
Move github credentials to the database #243

Merged
merged 27 commits into from
May 9, 2024

Conversation

gabriel-samfira

This change is part of a larger effort to allow GARM to eventually scale out to multiple instances. The goal is to move as much of the config as possible to the database, allowing a single source of truth for state among multiple instances.

This change also allows us to properly enforce relations between entities (repos, orgs, enterprises), github installations (GHES/github.com) and credentials. This way, we don't end up in an inconsistent state if the credentials are removed from the config, but they're still referenced for an entity in the database.

As part of this change, we aim to maintain as much of the existing user-facing API as possible, and also automatically migrate the existing config credentials to the database. The migration is done once, when GARM detects that the needed DB tables are not there. After that, migration is skipped and any credential handling will need to be done using the CLI.

Credentials are scoped to users, and must have a unique name. Different users will be able to create credentials with the same name. The same user will not be able to create multiple credentials with the same name. Although GARM doesn't support multiple users (yet), it may do so in the future. Given the pain of moving the credentials to the DB, this was a decision that was meant to spare us the pain of refactoring later.

Credentials are still referenced by name when assigning them to the entity, but internally we query the DB for a user/credentials combo, given that we have the user ID already stored for the authenticated user, in the context we pass along throughout the code base.

A few more commits are needed to expose an API for handling credentials and to add tests for all the new bits.

@gabriel-samfira

Pfu. The generated code is really bumping up the line count 😅

@gabriel-samfira gabriel-samfira force-pushed the use-db-for-gh-creds branch 3 times, most recently from b43115d to 30447d3 Compare April 19, 2024 09:26
Add database models that deal with github credentials. This change
adds models for github endpoints (github.com, GHES, etc). This change
also adds code to migrate config credentials to the DB.

Tests need to be fixed and new tests need to be written. This will come
in a later commit.

Signed-off-by: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com>
When updating credentials on an entity, we must ensure that the new credentials
belong to the same endpoint as the entity.

When an entity is created, the endpoint is determined by the credentials that
were used during the create operation. From that point forward the entity is
associated with an endpoint, and that cannot change.

Signed-off-by: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com>
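
Added example, not code from this pull request or from GARM: a minimal in-memory sketch of the two rules stated above, namely the PR description's per-user credential names resolved through the user ID in the context, and this commit message's rule that an entity's credentials can only be swapped for ones on the same endpoint. `Store`, `Entity`, `WithUser`, `Create`, `Assign` and the error values are hypothetical names chosen for illustration.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// Hypothetical stand-ins, not GARM's types; Store is keyed by (user ID, name).
type ctxKey struct{}
type Entity struct{ Endpoint, Creds string }
type Store map[[2]string]string // value: endpoint the credentials belong to

var (
	ErrNoUser    = errors.New("no authenticated user in context")
	ErrDuplicate = errors.New("name already used by this user")
	ErrNotFound  = errors.New("no such credentials for this user")
	ErrEndpoint  = errors.New("credentials belong to another endpoint")
)

func WithUser(ctx context.Context, id string) context.Context {
	return context.WithValue(ctx, ctxKey{}, id)
}

func (s Store) Create(ctx context.Context, name, endpoint string) error {
	uid, _ := ctx.Value(ctxKey{}).(string)
	if uid == "" {
		return ErrNoUser
	}
	if _, taken := s[[2]string{uid, name}]; taken {
		return ErrDuplicate
	}
	s[[2]string{uid, name}] = endpoint
	return nil
}

// Assign resolves name for the caller only and keeps the entity's endpoint fixed.
func (s Store) Assign(ctx context.Context, e *Entity, name string) error {
	uid, _ := ctx.Value(ctxKey{}).(string)
	endpoint, ok := s[[2]string{uid, name}]
	if !ok {
		return ErrNotFound
	}
	if endpoint != e.Endpoint {
		return ErrEndpoint
	}
	e.Creds = name
	return nil
}
func main() { fmt.Println(Store{}.Assign(context.Background(), &Entity{}, "ci")) }
```

In a SQL-backed store the same guarantee would come from a composite unique index on the owner and name columns rather than from a map key.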
@gabriel-samfira gabriel-samfira force-pushed the use-db-for-gh-creds branch 2 times, most recently from d6691fe to 8ef36f6 Compare April 24, 2024 13:50
Do not rely on the entity object to hold updated or detailed credentials,
fetch them from the DB every time.

This change also ensures that we pass in the user context instead of the
runner context to the DB methods.

Signed-off-by: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com>
@gabriel-samfira gabriel-samfira force-pushed the use-db-for-gh-creds branch 2 times, most recently from 80a87b0 to 7f1aeeb Compare April 24, 2024 14:46
Signed-off-by: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com>
@gabriel-samfira gabriel-samfira force-pushed the use-db-for-gh-creds branch 4 times, most recently from 154c9de to 1dc6b1f Compare April 25, 2024 17:31
Signed-off-by: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com>
@gabriel-samfira gabriel-samfira changed the title [WiP] Move github credentials to the database Move github credentials to the database Apr 29, 2024
No point in making a DB query if we know we don't want to be able to
delete/update the default endpoint.

Signed-off-by: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com>
gabriel-samfira and others added 2 commits May 7, 2024 13:13
Co-authored-by: Mario Constanti <github@constanti.de>
Signed-off-by: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com>