Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Generate Secret References for Sensitive Parameters under the spec.initProvider API tree #406

Merged
merged 3 commits into from
May 24, 2024
Merged

Generate Secret References for Sensitive Parameters under the spec.initProvider API tree #406

merged 3 commits into from
May 24, 2024

Conversation

ulucinar
Copy link
Collaborator

Description of your changes

While working on adding the User.mq resource in crossplane-contrib/provider-upjet-aws, we hit the limitation that currently we do not generate secret references for the sensitive parameters under the spec.initProvider API. Currently, one can specify an ActiveMQ broker user with crossplane-contrib/provider-upjet-aws as follows:

apiVersion: mq.aws.upbound.io/v1beta1
kind: Broker
metadata:
  name: test-broker
spec:
  forProvider:
    ...
    user:
    - passwordSecretRef:
        key: password
        name: mq-secret
        namespace: upbound-system
      username: admin

However, we cannot fully specify the broker user using the spec.initProvider API tree because there's no spec.initProvider.user[*].passwordSecretRef and a partial specification like the following:

apiVersion: mq.aws.upbound.io/v1beta1
kind: Broker
metadata:
  name: test-broker
spec:
  forProvider:
    # broker users are defined under spec.initProvider
    ...
  initProvider:
    user:
      username: admin

will not function as the required user password is missing in the user specification, which renders the spec.initProvider.user API useless.

This PR adds support for the generation of secret references for sensitive parameters under the spec.initProvider API tree. As a result, it now becomes possible to fully specify a broker user as follows:

apiVersion: mq.aws.upbound.io/v1beta1
kind: Broker
metadata:
  name: test-broker
spec:
  initProvider:
    ...
    user:
    - passwordSecretRef:
        key: password
        name: mq-secret
        namespace: upbound-system
      username: admin
  forProvider:
    ...

The PR proposes both the code generation changes & the runtime secret resolution changes:

Code generation changes:

  1. Upjet now generates the secret references under the spec.initProvider API tree. As an example, Broker.mq now has spec.initProvider.user[*].passwordSecretRef as a sensitive parameter.
  2. This will result in the marking of certain previously required sensitive fields as optional under the spec.forProvider API tree because they have now counterparts under the spec.initProvider subtree, i.e., they can now be specified from under spec.initProvider.
  3. Upjet now generates, in zz_*_terraformed.go files, connection details mappings without the spec.forProvider prefixes in CRD paths. For example, what upjet used to generate as follows:
// GetConnectionDetailsMapping for this SharedDirectory
func (tr *SharedDirectory) GetConnectionDetailsMapping() map[string]string {
  return map[string]string{"notes": "spec.forProvider.notesSecretRef"}
}

now becomes:

// GetConnectionDetailsMapping for this SharedDirectory
func (tr *SharedDirectory) GetConnectionDetailsMapping() map[string]string {
  return map[string]string{"notes": "notesSecretRef"}
}

This is because, the mapping is now not 1:1. The sensitive value for the notes Terraform configuration argument can now be resolved from either a spec.forProvider reference or a soec.initProvider reference.

Runtime changes:

Upjet runtime now has to be able to resolve secret references from under the spec.initProvider tree and the mapping between the Terraform configuration arguments & secret references is no longer one-to-one. If both a spec.initProvider and a spec.forProvider secret reference target the same Terraform configuration argument, then the spec.forProvider's reference prevails over.

I have:

  • Read and followed Upjet's contribution process.
  • Run make reviewable to ensure this PR is ready for review.
  • Added backport release-x.y labels to auto-backport this PR if necessary.

How has this code been tested

Manually tested via the User.users crossplane-contrib/provider-upjet-azuread resource.

@ulucinar
Generate the corresponding Kubernetes secret references for the sensi…
f577a54 
…tive Terraform

configuration arguments also under the spec.initProvider API tree.

Signed-off-by: Alper Rifat Ulucinar <[email protected]>
@ulucinar
Add support for resolving secret references from spec.initProvider
ec75edf 
- If both spec.forProvider and spec.initProvider tree reference
  secrets for the same target field, spec.forProvider overrides
  spec.initProvider.

Signed-off-by: Alper Rifat Ulucinar <[email protected]>
@ulucinar ulucinar mentioned this pull request May 23, 2024
Merged
3 tasks
sergenyalcin
sergenyalcin approved these changes May 23, 2024
View reviewed changes
Copy link
Member

@sergenyalcin sergenyalcin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @ulucinar LGTM!

@ulucinar
Copy link
Collaborator Author

The CLI-based external client relies on Terraform's ignore_changes lifecycle meta-argument to ignore changes to MR fields that are exclusively set in spec.initProvider and not set in spec.forProvider for drift detection. This PR only considers ignoring changes in spec.initProvider sensitive fields (i.e., secret references) for the no-fork architecture and such changes will be considered as drift in the old architecture. We can work on this problem if there's need for it. The spec.initProvider use cases are rather limited and further, not many will involve the newly added sensitive fields.

A possible implementation could use the mapping from the spec.initProvider sensitive field to the corresponding Terraform target sensitive argument and place that sensitive argument to the ignore_changes block. But let's tackle with it if there's any real use case for it.

@ulucinar ulucinar merged commit 89a7d0a into crossplane:main May 24, 2024
6 checks passed
@ulucinar ulucinar deleted the sensitive-initProvider branch May 24, 2024 08:13
@ulucinar ulucinar mentioned this pull request May 24, 2024
Merged
3 tasks
@ulucinar ulucinar mentioned this pull request Jun 4, 2024
Merged
3 tasks
@llavaud llavaud mentioned this pull request Jun 5, 2024
Closed
@ulucinar ulucinar mentioned this pull request Jun 6, 2024
Merged
3 tasks
@erhancagirici erhancagirici mentioned this pull request Nov 12, 2024
Merged
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sergenyalcin sergenyalcin sergenyalcin approved these changes

@erhancagirici erhancagirici Awaiting requested review from erhancagirici erhancagirici is a code owner

@mergenci mergenci Awaiting requested review from mergenci mergenci is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@ulucinar @sergenyalcin