Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[DPE-2342] Charm Relation (i.e. 'external') Secrets #91

Open
wants to merge 10 commits into
base: main
Choose a base branch
from
Open

[DPE-2342] Charm Relation (i.e. 'external') Secrets #91

wants to merge 10 commits into from

Conversation

juditnovak
Copy link
Contributor

@juditnovak juditnovak commented Aug 26, 2023
edited
Loading

Disclaimer

Here we introduce Relations Secrets on top of the existing data_interfaces logic.

New interfaces:

  • get_relation_secret_data() (Provides, Requires)
  • set_relation_secret_fields() (Provides)
  • get_relation_secret_fields(), get_relation_secret_fields() (Requires)

POC demo of usage demonstrated on Opensearch: canonical/opensearch-operator#116

@juditnovak juditnovak changed the base branch from main to DPE-2394_juju3_pipeline August 26, 2023 12:10
@juditnovak juditnovak force-pushed the DPE-2342_relation_secrets branch 8 times, most recently from 203c86e to 11a9374 Compare August 27, 2023 20:44
@juditnovak juditnovak force-pushed the DPE-2394_juju3_pipeline branch from 9e70a2a to c7a5d3f Compare August 27, 2023 21:19
@juditnovak juditnovak force-pushed the DPE-2342_relation_secrets branch from 11a9374 to 30c02e7 Compare August 27, 2023 21:21
@juditnovak juditnovak changed the title [WIP][IGNORE][DPE-2342] relation secrets [DPE-2342] relation secrets Aug 27, 2023
@juditnovak juditnovak changed the title [DPE-2342] relation secrets [DPE-2342] Charm Relation (i.e. 'externa') Secrets Aug 27, 2023
@juditnovak juditnovak changed the title [DPE-2342] Charm Relation (i.e. 'externa') Secrets [DPE-2342] Charm Relation (i.e. 'external') Secrets Aug 27, 2023
@juditnovak juditnovak force-pushed the DPE-2342_relation_secrets branch from 30c02e7 to 2674ffa Compare August 27, 2023 22:57
@juditnovak juditnovak force-pushed the DPE-2394_juju3_pipeline branch from c7a5d3f to cb7dc4a Compare August 28, 2023 07:46
@juditnovak juditnovak force-pushed the DPE-2342_relation_secrets branch from 2674ffa to 577ee22 Compare August 28, 2023 15:09
marceloneppel
marceloneppel reviewed Aug 28, 2023
View reviewed changes
Copy link
Member

@marceloneppel marceloneppel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall it looks great! I think we are in the right path with this implementation.

About the cache, from what I could see, it will be restricted to the event lifetime only.

I left comments about other details.

@juditnovak juditnovak force-pushed the DPE-2342_relation_secrets branch 5 times, most recently from 63de4bd to e0c9efa Compare August 29, 2023 17:17
shayancanonical
shayancanonical reviewed Aug 29, 2023
View reviewed changes
Copy link
Contributor

@shayancanonical shayancanonical left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I really like the direction that this implementation is taking! Abstracting away whether a relation data is stored in a secrets backend or in the relational databag is an excellent idea!

A couple of high level comments/questions I had after my first review were:

  1. SecretCache is not really a cache - it is a wrapper around a Secret in a Juju secrets backend
  2. Should we allow the Requires application to decide which fields are SECRET_FIELDS instead of hardcoding them? (and fallback to the hardcoded value if they are not specified?) -> this will allow users to specify all the fields that they want as secrets

@juditnovak
Copy link
Contributor Author

@shayancanonical

SecretCache: Your point is valid, it is

  1. An abstraction layer to handle direct interaction with the Juju Secret Strore
  2. However it IS a cache too :-)

The point is that, once you fetch a secret via a SecretCache object, it won't be fetched again within the same event scope.
So it's kinda providing a smart layer between DataInterfaces and Juju. It's both handling the interactions AND if the interaction is avoidable it would just return the previously cached data.

(I may need to polish up a code, there could be errors on this still :-) )

@juditnovak juditnovak force-pushed the DPE-2342_relation_secrets branch from e0c9efa to 99e4ca5 Compare August 29, 2023 21:23
Base automatically changed from DPE-2394_juju3_pipeline to main August 29, 2023 21:24
@juditnovak juditnovak force-pushed the DPE-2342_relation_secrets branch from 99e4ca5 to c3e2a57 Compare August 29, 2023 23:08
shayancanonical
shayancanonical reviewed Aug 30, 2023
View reviewed changes
Copy link
Contributor

@shayancanonical shayancanonical left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great! Just a flood of small nits/questions

@juditnovak juditnovak force-pushed the DPE-2342_relation_secrets branch from 7481a42 to 1a81c55 Compare August 30, 2023 22:19
@juditnovak juditnovak mentioned this pull request Aug 31, 2023
Closed
paulomach
paulomach approved these changes Aug 31, 2023
View reviewed changes
Copy link
Contributor

@paulomach paulomach left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm missing some of the secret context, but could follow the implementation. Overall looking good, my nits are well represented by other reviews

@juditnovak juditnovak force-pushed the DPE-2342_relation_secrets branch 4 times, most recently from ec4c19c to f2b8bc9 Compare September 1, 2023 00:15
@juditnovak juditnovak requested a review from delgod September 1, 2023 11:07
@juditnovak juditnovak force-pushed the DPE-2342_relation_secrets branch from f2b8bc9 to 8ba180c Compare September 3, 2023 09:25
@juditnovak juditnovak force-pushed the DPE-2342_relation_secrets branch from 8ba180c to 96d890d Compare September 3, 2023 09:43
juditnovak
juditnovak commented Sep 4, 2023
View reviewed changes
lib/charms/data_platform_libs/v0/data_interfaces.py
DON'T USE the encapsulated helper variable outside of this function
"""
if not hasattr(self, "_cached_jujuversion"):
self._cached_jujuversion = None
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Alternatively, I can add this init() function:

def __init__(self, handle: Handle, relation: Relation, app: Optional[Application] = None, unit: Optional[Unit] = None):
    super().__init__(handle, relation, app, unit)
    self._cached_jujuversion = None
    self._cached_secrets = None

...and then copy this into 6 --currently very pretty, one-liner-- descendant classes:

def __init__(self, handle: Handle, relation: Relation, app: Optional[Application] = None, unit: Optional[Unit] = None):
    super().__init__(handle, relation, app, unit)

...but this is so ugly, that it doesn't even feel right -- just for two internal helper variables, that aren't supposed to be used outside of their encapsulated scope.... That I'd rather go with the technically less safe, but in another sense still more elegant solution. As instructions on the property functions clearly indicate: the helper variabes are meant to be encapsulated inside, noone should refer to them otherwise.

Anyway, if strong feelings on the other side, I can go for the __init__() solution.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

less ugly?

Suggested change
self._cached_jujuversion = None
if not hasattr(self, "_cached_jujuversion") or not self._cached_jujuversion:
self._cached_jujuversion = JujuVersion.from_environ()

@juditnovak juditnovak marked this pull request as ready for review September 4, 2023 07:17
paulomach
paulomach reviewed Sep 4, 2023
View reviewed changes
lib/charms/data_platform_libs/v0/data_interfaces.py
@@ -934,6 +981,11 @@ def tls(self) -> Optional[str]:
if not self.relation.app:
return None

if self.secrets_enabled:
secret = self._get_secret("tls")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit (use walrus):

if secret := self._get_secret("tls"):
    return secret.get("tls")

juditnovak
juditnovak commented Sep 7, 2023
View reviewed changes
lib/charms/data_platform_libs/v0/data_interfaces.py
@@ -331,6 +334,33 @@ def _on_topic_requested(self, event: TopicRequestedEvent):
deleted - key that were deleted"""


# Local map to associate labels with secrets potentially as a group
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[CRITICAL] Increase LIBVERSION !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

@shayancanonical
Copy link
Contributor

@juditnovak is this PR still revelant? if not, should we close?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@paulomach paulomach paulomach approved these changes

@shayancanonical shayancanonical shayancanonical approved these changes

@delgod delgod Awaiting requested review from delgod

@marceloneppel marceloneppel Awaiting requested review from marceloneppel

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@juditnovak @shayancanonical @paulomach @marceloneppel