Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[DPE-3654] Peer cluster data stored in a secret #463

Open
wants to merge 17 commits into
base: 2/edge
Choose a base branch
from
Open

[DPE-3654] Peer cluster data stored in a secret #463

wants to merge 17 commits into from
+234 −41

Conversation

skourta
Copy link
Contributor

@skourta skourta commented Sep 27, 2024

Issue

The data of the peer cluster relation was stored in the app data bag in text format including passwords and sensitive data.

Solution

Move the data of the peer cluster relation to a juju secret

@skourta skourta force-pushed the DPE-3654-peer-cluster-secret branch from 376e526 to 52d9410 Compare September 30, 2024 10:25
@reneradoi reneradoi self-requested a review October 16, 2024 13:30
Mehdi-Bendriss
Mehdi-Bendriss requested changes Oct 17, 2024
View reviewed changes
Copy link
Contributor

@Mehdi-Bendriss Mehdi-Bendriss left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks Smail.

Having the rel data as a whole as part of the secrets makes us lose valuable information from the relation.

I would rather:

  • we keep the relation flow as it was and just replace the plaintext values of the passwords etc.. by their secret labels in the relation data.
  • grant access to all these secrets to the consumers
  • consumer is able to fetch the content from these labels
  • when a secret changes, we'll have to trigger a rel changed event for the consumers to see it (or do we if the secrets are already granted?)

reneradoi
reneradoi requested changes Oct 18, 2024
View reviewed changes
Copy link
Contributor

@reneradoi reneradoi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey Smail, thanks for tackling this topic! I think it needs some adjustments as we are currently mixing using the opensearch_secrets.py class and accessing secrets directly through the model, especially in the _grant_rel_data_secrets() method. This should be avoided, if possible, and methods missing the in opensearch_secrets class should be added there. This is to make sure we have a clean interface with the secrets, and don't have to adjust multiple places in the code of the ops-implementation of secrets changes.

lib/charms/opensearch/v0/opensearch_relation_peer_cluster.py Outdated Show resolved Hide resolved
lib/charms/opensearch/v0/opensearch_secrets.py Outdated Show resolved Hide resolved
lib/charms/opensearch/v0/opensearch_relation_peer_cluster.py Outdated Show resolved Hide resolved
lib/charms/opensearch/v0/opensearch_relation_peer_cluster.py Outdated Show resolved Hide resolved
lib/charms/opensearch/v0/opensearch_relation_peer_cluster.py Outdated Show resolved Hide resolved
@reneradoi reneradoi self-requested a review October 25, 2024 13:02
reneradoi
reneradoi previously approved these changes Oct 25, 2024
View reviewed changes
Copy link
Contributor

@reneradoi reneradoi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for applying all the changes I asked for!

phvalguima
phvalguima previously approved these changes Nov 5, 2024
View reviewed changes
Copy link
Contributor

@phvalguima phvalguima left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am approving it, but if we have to do any changes on this PR still, @skourta, can you add the TODO notes as described? Also, we should make sure the backup tests are passing in our CI, as they depend on the secret exchanges.

lib/charms/opensearch/v0/opensearch_relation_peer_cluster.py Show resolved Hide resolved
lib/charms/opensearch/v0/opensearch_relation_peer_cluster.py
):
redacted_dict["credentials"]["s3"] = {
"access-key": self.secrets.get_secret_id(Scope.APP, "s3-access-key"),
"secret-key": self.secrets.get_secret_id(Scope.APP, "s3-secret-key"),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Likewise, this secret should be caught straight from the s3 relation, once it supports granting secrets around.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

and it should be only one s3 secret, not 2 like we currently do

Mehdi-Bendriss
Mehdi-Bendriss reviewed Nov 21, 2024
View reviewed changes
Copy link
Contributor

@Mehdi-Bendriss Mehdi-Bendriss left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks Smail. Good job. This looks good overall. I left some comments.

lib/charms/opensearch/v0/opensearch_peer_clusters.py Outdated Show resolved Hide resolved
lib/charms/opensearch/v0/opensearch_peer_clusters.py Outdated Show resolved Hide resolved
lib/charms/opensearch/v0/opensearch_relation_peer_cluster.py Show resolved Hide resolved
lib/charms/opensearch/v0/opensearch_relation_peer_cluster.py Outdated Show resolved Hide resolved
lib/charms/opensearch/v0/opensearch_relation_peer_cluster.py Outdated Show resolved Hide resolved
lib/charms/opensearch/v0/opensearch_relation_peer_cluster.py Outdated Show resolved Hide resolved
lib/charms/opensearch/v0/opensearch_relation_peer_cluster.py Show resolved Hide resolved
lib/charms/opensearch/v0/opensearch_relation_peer_cluster.py Show resolved Hide resolved
lib/charms/opensearch/v0/opensearch_relation_peer_cluster.py
):
redacted_dict["credentials"]["s3"] = {
"access-key": self.secrets.get_secret_id(Scope.APP, "s3-access-key"),
"secret-key": self.secrets.get_secret_id(Scope.APP, "s3-secret-key"),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

and it should be only one s3 secret, not 2 like we currently do

Mehdi-Bendriss
Mehdi-Bendriss previously approved these changes Jan 17, 2025
View reviewed changes
reneradoi
reneradoi approved these changes Jan 17, 2025
View reviewed changes
Copy link
Contributor

@reneradoi reneradoi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Re-approval after this PR had already been reviewed from my side previously.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@reneradoi reneradoi reneradoi approved these changes

@Mehdi-Bendriss Mehdi-Bendriss Mehdi-Bendriss approved these changes

@phvalguima phvalguima Awaiting requested review from phvalguima

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@skourta @phvalguima @Mehdi-Bendriss @reneradoi