changes.

lib/charms/opensearch/v0/opensearch_secrets.py Outdated Show resolved Hide resolved
@reneradoi reneradoi self-requested a review October 25, 2024 13:02
reneradoi
reneradoi previously approved these changes Oct 25, 2024
Copy link
Contributor

@reneradoi reneradoi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for applying all the changes I asked for!

phvalguima
phvalguima previously approved these changes Nov 5, 2024
Copy link
Contributor

@phvalguima phvalguima left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am approving it, but if we have to do any changes on this PR still, @skourta, can you add the TODO notes as described? Also, we should make sure the backup tests are passing in our CI, as they depend on the secret exchanges.

):
redacted_dict["credentials"]["s3"] = {
"access-key": self.secrets.get_secret_id(Scope.APP, "s3-access-key"),
"secret-key": self.secrets.get_secret_id(Scope.APP, "s3-secret-key"),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Likewise, this secret should be caught straight from the s3 relation, once it supports granting secrets around.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

and it should be only one s3 secret, not 2 like we currently do

Copy link
Contributor

@Mehdi-Bendriss Mehdi-Bendriss left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks Smail. Good job. This looks good overall. I left some comments.

lib/charms/opensearch/v0/opensearch_peer_clusters.py Outdated Show resolved Hide resolved
lib/charms/opensearch/v0/opensearch_peer_clusters.py Outdated Show resolved Hide resolved
):
redacted_dict["credentials"]["s3"] = {
"access-key": self.secrets.get_secret_id(Scope.APP, "s3-access-key"),
"secret-key": self.secrets.get_secret_id(Scope.APP, "s3-secret-key"),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

and it should be only one s3 secret, not 2 like we currently do

Mehdi-Bendriss
Mehdi-Bendriss previously approved these changes Jan 17, 2025
Mehdi-Bendriss
Mehdi-Bendriss previously approved these changes Jan 17, 2025
reneradoi
reneradoi previously approved these changes Jan 17, 2025
Copy link
Contributor

@reneradoi reneradoi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Re-approval after this PR had already been reviewed from my side previously.

@skourta skourta dismissed stale reviews from reneradoi and Mehdi-Bendriss via d5d9e36 January 22, 2025 09:17
@skourta skourta requested a review from reneradoi January 22, 2025 09:19
@skourta skourta merged commit b16bb32 into 2/edge Jan 23, 2025
35 of 39 checks passed
@skourta skourta deleted the DPE-3654-peer-cluster-secret branch January 23, 2025 08:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants