Lazy Secret Pull Tag

[claire1618]

I am changing the types code to add a tag "pull" to secrets that can be set to either "always" or "on_start" to implement changes that correspond with this issue: #196

Example:

secrets:
  - name: foo
    key: go-vela/docs/foo
    engine: native
    type: repo
    pull: on_start

Setting pull to on_start ensures that secrets are pulled when the underlying step starts, and setting the pull to always is the current behavior of pulling secrets at the beginning of the build.

However, we think "on_start" and "always" might not be the best terms to use, so we have come up with three other possible options.

[JordanSussman]

Do you have some thoughts on how the new retrieval logic will work when multiple steps are consuming the same secret? Suppose a pipeline that looks like the following:

secrets:
  - name: foo
    key: go-vela/docs/foo
    engine: native
    type: repo
    pull: on_start

steps:
  - name: first
    image: alpine:latest
    secrets: [foo]
    commands:
      - echo "foo"
      - sleep 60

  - name: second
    image: alpine:latest
    secrets: [foo]
    commands:
      - echo "bar"

Will the foo secret be pulled once or twice? I would advocate for re-pulling the secret in every consuming step to accommodate long running pipelines that want the most updated secret value.

[wass3rw3rk]

Thanks for the question. I think the plan was to re-pull on every consuming step at this time. We could make it less expensive if we did something like conditional requests via etags which of course has its own complexities.

[JordanSussman]

I think the plan was to re-pull on every consuming step at this time.

No objections with moving forward with a simple re-pull.