Adding a callback based method to the secrets component #21090
ff531f6 to 938dace
Bloop Bleep... Dogbot Here

Regression Detector Results

Run ID: 020140b5-b5ab-4f0e-8f94-1b337be54481

Explanation

A regression test is an integrated performance test for Because a target's optimization goal performance in each experiment will vary somewhat each time it is run, we can only estimate mean differences in optimization goal relative to the baseline target. We express these differences as a percentage change relative to the baseline target, denoted "Δ mean %". These estimates are made to a precision that balances accuracy and cost control. We represent this precision as a 90.00% confidence interval denoted "Δ mean % CI": there is a 90.00% chance that the true value of "Δ mean %" is in that interval.

We decide whether a change in performance is a "regression" -- a change worth investigating further -- if both of the following two criteria are true:

The table below, if present, lists those experiments that have experienced a statistically significant change in mean optimization goal performance between baseline and comparison SHAs with 90.00% confidence OR have been detected as newly erratic. Negative values of "Δ mean %" mean that baseline is faster, whereas positive values of "Δ mean %" mean that comparison is faster. Results that do not exhibit more than a ±5.00% change in their mean optimization goal are discarded. An experiment is erratic if its coefficient of variation is greater than 0.1. The abbreviated table will be omitted if no interesting change is observed.

No interesting changes in experiment optimization goals with confidence ≥ 90.00% and |Δ mean %| ≥ 5.00%.

Fine details of change detection per experiment.
LGTM for AML files
LGTM, I don't really understand what the code in walker.go does but since it was mostly just moved it's ok
@hush-hush Some of the code is above my head but I left some comments. Overall LGTM though.
comp/core/secrets/component.go
Outdated
Decrypt(data []byte, origin string) ([]byte, error) | ||
// DecryptWithCallback resolves the secrets in the given yaml data calling the callback with the YAML path of | ||
// the secret handle and its value | ||
DecryptWithCallback(data []byte, origin string, callback DecryptCallback) error |
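Review bot: The doc comment on DecryptWithCallback leaves the contract underspecified: "its value" can be read as either the handle string or the resolved secret, and nothing says what the returned error covers (a failed resolution, or a failure inside the callback) or whether data is left unmodified. Since the callback is handed secret material, I would spell this out in the comment, for example "callback is invoked once per secret handle with the YAML path of the setting and the resolved secret; data is not modified", and note that implementations of DecryptCallback should not log the value they receive.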
nit: This might be a semantic nit around naming but we're not really decrypting the secrets but resolving them afaiu so naming the methods accordingly would be good.
nit: I suppose that the callback is not a "decrypt then run callback" that could be interpreted from current name so maybe wording it as ResolveViaCallback or ResolveThroughCallback would be more clear
We're not resolving using the callback, we're still using the secrets binary. I feel like ResolveViaCallback/ResolveThroughCallback implies otherwise.
Here we're letting the caller replace the handle with the secrets (ie: resolving with a callback).
I did replace Decrypt with Resolve everywhere.
The secrets component can now notify the caller when resolving a secret. This allows the config package to only overwrite the setting using secrets instead of the entire configuration.
cd16cf1 to 0b205f0
What does this PR do?
The secrets component can now notify the caller when resolving a secret.
This allows the config package to only overwrite the setting using secrets instead of the entire configuration, which results in accurate configuration being sent through metadata.
Describe how to test/QA your changes
Check that the secrets feature works just like before:
Then also check that the metadata payload now doesn't send the entire configuration as provided_configuration when secrets are enabled (datadog-agent diagnose show-metadata inventory-agent | jq -r '.agent_metadata.provided_configuration').

Reviewer's Checklist
Triage
milestone is set.
major_change label if your change either has a major impact on the code base, is impacting multiple teams or is changing important well-established internals of the Agent. This label will be use during QA to make sure each team pay extra attention to the changed behavior. For any customer facing change use a releasenote.
changelog/no-changelog label has been applied.
qa/skip-qa label is not applied.
team/.. label has been applied, indicating the team(s) that should QA this change.
need-change/operator and need-change/helm labels have been applied.
k8s/<min-version> label, indicating the lowest Kubernetes version compatible with this feature.
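The callback pattern the PR description outlines, as an added Go example that is not code from this PR or from the Agent: the resolver reports each setting that held a secret handle and leaves the input untouched, so the caller overwrites only those settings. The `ENC[...]` handle notation, the `ResolveCallback` type, the in-memory `backend` standing in for the secrets binary, and the sample configuration are all assumptions or constructed values.

```go
package main

import (
	"fmt"
	"strings"
)

// ResolveCallback (hypothetical type) gets a setting's path and its resolved secret.
type ResolveCallback func(path []string, value string)

// backend stands in for the secrets binary (constructed sample data).
var backend = map[string]string{"db_pass": "constructed-secret"}

// resolveWithCallback reports each resolved handle to cb and never rewrites node.
func resolveWithCallback(node interface{}, path []string, cb ResolveCallback) error {
	switch v := node.(type) {
	case map[string]interface{}:
		for k, child := range v {
			sub := append(path[:len(path):len(path)], k) // copy, do not alias
			if err := resolveWithCallback(child, sub, cb); err != nil {
				return err
			}
		}
	case string:
		if !strings.HasPrefix(v, "ENC[") || !strings.HasSuffix(v, "]") {
			return nil // plain setting, not a handle
		}
		secret, ok := backend[v[4:len(v)-1]]
		if !ok {
			return fmt.Errorf("unresolved handle at %s", strings.Join(path, "."))
		}
		cb(path, secret)
	}
	return nil
}

// touchedSettings collects only the settings that held a handle.
func touchedSettings(conf map[string]interface{}) (map[string]string, error) {
	out := map[string]string{}
	err := resolveWithCallback(conf, nil, func(p []string, val string) {
		out[strings.Join(p, ".")] = val
	})
	return out, err
}

func main() {
	db := map[string]interface{}{"password": "ENC[db_pass]", "port": 5432}
	got, err := touchedSettings(map[string]interface{}{"site": "example.invalid", "db": db})
	fmt.Println(len(got), err) // prints the count only, never the secret
}
```

Because only the reported paths are overwritten, settings the user never provided do not appear as provided configuration.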