-
Notifications
You must be signed in to change notification settings - Fork 509
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Secrets interface cleanup #3842
base: develop
Are you sure you want to change the base?
Conversation
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## develop #3842 +/- ##
========================================
Coverage 15.53% 15.53%
========================================
Files 731 731
Lines 81497 81497
Branches 1087 1087
========================================
Hits 12664 12664
Misses 68833 68833
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
"""The list of secrets known to the operator, or None.""" | ||
return self._secrets | ||
|
||
def register_secrets(self, secrets): |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
doesn't this allow registering secrets that are not in the plugin definition?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes it does. Also true for the current implementation in develop
. It reflects a need for further refactoring as it would be more appropriate for secret registration to be owned by the ExecutionContext
, not the Operator
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The current implementation doesn't facilitate users to register unlisted secrets
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
All I did was rename the add_secrets()
method to register_secrets()
self.__secrets = {} | ||
self._operator_uri = None | ||
self._resolver = None | ||
class SecretsDictionary(Mapping): |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why are you removing this?!?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The secret resolution logic is now inside ExecutionContext
, and we get the other read-only aspects for free by implementing Mapping
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't believe we should make it a simple dict. I think we should at least try to make secrets secure and iterate
Change log
operator._plugin_secrets
outside of theOperator
classExecutionContext
, as opposed to being partly inExecutionContext
and partly inSecretsDictionary
Notes
ctx.resolve_secret_values()
is called. Currently that is not the case, as it also appears to be necessary forctx.secrets
to dynamically resolve secrets. That behavior is maintained in this PR (although all secrets are resolved in a batch the first timectx.secrets
is accessed, rather than resolving one-by-one).