Allow use of GSM for communal credential secret #458
Conversation
|
|
pkg/meta/annotations.go
Outdated
| // This is a feature flag for accessing the secrets configured in Google Secret Manager. | ||
| // This is set to true by default to let the verticadb running cluster to access the secrets. | ||
| // The value of this annotation is treated as a boolean. | ||
| GcpGsmAnnotation = "vertica.com/gcpgsmaccess" |
There was a problem hiding this comment.
Suggest using '-' to make the annotation more readable:
| GcpGsmAnnotation = "vertica.com/gcpgsmaccess" | |
| GcpGsmAnnotation = "vertica.com/use-gcp-secret-manager" |
There was a problem hiding this comment.
Changed the annotation
pkg/meta/annotations.go
Outdated
| // UseGCPSecretManager returns true nk all admin commands should use the vclusterOps | ||
| // library rather than admintools. |
There was a problem hiding this comment.
Looks like a copy/paste error
| // UseGCPSecretManager returns true nk all admin commands should use the vclusterOps | |
| // library rather than admintools. | |
| // UseGCPSecretManager returns true if access to the communal secret should go | |
| // through Google's secret manager rather the fetching the secret from k8s meta-data. |
There was a problem hiding this comment.
Added the appropriate comments
pkg/meta/annotations.go
Outdated
| @@ -37,6 +37,12 @@ const ( | |||
| // treated as a boolean. | |||
| VClusterOpsAnnotation = "vertica.com/vcluster-ops" | |||
| VClusterOpsAnnotationTrue = "true" | |||
|
|
|||
| // This is a feature flag for accessing the secrets configured in Google Secret Manager. | |||
| // This is set to true by default to let the verticadb running cluster to access the secrets. | |||
There was a problem hiding this comment.
The default is false, but it's picked when calling the helper function. I would suggest removing this comment line all together then.
| // This is set to true by default to let the verticadb running cluster to access the secrets. |
There was a problem hiding this comment.
The default value is changed to false now and removed the comment about the same
pkg/controllers/vdb/init_db.go
Outdated
| @@ -269,12 +279,55 @@ func (g *GenericDatabaseInitializer) setKerberosAuthParms() { | |||
| g.ConfigurationParams.Set("KerberosEnableKeytabPermissionCheck", "0") | |||
| } | |||
|
|
|||
| func (g *GenericDatabaseInitializer) setAuthFromGCSSecret(ctx context.Context) (string, ctrl.Result, error) { | |||
| name := "projects/otl-ot2-int-sb/secrets/new_vertica_secret/versions/1" | |||
There was a problem hiding this comment.
This name should come from the vdb.Spec.Communal.CredentialSecret
There was a problem hiding this comment.
Introduced the annotations to read the project id and secret name
pkg/controllers/vdb/init_db.go
Outdated
|
|
||
| result, err := client.AccessSecretVersion(ctx, req) | ||
| if err != nil { | ||
| g.Log.Info("google: could not find default credentials") |
There was a problem hiding this comment.
What does the error message mean? What are default credentials
There was a problem hiding this comment.
Updated with appropriate error message
pkg/controllers/vdb/init_db.go
Outdated
| @@ -65,6 +70,11 @@ type GenericDatabaseInitializer struct { | |||
| ConfigurationParams *vtypes.CiMap | |||
| } | |||
|
|
|||
| type GcpSecret struct { | |||
There was a problem hiding this comment.
Lets not export this struct. Also, secret is too generic. Lets call out the fact that it's for credentials.
| type GcpSecret struct { | |
| type gcpCredentialSecret struct { |
There was a problem hiding this comment.
This comment is obsolete now as I changed it to map[string]string{} and this struct is no more present
pkg/controllers/vdb/init_db.go
Outdated
| Accesskey string | ||
| Secretkey string |
There was a problem hiding this comment.
Does this need to have specific field names, or could we have used something more generic like map[string]string instead?
There was a problem hiding this comment.
Removed the struct and introduced map
pkg/controllers/vdb/init_db.go
Outdated
| @@ -65,6 +70,11 @@ type GenericDatabaseInitializer struct { | |||
| ConfigurationParams *vtypes.CiMap | |||
| } | |||
|
|
|||
| type GcpSecret struct { | |||
| Accesskey string | |||
There was a problem hiding this comment.
Depending on other comments, this may not apply anymore. But I'm including it here so I don't forget... since we use struct to unmarshal JSON, we should have JSON style comments attached with it.
| Accesskey string | |
| Accesskey string ``json:"accesskey"` |
There was a problem hiding this comment.
This comment is obsolete now as I changed it to map[string]string{} and this struct is no more present
pkg/controllers/vdb/init_db.go
Outdated
| } | ||
|
|
||
| var gs GcpSecret | ||
| err = json.Unmarshal([]byte(string(result.Payload.Data)), &gs) |
There was a problem hiding this comment.
What data type is result.Payload.Data?
There was a problem hiding this comment.
I think uint8 is the same as byte. Can we just pass in the payload without a cast?
There was a problem hiding this comment.
No casting is done
pkg/controllers/vdb/init_db.go
Outdated
|
|
||
| result, err := client.AccessSecretVersion(ctx, req) | ||
| if err != nil { | ||
| g.Log.Info("google: could not find default credentials") |
There was a problem hiding this comment.
Where is it supposed to find the credentials? By credentials do you mean credentials for the GCP account?
There was a problem hiding this comment.
It is my understanding that the host where the operator runs has a profile setup to allow it access to the GSM.
There was a problem hiding this comment.
Added the proper logs now
pkg/controllers/vdb/init_db.go
Outdated
| name := "projects/" + g.Vdb.Annotations[meta.GcpProjectIDAnnotation] + | ||
| "/secrets/" + g.Vdb.Annotations[meta.GcpSecNameAnnontation] + | ||
| "/versions/" + g.Vdb.Annotations[meta.GcpSecVersionAnnotation] |
There was a problem hiding this comment.
We shouldn't use annotations to come up with then secret name. We already have a field in the VerticaDB CR for the name and should use that: spec.communal.credentialSecret
There was a problem hiding this comment.
Removed the new annotations and used the existing credentialSecret for GSM as well
pkg/controllers/vdb/init_db.go
Outdated
| crc32c := crc32.MakeTable(crc32.Castagnoli) | ||
| checksum := int64(crc32.Checksum(result.Payload.Data, crc32c)) | ||
| if checksum != *result.Payload.DataCrc32C { | ||
| return "", ctrl.Result{}, err |
There was a problem hiding this comment.
err is still nil here I believe.
| @@ -15,10 +15,16 @@ apiVersion: vertica.com/v1beta1 | |||
| kind: VerticaDB | |||
| metadata: | |||
| name: verticadb-sample | |||
| annotations: | |||
There was a problem hiding this comment.
Lets not update this file. This is used to build example text in the CSV -- you see it on opeatorhub.io for instance.
There was a problem hiding this comment.
no change in this file now
spilchen
changed the title
pkg/meta/annotations.go
Outdated
| // This is a feature flag for accessing the secrets configured in Google Secret Manager. | ||
| // The value of this annotation is treated as a boolean. | ||
| GcpGsmAnnotation = "vertica.com/use-gcp-secret-manager" | ||
| GcpGsmAnnotationTrue = "true" |
There was a problem hiding this comment.
Do we need these? I don't see it being used anywhere.
There was a problem hiding this comment.
These should be supplied in the yaml file to return true from UseGCPSecretManager so that it fetches gsm secrets.
There was a problem hiding this comment.
But do we need this const defined in the code here? Where do we use it?
There was a problem hiding this comment.
Removed the GcpGsmAnnotationTrue constant, as we can directly supply value true from the yaml file
pkg/controllers/vdb/init_db.go
Outdated
| return res, err | ||
| if meta.UseGCPSecretManager(g.Vdb.Annotations) { | ||
| auth, res, err := g.setAuthFromGCSSecret(ctx) | ||
| if err != nil { |
There was a problem hiding this comment.
We need to check res. Lets use the helper we have:
| if err != nil { | |
| if verrors.IsReconcileAborted { |
There was a problem hiding this comment.
Added as suggested
pkg/controllers/vdb/init_db.go
Outdated
| crc32c := crc32.MakeTable(crc32.Castagnoli) | ||
| checksum := int64(crc32.Checksum(result.Payload.Data, crc32c)) | ||
| if checksum != *result.Payload.DataCrc32C { | ||
| return "", ctrl.Result{}, err |
There was a problem hiding this comment.
I know we talked about this on teams, but the code here looks wrong. I think my suggestion will solve it.
pkg/controllers/vdb/init_db.go
Outdated
| defer client.Close() | ||
|
|
||
| req := &secretmanagerpb.AccessSecretVersionRequest{ | ||
| Name: name, |
There was a problem hiding this comment.
Suggest removal of the name parameter:
| Name: name, | |
| Name: g.Vdb.Spec.Communal.CredentialSecret, |
There was a problem hiding this comment.
removed the name variable
| @@ -15,12 +15,13 @@ apiVersion: vertica.com/v1beta1 | |||
| kind: VerticaDB | |||
| metadata: | |||
| name: verticadb-sample | |||
|
|
|||
There was a problem hiding this comment.
minor nit: can we just undo the changes in here entirely. I know semantically nothing changed, I would prefer if this file didn't change at all
There was a problem hiding this comment.
No changes now in the file
This upgrades go to version 1.20. This is needed to be compatible with a future change to the vclusterOps library.
pkg/controllers/vdb/init_db.go
Outdated
|
|
||
| err = json.Unmarshal([]byte(string(result.Payload.Data)), &GcpCred) | ||
| if err != nil { | ||
| return "", ctrl.Result{}, fmt.Errorf("checksum failure, expected %d but got %d", *result.Payload.DataCrc32C, checksum) |
There was a problem hiding this comment.
The error text does make sense here. Is this a copy+paste error?
pkg/controllers/vdb/init_db.go
Outdated
| return "", ctrl.Result{Requeue: true}, nil | ||
| } | ||
|
|
||
| auth := fmt.Sprintf("%s:%s", strings.TrimSuffix(string(accessKey), "\n"), strings.TrimSuffix(string(secretKey), "\n")) |
There was a problem hiding this comment.
Why do you need to strip newlines from the secrets?
There was a problem hiding this comment.
the configuration parameter takes the auth value in terms of accesskey:secretkey, which forming the auth parameter to format in the required format if there are any new lines those needs to be trimmed. I already have checked, if there are new lines in the keys, nothing will happen to the string.
There was a problem hiding this comment.
But did you see a case where a newline was at the end of one of the keys?
There was a problem hiding this comment.
The similar trimming is done in getCommunalAuth for the accesskey and secretkey. Followed the similar way of coding.
|
@sivaalamp we are almost finished with the review. There are just two remaining comments to answer and/or address. |
This is similar to #458 except we read from GSM for the superuser password secret. We use the same feature flag as before. Here is a sample CR to enable it. ``` kind: VerticaDB metadata: name: v annotations: vertica.com/use-gcp-secret-manager: "true" spec: superuserPasswordSecret: <full name of the secret in GSM> ... ``` The name of the GSM secret is taken from the existing `spec.superuserPasswordSecret` field. Note, if GSM is being used we can't use the canary query for health probes as that depends on the superuser password being a k8s secret. Instead, we check if vertica is running by seeing if anyone is listening on the vertica client port. --------- Co-authored-by: Matt Spilchen <[email protected]>
This adds a feature flag to get the secret for the communal credential from google secret manager (GSM) instead of from a k8s secret.
It is off by default. You must set the following annotation in the VerticaDB CR:
The name of the GSM secret is taken from the existing
spec.communal.credentialSecretfield.