feat(core): Add experimental account storage API #5594
Conversation
clouddriver-web/src/main/groovy/com/netflix/spinnaker/clouddriver/Main.groovy
Outdated
Show resolved
Hide resolved
...pi/src/main/java/com/netflix/spinnaker/clouddriver/security/AccountDefinitionRepository.java
Show resolved
Hide resolved
|
Hey @jvz I'm probably already supposed to know this, but does this PR enable dynamic refresh of the accounts, or are they still loaded only at startup? |
|
Refreshing is done via credentials polling currently. If you enable that, then this gets refreshed along with any other credentials definition sources you have. |
...r-core/src/main/java/com/netflix/spinnaker/clouddriver/security/AccountDefinitionSource.java
Show resolved
Hide resolved
|
Alright, I've updated based on most of the feedback so far. I need to dig a little deeper into the SQL implementation to update the deletion behavior documented in spinnaker/gate#1494 |
...main/kotlin/com/netflix/spinnaker/clouddriver/sql/security/SqlAccountDefinitionRepository.kt
Outdated
Show resolved
Hide resolved
clouddriver-sql/src/main/resources/db/changelog/20210927-accounts.yml
Outdated
Show resolved
Hide resolved
clouddriver-sql/src/main/resources/db/changelog/20210927-accounts.yml
Outdated
Show resolved
Hide resolved
|
I've updated the deletion behavior and made the revision history a little better. I've also removed some unused endpoints in the API. |
|
Thanks @jvz I'm looking forward to taking another look, but at this point I don't think it'll be til the new year. |
|
That's what I expected; just wanted to make sure I finished the PR updates before the same new year before I forgot about them! |
|
Oh, also helps to push this to my fork and not just a private repo. Pushed! |
|
@jvz I'm still struggling to catch up from the flood of messages after being off for awhile...this is still very much on my radar though... |
|
No worries! I just got back from holidays, so I made sure to leave pings where applicable. |
...e/src/main/java/com/netflix/spinnaker/clouddriver/config/AccountDefinitionConfiguration.java
Outdated
Show resolved
Hide resolved
...e/src/main/java/com/netflix/spinnaker/clouddriver/config/AccountDefinitionConfiguration.java
Show resolved
Hide resolved
...e/src/main/java/com/netflix/spinnaker/clouddriver/config/AccountDefinitionConfiguration.java
Show resolved
Hide resolved
| * @param name account name to look up history for | ||
| * @return history of account updates for the given account name | ||
| */ | ||
| List<Revision> revisionHistory(String name); |
...river-web/src/main/java/com/netflix/spinnaker/clouddriver/controllers/AccountController.java
Outdated
Show resolved
Hide resolved
...river-web/src/main/java/com/netflix/spinnaker/clouddriver/controllers/AccountController.java
Outdated
Show resolved
Hide resolved
This adds an experimental API for storing and loading account credentials definitions from an external durable store such as a SQL database. Secrets can be referenced through the existing Kork SecretEngine API which will be fetched on demand. Initial support is for Kubernetes accounts given the lack of existing Kubernetes cluster federation standards compared to other cloud providers, though this API is made generic to allow for other cloud provider APIs to participate in this system.
| var string = super.deserialize(p, ctxt); | ||
| if (EncryptedSecret.isEncryptedSecret(string)) { | ||
| return EncryptedSecret.isEncryptedFile(string) | ||
| ? secretManager.decryptAsFile(string).toString() |
There was a problem hiding this comment.
Should this add a file: prefix, too?
There was a problem hiding this comment.
Apparently that's only used for SAML related files that may be used in gate or fiat, so I'd say this is fine without the file: prefix.
| } | ||
|
|
||
| @GetMapping("/{accountName}/history") | ||
| @PreAuthorize("hasPermission(#accountName, 'ACCOUNT', 'READ')") |
There was a problem hiding this comment.
This should probably be changed to WRITE permissions before being exposed in Gate.
| var string = super.deserialize(p, ctxt); | ||
| if (EncryptedSecret.isEncryptedSecret(string)) { | ||
| return EncryptedSecret.isEncryptedFile(string) | ||
| ? secretManager.decryptAsFile(string).toString() |
There was a problem hiding this comment.
Apparently that's only used for SAML related files that may be used in gate or fiat, so I'd say this is fine without the file: prefix.
...r-web/src/main/java/com/netflix/spinnaker/clouddriver/controllers/CredentialsController.java
Show resolved
Hide resolved
* feat(core): Add experimental account storage API This adds an experimental API for storing and loading account credentials definitions from an external durable store such as a SQL database. Secrets can be referenced through the existing Kork SecretEngine API which will be fetched on demand. Initial support is for Kubernetes accounts given the lack of existing Kubernetes cluster federation standards compared to other cloud providers, though this API is made generic to allow for other cloud provider APIs to participate in this system. * Combine AccountController with CredentialsController * Fix account permissions and add comments * Add alpha annotations * Use correct annotations for rest APIs
* feat(core): Add experimental account storage API This adds an experimental API for storing and loading account credentials definitions from an external durable store such as a SQL database. Secrets can be referenced through the existing Kork SecretEngine API which will be fetched on demand. Initial support is for Kubernetes accounts given the lack of existing Kubernetes cluster federation standards compared to other cloud providers, though this API is made generic to allow for other cloud provider APIs to participate in this system. * Combine AccountController with CredentialsController * Fix account permissions and add comments * Add alpha annotations * Use correct annotations for rest APIs
* feat(core): Add experimental account storage API This adds an experimental API for storing and loading account credentials definitions from an external durable store such as a SQL database. Secrets can be referenced through the existing Kork SecretEngine API which will be fetched on demand. Initial support is for Kubernetes accounts given the lack of existing Kubernetes cluster federation standards compared to other cloud providers, though this API is made generic to allow for other cloud provider APIs to participate in this system. * Combine AccountController with CredentialsController * Fix account permissions and add comments * Add alpha annotations * Use correct annotations for rest APIs
This adds an experimental API for storing and loading account
credentials definitions from an external durable store such as a SQL
database. Secrets can be referenced through the existing Kork
SecretEngine API which will be fetched on demand. Initial support is for
Kubernetes accounts given the lack of existing Kubernetes cluster
federation standards compared to other cloud providers, though this API
is made generic to allow for other cloud provider APIs to participate in
this system.
spinnaker/spinnaker#6525