-
Notifications
You must be signed in to change notification settings - Fork 77
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CLOUDP-167207: Validate GCP Service Account Key #1008
Conversation
fd210c4
to
0d9851b
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Overall looks good, just have a few comments and 2 extra thoughts:
-
Does it make sense to have an e2e test to see how an escaped string from an applied yaml would go through the validation?
-
Talking to @igor-karpukhin, we were wondering if makes sense to validate the entire service account object, once Atlas API will check it is really valid and can be used to connect to GCPP.
I am doing some manual testing at the moment before I decide how to proceed there. I am hesitant to add up more to our slow and flaky e2e tests, unless for a very good reason that has no better alternative. I think the validation against the API was not the initial idea. We could do that, even before we deploy anything in the cloud. And that could be a fast e2e test as it is a single check and does not require a cloud resource deployment to take place beforehand. |
8f1e6a6
to
a97952c
Compare
In the end I added the same tests as e2e test as well, but the happy path case is using the format that we can recommend to end users when setting up the keys, just take the service account JSON file from Google and put it, as is, in the CRD YAML as a multiline attribute: apiVersion: atlas.mongodb.com/v1
kind: AtlasProject
metadata:
name: my-project
spec:
name: Test Atlas Operator Project
encryptionAtRest:
googleCloudKms:
enabled: true
keyVersionResourceID: projects/...
serviceAccountKey: |
{
"type": "service_account",
"project_id": "...",
...
} The only caveat is to respect the indentation, as seen in the example, so that the YAML format knows this file is a document for |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good in general 👍 , but let's not separate this test from other "encryption-at-rest" tests
a97952c
to
de01e8d
Compare
Signed-off-by: Jose Vazquez <[email protected]>
de01e8d
to
80ac13c
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good work!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good 👍
All Submissions:
closes #XXXX
in your comment to auto-close the issue that your PR fixes (if there is one).