[installer] enable protected_secrets by default #13664

Merged
merged 1 commit into from
Oct 7, 2022


kylos101
Contributor

@kylos101 kylos101 commented Oct 7, 2022

Description

Enable protected_secrets by default for server, unless explicitly set to false in the installer config.

Change the data type of EnableProtectedSecrets to a pointer to prevent the case where enableProtectedSecrets = false if the user’s config is as below, which would disable protected secrets.

experimental:
  workspace:

  • the golden files have values that changed...which weren't altered in the config.yaml files. Not sure why.
  • aside from the four config.yaml files I changed, there are others, but...not sure why I'd change them. 🤔
    @mrsimonemms, halp? ☝️ above two tasks...I am bamboozled.

Related Issue(s)

Fixes #13632

How to test

Enabled out of the box

  1. Disable protected_secrets for non-production in configcat
  2. Start a workspace in the preview environment https://kylos101-eb280e47347.preview.gitpod-dev.com/workspaces
  3. kubectl describe pod <workspace>, secrets should back values within the pod env vars, rather than plain strings. You could open the workspace from this PR, and kubectl describe pod <workspace>.

Disable at install time

  1. Use the installer to overwrite the preview environment installation
  2. Start a workspace in the preview environment https://jenting-13664.preview.gitpod-dev.com/workspaces
  3. kubectl describe pod <workspace>, secrets will not back the values. You could open the workspace from the branch and kubectl describe pod <workspace>.

Release Notes

Enable the protected secrets by default

Documentation

Werft options:

  • /werft with-local-preview
    If enabled this will build install/preview
  • /werft with-preview
  • /werft with-integration-tests=workspace with-large-vm=true
    Valid options are all, workspace, webapp, ide
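
The bool-versus-pointer default from the description above, as an added example that is not code from this PR or from the Gitpod installer. Only the field name EnableProtectedSecrets comes from the page; the struct names, the nesting under experimental.workspace, and the functions LegacyEnabled and PointerEnabled are assumptions, and JSON stands in for the installer's YAML so the block needs only the standard library.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Assumed shapes: only the name EnableProtectedSecrets is from the PR; JSON stands in for YAML.
type legacyConfig struct {
	Experimental struct {
		Workspace struct {
			EnableProtectedSecrets bool `json:"enableProtectedSecrets"`
		} `json:"workspace"`
	} `json:"experimental"`
}

type pointerConfig struct {
	Experimental *struct {
		Workspace *struct {
			EnableProtectedSecrets *bool `json:"enableProtectedSecrets"`
		} `json:"workspace"`
	} `json:"experimental"`
}

// LegacyEnabled shows the problem: a plain bool cannot tell "omitted" from "false".
func LegacyEnabled(raw string) (bool, error) {
	var c legacyConfig
	err := json.Unmarshal([]byte(raw), &c)
	return c.Experimental.Workspace.EnableProtectedSecrets, err
}

// PointerEnabled treats nil as "not set" (default true); only an explicit false disables.
func PointerEnabled(raw string) (bool, error) {
	var c pointerConfig
	if err := json.Unmarshal([]byte(raw), &c); err != nil {
		return false, err
	}
	e := c.Experimental
	if e == nil || e.Workspace == nil || e.Workspace.EnableProtectedSecrets == nil {
		return true, nil
	}
	return *e.Workspace.EnableProtectedSecrets, nil
}

func main() {
	raw := `{"experimental":{"workspace":null}}` // constructed: section present, flag omitted
	fmt.Println(LegacyEnabled(raw))
	fmt.Println(PointerEnabled(raw))
}
```
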

@werft-gitpod-dev-com

started the job as gitpod-build-kylos101-enable-protected-secrets.1 because the annotations in the pull request description changed
(with .werft/ from main)

@roboquat roboquat added the size/S label Oct 7, 2022
@kylos101 kylos101 force-pushed the kylos101/enable-protected-secrets branch from 955e278 to 9b71206 Compare October 7, 2022 01:04
@werft-gitpod-dev-com

started the job as gitpod-build-kylos101-enable-protected-secrets.3 because the annotations in the pull request description changed
(with .werft/ from main)

@kylos101
Contributor Author

kylos101 commented Oct 7, 2022

/werft run with-integration-tests=workspace with-large-vm=true

👍 started the job as gitpod-build-kylos101-enable-protected-secrets.4
(with .werft/ from main)

@kylos101
Contributor Author

kylos101 commented Oct 7, 2022

/werft run with-integration-tests=workspace with-large-vm=true with-clean-slate-deployment=true

👍 started the job as gitpod-build-kylos101-enable-protected-secrets.5
(with .werft/ from main)

@kylos101
Contributor Author

kylos101 commented Oct 7, 2022

/werft run with-integration-tests=workspace with-large-vm=true with-clean-slate-deployment=true

👍 started the job as gitpod-build-kylos101-enable-protected-secrets.6
(with .werft/ from main)

@jenting jenting force-pushed the kylos101/enable-protected-secrets branch from 9b71206 to 79f47a8 Compare October 7, 2022 02:27
@werft-gitpod-dev-com

started the job as gitpod-build-kylos101-enable-protected-secrets.8 because the annotations in the pull request description changed
(with .werft/ from main)

@roboquat roboquat added size/M and removed size/S labels Oct 7, 2022
@jenting jenting force-pushed the kylos101/enable-protected-secrets branch from dda093f to 5dee9a5 Compare October 7, 2022 03:42
@roboquat roboquat added size/S and removed size/M labels Oct 7, 2022
@jenting jenting force-pushed the kylos101/enable-protected-secrets branch 2 times, most recently from c0a9017 to d889fe9 Compare October 7, 2022 04:10
@jenting jenting force-pushed the kylos101/enable-protected-secrets branch from d889fe9 to d319525 Compare October 7, 2022 04:20
@jenting
Contributor

jenting commented Oct 7, 2022

/werft run

👍 started the job as gitpod-build-kylos101-enable-protected-secrets.18
(with .werft/ from main)

@jenting jenting marked this pull request as ready for review October 7, 2022 04:36
@jenting jenting requested review from a team October 7, 2022 04:36
@github-actions github-actions bot added team: webapp Issue belongs to the WebApp team team: self-hosted labels Oct 7, 2022
@jenting jenting marked this pull request as draft October 7, 2022 04:37
@jenting jenting marked this pull request as ready for review October 7, 2022 04:46
@utam0k
Contributor

utam0k commented Oct 7, 2022

@jenting I think we should update the Release Note

@jenting
Contributor

jenting commented Oct 7, 2022

> @jenting I think we should update the Release Note

Thank you for the heads up.

@nandajavarma
Contributor

nandajavarma commented Oct 7, 2022

/werft run with-sh-preview

👍 started the job as gitpod-build-kylos101-enable-protected-secrets.19
(with .werft/ from main)

Contributor

@nandajavarma nandajavarma left a comment

Tested setup against k3s self-hosted preview! :shipit:

@roboquat roboquat merged commit 0cd9c5d into main Oct 7, 2022
@roboquat roboquat deleted the kylos101/enable-protected-secrets branch October 7, 2022 06:56
@roboquat roboquat added the deployed: webapp Meta team change is running in production label Oct 7, 2022
@roboquat roboquat added the deployed Change is completely running in production label Oct 17, 2022
Labels
deployed: webapp Meta team change is running in production deployed Change is completely running in production release-note size/S team: webapp Issue belongs to the WebApp team
Development

Successfully merging this pull request may close these issues.

Enable protected secrets by default in the installer for self-hosted