-
Notifications
You must be signed in to change notification settings - Fork 4.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ci-credentials: update GSM secrets with updated configuration values #20076
ci-credentials: update GSM secrets with updated configuration values #20076
Conversation
I manually dispatched a Update: the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Awesome work! Just one main question below, while waiting on others who know more about 🐍
|
||
@click.group() | ||
@click.argument("connector_name") | ||
@click.option("--gcp-gsm-credentials", envvar="GCP_GSM_CREDENTIALS") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Confirming that GCP_GSM_CREDENTIALS has read and write access?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not allowed to check in GitHub which service account is used in this env var in our actions. But according to the service account I see in our IAM console, I'm pretty sure the currently used SA has sufficient permissions to perform all the operations that this CLI can do: read secret values, add a secret version, disable a secret version.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Props for refactoring and adding tests. This is great for maintainability
Yup, it currently powers octavia-cli and cloud-cli. |
What
Closes #19441 (2/2)
#19979 enabled SAT to write updated configurations by capturing CONTROL messages.
When running in the CI, we need to upload these updated configurations to GSM. This is the scope of this PR.
How
ci-credentials
to expose two commands viaclick
framework:write-to-storage
: the already existing command that downloads GSM secrets locally for test runsupdate-secrets
: the new command to update GSM secrets according to the content of thesecrets/updated_configurations
folder that might contain SAT updated configs. This command finds the latest local updated configuration and updates the existing GSM secret by creating a new secret version and disabling the previous one.airbyte/tools/ci_credentials/ci_credentials/main.py
Line 23 in 1e75110
Create
Secret
andRemoteSecret
models for convenient manipulation of secret structure.airbyte/tools/ci_credentials/ci_credentials/models.py
Line 15 in 1e75110
Rename
SecretLoader
toSecretManager
and add methods to update secrets and disable version.airbyte/tools/ci_credentials/ci_credentials/secrets_manager.py
Line 246 in 1e75110
SecretManager
public methods and models:airbyte/tools/ci_credentials/tests/test_secrets_manager.py
Line 57 in 1e75110
airbyte/tools/ci_credentials/tests/test_models.py
Line 44 in 1e75110
ci-credentials
to make them call the newupdate-secrets
commands after test run.🚨 User Impact 🚨
This PR changes the
/test
and/publish
workflows, so we shall make sure this command are still functioning as expected.