Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Svidstore gcp region #5718

Open
wants to merge 7 commits into
base: main
Choose a base branch
from
Open

Svidstore gcp region #5718

wants to merge 7 commits into from
+84 −5

Conversation

jenshornan
Copy link

Pull Request check list

  • [X ] Commit conforms to CONTRIBUTING.md?
  • [ X] Proper tests/regressions included?
  • [ X] Documentation updated?

Affected functionality

Now you are able to specify the region the secret gets created in

Description of change

Add new selector called region. If no region selector is given it will be the old behavior to create a global secret.

Which issue this PR fixes

fixes #5717

@jenshornan
Add support for regions
844197f 
Signed-off-by: Jens Hörnström <[email protected]>
@jenshornan
Add support for regions
a747105 
Signed-off-by: Jens Hörnström <[email protected]>
@jenshornan
Add support for multiple regions
b00897c 
Signed-off-by: Jens Hörnström <[email protected]>
@MarcosDY MarcosDY self-assigned this Dec 16, 2024
@jenshornan
Copy link
Author

Sorry for failing test. Should be fixed now.

sorindumitru
sorindumitru reviewed Jan 3, 2025
View reviewed changes
pkg/agent/plugin/svidstore/gcpsecretmanager/gcloud.go
Automatic: &secretmanagerpb.Replication_Automatic{},
},
},
Replication: opt.replication,
Copy link
Contributor

@sorindumitru sorindumitru Jan 3, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is only done if the secret is not found. If a secret already exists and the list of locations changed, then we wouldn't be updating the secret with the new list. We probably need to call UpdateSecret in those cases.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Although I see that the replication cannot be changed after the secret has been created, based on the comments in https://pkg.go.dev/cloud.google.com/go/[email protected]/apiv1/secretmanagerpb#Secret.

I don't know if deleting and recreating it would work, if it doesn't we'd need to at least log something to inform the user.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@MarcosDY What do you think, should we attempt to delete and recreate? That might end up being bad user experience, i imagine the secret with the X509-SVID will dissapear for a short amount of time.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That is a possibility. I do think Replication field is immutable. So in the case someone change it we will need to destroy and then re-create the secret with the new location setting.

Dont know do if appending more regions to the list of regions would be possible as an update...

Maybe easier to just destory and re-create in both cases?

I can look in to it.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry did not refresh so I missed you follow up comment will wait for a decision. Also to take in to consideration is that it might create IAM problems for the user.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sorindumitru sorindumitru sorindumitru left review comments

@evan2645 evan2645 Awaiting requested review from evan2645 evan2645 is a code owner

@amartinezfayo amartinezfayo Awaiting requested review from amartinezfayo amartinezfayo is a code owner

@azdagron azdagron Awaiting requested review from azdagron azdagron is a code owner

@MarcosDY MarcosDY Awaiting requested review from MarcosDY MarcosDY is a code owner

@rturner3 rturner3 Awaiting requested review from rturner3 rturner3 is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

@MarcosDY MarcosDY

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

svidstore gcp_secretmanager Support regions
3 participants
@jenshornan @sorindumitru @MarcosDY