Secret-specific protos #1511
Secret-specific protos #1511
Conversation
|
|
||
| Meta meta = 2 [(gogoproto.nullable) = false]; | ||
|
|
||
| map<string, SecretData> secret_data = 3; |
There was a problem hiding this comment.
Please document this field, including the meaning of the map keys.
Current coverage is 54.06% (diff: 0.00%)@@ master #1511 diff @@
==========================================
Files 82 83 +1
Lines 13605 13613 +8
Methods 0 0
Messages 0 0
Branches 0 0
==========================================
+ Hits 7351 7360 +9
+ Misses 5261 5258 -3
- Partials 993 995 +2
|
| string digest = 4; | ||
|
|
||
| // Size represents the size of the secret | ||
| int32 size = 5 [(gogoproto.customname) = "SecretSize"]; |
There was a problem hiding this comment.
Should this be uint32, or do negative values have a valid meaning?
There was a problem hiding this comment.
Yes, uint32, thank you!
| repeated Secret secrets = 1; | ||
| } | ||
|
|
||
| // Note CreateSecretRequest does not contain a SecretSpec, since that can contain multiple SecretData objects, which have digests |
There was a problem hiding this comment.
This comment doesn't look right; CreateSecretRequest does contain a SecretSpec.
cyli
force-pushed
the
secret-protos
branch
2 times, most recently
from
a691a40
to
8bcbc6f
Compare
|
Just to make sure I remembered correctly - did we want the secrets in a different RPC service entirely, because the control one was too big? Or did we want it in the same RPC service but a different file? cc @stevvooe |
|
|
||
| // GetSecretRequest is the request to get a `Secret` object given a secret name. | ||
| message GetSecretRequest { | ||
| string name = 1; |
There was a problem hiding this comment.
Most objects are fetched by id, rather than name.
There was a problem hiding this comment.
I figured you'd want to look up a secret by name vs ID - I guess they should use ListSecret for that?
There was a problem hiding this comment.
In that case, you list by name, then use the id to access it via get.
There was a problem hiding this comment.
In that case, you list by name, then use the id to access it via get.
Agreed, this is how it works with other objects in controlapi.
|
@cyli The structure and file layout of this PR looks optimal. We may want to discuss with @al but since secrets aren't necessarily a cluster only operation, this will allow us to relocate the component running the actual service. Effectively, we could decouple this from the cluster types, if need be. |
|
Not the right @al I'm afraid. Who is this guy? He seems to be rather On 8 Sep 2016 20:23, "Stephen Day" notifications@github.com wrote: @cyli https://github.com/cyli The structure and file layout of this PR We may want to discuss with @al https://github.com/al but since secrets — |
|
@al My bad. Hah. PTAL @aluzzardi |
| // SecretType provides information about what kind of secret this is | ||
| enum SecretType { | ||
| CONTAINER = 0 [(gogoproto.enumvalue_customname) = "ContainerSecret"]; | ||
| NODE = 1 [(gogoproto.enumvalue_customname) = "NodeSecret"]; |
There was a problem hiding this comment.
@cyli let's remove node for now
There was a problem hiding this comment.
@diogomonica For the network encryption key we decided to add a new secret type. Should we add a type 'NETWORK' to SecretType ? What is its intended purpose, is it for type checking ? ie: a SecretReference from a Service has to be a secret of type CONTAINER ?
There was a problem hiding this comment.
We should add the network specific functionality in a future PR.
There was a problem hiding this comment.
@diogomonica We need to think about this use cases now.
We need to cover the registry auth case, as well.
cyli
force-pushed
the
secret-protos
branch
2 times, most recently
from
5a73a31
to
6ec5865
Compare
|
Thanks for the really quick turnaround!
I know I was the one who asked for this, but I feel it may not be worth the complexity anymore now that there's no internal need for it. For user display purposes, I think ordering by timestamp would work well enough. |
|
|
||
| // SecretReference is the linkage between a service and a secret that it uses. | ||
| message SecretReference { | ||
| // Name is the name of the secret that this references. |
There was a problem hiding this comment.
As discussed, this name will be informational, and secret_id below will be used to actually resolve the secret. Let's make this clear in the comments.
There was a problem hiding this comment.
Good point. I've also moved this to the end of the message (although I don't know that ordering implies any sort of importance).
|
@cyli @aaronlehmann Did we decide to drop the lamport_time field ? For network gossip encryption we need a reliable ordering to delete the old key and insert the new key on every rotation. It can be handled in the client side by having a lamport_time for each secret reference. But if its part of the Secret it will be convenient. |
|
@sanimej I've dropped it as per @aaronlehmann's suggestion, but I can also easily add it back if it's needed. |
|
How are network gossip keys going to be managed in a world where we have immutable secrets and no built-in versioning? |
|
For each network we will have a SecretSpec and three SecretReference in the Network object corresponding to three keys needed for gossip encryption. Network key manager in the swarm leader will be responsible for deleting the old secret, create a new one on each rotation and update the reference in the Network object. Having a lamport_time will avoid having to maintain extra state in the client (key manager in this case). Updated network object will be sent in the Assignment stream only to the nodes that have task with that network attachment. |
| // removes all versions of the secret. | ||
| message RemoveSecretRequest { | ||
| string secret_id = 1 [(gogoproto.customname) = "SecretID"]; | ||
| } |
There was a problem hiding this comment.
Can we make this a repeated field ?
There was a problem hiding this comment.
I have no objection, but none of the other remove requests work this way, so would like further input from @aaronlehmann or @stevvooe or @aluzzardi :)
There was a problem hiding this comment.
Sorry, to clarify this statement I think supporting removing multiple objects in a single transaction might make sense, especially since the network secrets come bundled together. However, it would be an inconsistency in what the Remove* argument takes.
I think it wouldn't be too hard to support this for other objects in the control API as well on the server side, but migrating their existing APIs over to support that may be tricky, if previously it took a single string and now it takes a list of strings.
Will the network manager actually be using the control API, or will it be updating the secret store behind the scenes? There is also an internal bool on the Secret object, which the control API does not provide any way to set - I think the assumption was that the network manager would create that Secret itself and store it?
There was a problem hiding this comment.
It's behind the scenes, so it can use a transaction.
I think having RemoveSecret remove a single secret is most consistent with the other external APIs.
There was a problem hiding this comment.
Sounds good. Leaving this as is, then, and have also removed the max number of secrets in the cluster.
There was a problem hiding this comment.
Agreed - consistency first.
It makes sense, but if we want to do it, we should do it across the board on every other Remove* request so it's outside of the scope of this PR.
|
Thanks for explaining. I think it may be preferable to keep the state in the key manager, versus maintaining the The reason is that |
|
If we don't foresee other users/clients of the secret infra having a similar requirement I think its ok to leave the versioning part to the key manager. |
| @@ -658,6 +658,7 @@ message RaftConfig { | |||
| uint32 election_tick = 5; | |||
| } | |||
|
|
|||
|
|
|||
|
|
||
| // Name is the name of the secret that this references, but this is just provided for | ||
| // lookup/display purposes. The secret in the reference will be identified by its ID. | ||
| string name = 4; |
|
LGTM |
| // removes all versions of the secret. | ||
| message RemoveSecretRequest { | ||
| string secret_id = 1 [(gogoproto.customname) = "SecretID"]; | ||
| } |
There was a problem hiding this comment.
Agreed - consistency first.
It makes sense, but if we want to do it, we should do it across the board on every other Remove* request so it's outside of the scope of this PR.
| Annotations annotations = 1 [(gogoproto.nullable) = false]; | ||
|
|
||
| // Secret payload. | ||
| bytes data = 2; |
There was a problem hiding this comment.
nit: naming? Not opposed to data but wondering if someone has a better name in mind (@stevvooe ?)
nit: Add a comment to data to explain the maximum allowed length
There was a problem hiding this comment.
This is as good as anything.
There was a problem hiding this comment.
data it is - discard that comment
There was a problem hiding this comment.
Included a max size constant in the secrets.go control API stub, and added a comment here.
Add a Secret top-level object type. Add a SecretReference that allows a service to reference the secrets it needs. Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Signed-off-by: Diogo Monica <diogo.monica@gmail.com>
Signed-off-by: Diogo Monica <diogo.monica@gmail.com>
…ipulating secrets. Also update some of the object protos to make things easier to look up. Signed-off-by: cyli <cyli@twistedmatrix.com>
Signed-off-by: cyli <cyli@twistedmatrix.com>
…ets and max number of secret versions. Also add dispatcher protos for secrets. Signed-off-by: cyli <cyli@twistedmatrix.com>
Signed-off-by: cyli <cyli@twistedmatrix.com>
Signed-off-by: cyli <cyli@twistedmatrix.com>
…terface Signed-off-by: cyli <cyli@twistedmatrix.com>
This does not include any implementation yet - the goal is: