
feat: on validate command, validate that all secrets are tagged #695

Merged
merged 1 commit into from
Aug 20, 2024

Conversation

quoral
Contributor

@quoral quoral commented Aug 19, 2024

This loops through all environments defined in the cloud run yaml file.
If it contains secretKeyRef (i.e. referencing a GCP Secret Manager
Secret) it will go through all fields in the Golang Config to find the
matching environment name field.

If that field is not tagged as secret, we return an error.

This is only run on -validate but is a breaking change for that command.
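The check the description outlines, as an added example in Go that is not the project's own code: the `envVar` entries stand in for the parsed Cloud Run YAML (constructed here), and the `env` and `secret` struct tag names are assumptions, not the project's convention.

```go
package main

import (
	"fmt"
	"reflect"
)

// envVar is the part of a Cloud Run container env entry that matters here
// (constructed stand-in for the parsed YAML).
type envVar struct {
	Name     string
	IsSecret bool // true when the entry uses valueFrom.secretKeyRef
}

// exampleConfig mimics an application config struct. The `env` and `secret`
// tag names are assumptions for this example, not the project's convention.
type exampleConfig struct {
	Port       int    `env:"PORT"`
	DBPassword string `env:"DB_PASSWORD" secret:"true"`
	APIKey     string `env:"API_KEY"` // comes from Secret Manager but is untagged
}

// validateSecretTags returns one message per env var that is sourced from a
// secretKeyRef but whose matching config field is not tagged secret:"true".
// Env vars with no matching field are skipped (assumption: nothing to tag).
func validateSecretTags(cfg interface{}, env []envVar) []string {
	t := reflect.TypeOf(cfg)
	if t.Kind() == reflect.Ptr {
		t = t.Elem()
	}
	byEnv := map[string]reflect.StructField{}
	for i := 0; i < t.NumField(); i++ {
		f := t.Field(i)
		if name := f.Tag.Get("env"); name != "" {
			byEnv[name] = f
		}
	}
	var problems []string
	for _, e := range env {
		f, ok := byEnv[e.Name]
		if !e.IsSecret || !ok {
			continue
		}
		if f.Tag.Get("secret") != "true" {
			problems = append(problems, fmt.Sprintf(
				"env %s references a secretKeyRef but field %s lacks secret:\"true\"", e.Name, f.Name))
		}
	}
	return problems
}
```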

@quoral quoral requested a review from a team as a code owner August 19, 2024 16:47
@@ -38,6 +39,7 @@ type Config struct {
envPrefix string
yamlServiceSpecificationFilename string
optionalSecrets bool
ValidateMistaggedSecrets bool
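Review bot: `ValidateMistaggedSecrets` is exported while its neighbours in the same block (`envPrefix`, `yamlServiceSpecificationFilename`, `optionalSecrets`) are unexported and, per the thread, are set through option functions such as `cloudconfig.WithYAMLServiceSpecificationFile`; either rename it `validateMistaggedSecrets` and add a matching option, or drop the field and run the check unconditionally under `-validate` as the review suggests. Either way the field needs a doc comment stating that it only gates the validate-time check and does not change how secrets are loaded at runtime.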
Member

pretty sure we can make this unconfigurable default behavior

Contributor Author

So on second glance, this was the only way I could get this to run as part of only the validate step. If I don't have this configuration, we either have to piggyback on the optionalSecrets config flag, or alert even on startup if the cloudconfig.WithYAMLServiceSpecificationFile has been set.

However, cloudconfig.WithYAMLServiceSpecificationFile isn't only set by the validate, it can also be run as part of local development workflows.

@odsod odsod left a comment


Neat refactoring! IMO no need to make this configurable initially, should be safe to have as default (required) behavior to tag secrets as secret

@quoral quoral force-pushed the validate-gcp-secret-tag branch 2 times, most recently from 96bf52a to 11f0525 Compare August 20, 2024 06:46
@quoral quoral force-pushed the validate-gcp-secret-tag branch from 11f0525 to a0839b1 Compare August 20, 2024 06:59
@quoral quoral merged commit 17dd619 into master Aug 20, 2024
1 check passed
@quoral quoral deleted the validate-gcp-secret-tag branch August 20, 2024 07:42