Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[DPE-3654] Peer cluster data stored in a secret #463

Open
wants to merge 15 commits into
base: 2/edge
Choose a base branch
from

Conversation

skourta
Copy link
Contributor

@skourta skourta commented Sep 27, 2024

Issue

The data of the peer cluster relation was stored in the app data bag in text format including passwords and sensitive data.

Solution

Move the data of the peer cluster relation to a juju secret

@skourta skourta force-pushed the DPE-3654-peer-cluster-secret branch from 376e526 to 52d9410 Compare September 30, 2024 10:25
@reneradoi reneradoi self-requested a review October 16, 2024 13:30
Copy link
Contributor

@Mehdi-Bendriss Mehdi-Bendriss left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks Smail.

Having the rel data as a whole as part of the secrets makes us lose valuable information from the relation.

I would rather:

  • we keep the relation flow as it was and just replace the plaintext values of the passwords etc.. by their secret labels in the relation data.
  • grant access to all these secrets to the consumers
  • consumer is able to fetch the content from these labels
  • when a secret changes, we'll have to trigger a rel changed event for the consumers to see it (or do we if the secrets are already granted?)

Copy link
Contributor

@reneradoi reneradoi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey Smail, thanks for tackling this topic! I think it needs some adjustments as we are currently mixing using the opensearch_secrets.py class and accessing secrets directly through the model, especially in the _grant_rel_data_secrets() method. This should be avoided, if possible, and methods missing the in opensearch_secrets class should be added there. This is to make sure we have a clean interface with the secrets, and don't have to adjust multiple places in the code of the ops-implementation of secrets changes.

lib/charms/opensearch/v0/opensearch_secrets.py Outdated Show resolved Hide resolved
@reneradoi reneradoi self-requested a review October 25, 2024 13:02
reneradoi
reneradoi previously approved these changes Oct 25, 2024
Copy link
Contributor

@reneradoi reneradoi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for applying all the changes I asked for!

phvalguima
phvalguima previously approved these changes Nov 5, 2024
Copy link
Contributor

@phvalguima phvalguima left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am approving it, but if we have to do any changes on this PR still, @skourta, can you add the TODO notes as described? Also, we should make sure the backup tests are passing in our CI, as they depend on the secret exchanges.

):
redacted_dict["credentials"]["s3"] = {
"access-key": self.secrets.get_secret_id(Scope.APP, "s3-access-key"),
"secret-key": self.secrets.get_secret_id(Scope.APP, "s3-secret-key"),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Likewise, this secret should be caught straight from the s3 relation, once it supports granting secrets around.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

and it should be only one s3 secret, not 2 like we currently do

Copy link
Contributor

@Mehdi-Bendriss Mehdi-Bendriss left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks Smail. Good job. This looks good overall. I left some comments.

lib/charms/opensearch/v0/opensearch_peer_clusters.py Outdated Show resolved Hide resolved
lib/charms/opensearch/v0/opensearch_peer_clusters.py Outdated Show resolved Hide resolved
# If we use the values of the secrets then the size of the secret
# would be too large for juju we store the secret ids instead and
# fetch the secrets when needed in the requirer side
redacted_dict = rel_data.to_dict()
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why is needed to serialize to a dict, why not work with the object and its attributes directly? I would rather we work with the former.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We do not want to mutate the object directly. We can either use the dict or copy the object and update the content of the secret to their respective ids.

Copy link
Contributor Author

@skourta skourta Nov 25, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Mehdi-Bendriss We cannot directly use the PeerClusterRelData object directly because of the admin_tls field in the credentials which is dict. The secret IDs are str. I can either create a new model for the redacted peer cluster relation data or stick with the dict. WDYT?

@@ -260,6 +262,13 @@ def refresh_relation_data(
# compute the data that needs to be broadcast to all related clusters (success or error)
rel_data = self._rel_data(deployment_desc, orchestrators)

# if rel_data is an error, prepare to broadcast it to all related clusters
if isinstance(rel_data, PeerClusterRelData):
rel_data_redacted_dict = self._rel_data_redacted_dict(rel_data)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why is it needed to serialize into a dict?

):
redacted_dict["credentials"]["s3"] = {
"access-key": self.secrets.get_secret_id(Scope.APP, "s3-access-key"),
"secret-key": self.secrets.get_secret_id(Scope.APP, "s3-secret-key"),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

and it should be only one s3 secret, not 2 like we currently do

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants