Pluggable secret backend #2239
@@ -0,0 +1,14 @@ | ||
package validation | ||
|
||
import "fmt" | ||
|
||
// MaxSecretSize is the maximum byte length of the `Secret.Spec.Data` field. | ||
const MaxSecretSize = 500 * 1024 // 500KB | ||
|
||
// ValidateSecretPayload validates the secret payload size | ||
func ValidateSecretPayload(data []byte) error { | ||
if len(data) >= MaxSecretSize || len(data) < 1 { | ||
return fmt.Errorf("secret data must be larger than 0 and less than %d bytes", MaxSecretSize) | ||
} | ||
return nil | ||
} |
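Review bot: The guard on the `if` line rejects a payload of exactly MaxSecretSize bytes, while the constant's comment calls it the maximum byte length, so the documented limit and the enforced limit differ by one. Either change the comparison to `if len(data) > MaxSecretSize || len(data) < 1 {` with the message `"secret data must be larger than 0 and at most %d bytes"`, or reword the constant's comment to say the length must be strictly less than it. Whichever form is chosen is presumably also the rule applied to inline secrets at create time, so the same check should be used there to keep an external driver from returning a payload the API would have refused. A doc line such as `// ValidateSecretPayload returns an error unless data is non-empty and below MaxSecretSize.` would make the shared contract explicit.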
@@ -1,9 +1,13 @@ | ||
package dispatcher | ||
|
||
import ( | ||
"fmt" | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. minor nit: normally there would be a blank line here There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Thanks @aaronlehmann fixed. |
||
|
||
"github.com/Sirupsen/logrus" | ||
"github.com/docker/swarmkit/api" | ||
"github.com/docker/swarmkit/api/equality" | ||
"github.com/docker/swarmkit/api/validation" | ||
"github.com/docker/swarmkit/manager/drivers" | ||
"github.com/docker/swarmkit/manager/state/store" | ||
) | ||
|
||
|
@@ -24,15 +28,16 @@ type typeAndID struct { | |
} | ||
|
||
type assignmentSet struct { | ||
dp *drivers.DriverProvider | ||
tasksMap map[string]*api.Task | ||
tasksUsingDependency map[typeAndID]map[string]struct{} | ||
changes map[typeAndID]*api.AssignmentChange | ||
|
||
log *logrus.Entry | ||
log *logrus.Entry | ||
} | ||
|
||
func newAssignmentSet(log *logrus.Entry) *assignmentSet { | ||
func newAssignmentSet(log *logrus.Entry, dp *drivers.DriverProvider) *assignmentSet { | ||
return &assignmentSet{ | ||
dp: dp, | ||
changes: make(map[typeAndID]*api.AssignmentChange), | ||
tasksMap: make(map[string]*api.Task), | ||
tasksUsingDependency: make(map[typeAndID]map[string]struct{}), | ||
|
@@ -53,12 +58,13 @@ func (a *assignmentSet) addTaskDependencies(readTx store.ReadTx, t *api.Task) { | |
if len(a.tasksUsingDependency[mapKey]) == 0 { | ||
a.tasksUsingDependency[mapKey] = make(map[string]struct{}) | ||
|
||
secret := store.GetSecret(readTx, secretID) | ||
if secret == nil { | ||
secret, err := a.secret(readTx, secretID) | ||
if err != nil { | ||
a.log.WithFields(logrus.Fields{ | ||
"secret.id": secretID, | ||
"secret.name": secretRef.SecretName, | ||
}).Debug("secret not found") | ||
"error": err, | ||
}).Error("failed to fetch secret") | ||
continue | ||
} | ||
|
||
|
@@ -245,3 +251,29 @@ func (a *assignmentSet) message() api.AssignmentsMessage { | |
|
||
return message | ||
} | ||
|
||
// secret populates the secret value from raft store. For external secrets, the value is populated | ||
// from the secret driver. | ||
func (a *assignmentSet) secret(readTx store.ReadTx, secretID string) (*api.Secret, error) { | ||
secret := store.GetSecret(readTx, secretID) | ||
if secret == nil { | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Looks like this is returning any time the local store doesn't have the secret. I still think it's better to check the local store only if driver was not specified. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. @cpuguy83 but if a driver was specified, I still need to query the There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Oh, I see now. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I'm not sure I follow: doesn't this function return if the There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. The secret metadata is still stored in the raft store and must exist there. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. @riyazdf, just to clarify, following @cpuguy83 comments, I consolidate all secret fetching functionality to a single function.
||
return nil, fmt.Errorf("secret not found") | ||
} | ||
if secret.Spec.Driver == nil { | ||
return secret, nil | ||
} | ||
d, err := a.dp.NewSecretDriver(secret.Spec.Driver) | ||
if err != nil { | ||
return nil, err | ||
} | ||
value, err := d.Get(&secret.Spec) | ||
if err != nil { | ||
return nil, err | ||
} | ||
if err := validation.ValidateSecretPayload(value); err != nil { | ||
return nil, err | ||
} | ||
// Assign the secret | ||
secret.Spec.Data = value | ||
return secret, nil | ||
} |
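Review bot: In `secret`, the line `secret.Spec.Data = value` writes the driver-fetched plaintext into the object returned by `store.GetSecret`; if that call hands back the stored object rather than a copy, the external value would end up cached in the manager's in-memory state, which defeats the purpose of keeping it out of raft. Copying before the assignment, e.g. `secret = secret.Copy()` if the generated type provides one, keeps the fetched value scoped to this assignment message. The caller in addTaskDependencies now logs every fetch failure at Error level with the driver error attached, where the not-found case was previously Debug; driver error strings may echo request details, so consider keeping not-found at Debug and checking what the drivers put in their errors. A nil `a.dp` may also panic at the `a.dp.NewSecretDriver` call, so either guard it or document on newAssignmentSet that dp is required.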
I might be tracing the code incorrectly but it seems that we could have a non-nil driver with an empty name? See: https://github.com/docker/swarmkit/pull/2239/files#diff-b7cdf7ddfbe8b31d75bc99e8d2d0fa78R58
Thanks @riyazdf, you are right, I modified the create flow accordingly.