feat: SecretManagerSecret full test coverage & manual replication field #3371
Conversation
yuwenma
changed the title
| @@ -48,8 +48,7 @@ type SecretManagerSecretSpec struct { | |||
| // This is always provided on output, regardless of what was sent on input. | |||
| ExpireTime *string `json:"expireTime,omitempty"` | |||
|
|
|||
| // Input only. The TTL for the | |||
| // [Secret][google.cloud.secretmanager.v1.Secret]. | |||
| // Input only. A duration in seconds with up to nine fractional digits, ending with 's'. Example: "3.5s". | |||
There was a problem hiding this comment.
The TTL is a stale field that causes customers issues: it uses "Now()" when the resource is created that users cannot control or predict.
But since this is already in Beta, we still add the test coverage for it.
Also this change improves the user experience a little bit otherwise they don't now what value to give.
There was a problem hiding this comment.
Ouch. This doesn't feel like a spec field, because if I specify ttl: 60s what is the TTL value in 10 seconds? It seems like it should be 60s, because that is my desired state. But I suspect it will be 50s.
There was a problem hiding this comment.
Yes, this is exactly the problem!
| @@ -26,7 +26,7 @@ if [[ -z "${KUBEBUILDER_ASSETS:-}" ]]; then | |||
| fi | |||
|
|
|||
| if [[ -z "${KCC_USE_DIRECT_RECONCILERS:-}" ]]; then | |||
| KCC_USE_DIRECT_RECONCILERS=ComputeForwardingRule,GKEHubFeatureMembership,SecretManagerSecret,SecretManagerSecretVersion | |||
There was a problem hiding this comment.
The test now covers both legacy controller and direct controller (via alpha direct annotation). we no longer need this
| if secret.Spec.Replication.UserManaged != nil { | ||
| for _, r := range secret.Spec.Replication.UserManaged.Replicas { | ||
| if r.CustomerManagedEncryption != nil { | ||
| kmsKeyRef := r.CustomerManagedEncryption.KmsKeyRef |
There was a problem hiding this comment.
I previously missed this field because I thought it is another field spec.customerManagedEncryption, which is not supported yet in the current released beta API.
There was a problem hiding this comment.
Do we have a fuzz test :-)
yuwenma
force-pushed
the
secret-manager-wip
branch
3 times, most recently
from
08c7091 to
5aa4c54
Compare
yuwenma
force-pushed
the
secret-manager-wip
branch
4 times, most recently
from
16438ad to
c827a86
Compare
yuwenma
force-pushed
the
secret-manager-wip
branch
from
c827a86 to
4e61488
Compare
yuwenma
force-pushed
the
secret-manager-wip
branch
from
4e61488 to
32a002c
Compare
.../resourcefixture/testdata/basic/secretmanager/v1beta1/secretmanagersecretversion/create.yaml
Show resolved
Hide resolved
yuwenma
force-pushed
the
secret-manager-wip
branch
from
d810d99 to
52f0b95
Compare
|
/lgtm |
| @@ -84,6 +84,13 @@ func (s *SecretsV1) populateDefaultsForSecret(ctx context.Context, obj *pb.Secre | |||
| return fmt.Errorf("Aliases cannot be assigned to versions that don't exist") | |||
| } | |||
| } | |||
| // TTL and ExpireTime are OneOf, but the GCP service always converts TTL to expireTime before storing the object. | |||
There was a problem hiding this comment.
This is a reasonable behaviour. Maybe we should deprecate spec.ttl (and replace with spec.initialTTL - although if we are going to do that, we can just change the comment on the field)
| @@ -154,6 +161,10 @@ func (s *SecretsV1) UpdateSecret(ctx context.Context, req *pb.UpdateSecretReques | |||
| updated.Expiration = &pb.Secret_ExpireTime{ | |||
| ExpireTime: req.Secret.GetExpireTime(), | |||
| } | |||
| case "ttl": | |||
| updated.Expiration = &pb.Secret_Ttl{ | |||
| Ttl: req.Secret.GetTtl(), | |||
There was a problem hiding this comment.
Nit: really? I would have assumed it would set Expiration.ExpireTime, just like in create. Still if this is what the logs tell us....
There was a problem hiding this comment.
Actually I don't know if we have test coverage of this in this PR (?). It's not a big deal, because it's a mock (we can fix it when we need it), just that I would have guessed the other way!
In general I think the behaviour of this ttl field is very tricky. Should we reconcile it (meaning secrets never expire)? Should we only apply on create? But if we do that, what happens when the user changes the TTL field in KRM? What happens if they change a different field?
There was a problem hiding this comment.
Yes... here's what the SecertManager server tells us https://screenshot.googleplex.com/9giJXnHPt3nMSwm.png For the log, the respond is always expire time, no ttl whatever the request says. I uploaded the real log in the git-commit
There was a problem hiding this comment.
Oh I see. We set ttl, and then in populateDefaultsForSecret we convert it. I guess that works, because then we can use the shared fieldmask update code at some point in the future!
| @@ -84,6 +84,13 @@ func (s *SecretsV1) populateDefaultsForSecret(ctx context.Context, obj *pb.Secre | |||
| return fmt.Errorf("Aliases cannot be assigned to versions that don't exist") | |||
| } | |||
| } | |||
| // TTL and ExpireTime are OneOf, but the GCP service always converts TTL to expireTime before storing the object. | |||
| if obj.GetTtl() != nil { | |||
| expirateTime := timestamppb.Now().AsTime().Add(obj.GetTtl().AsDuration()) | |||
There was a problem hiding this comment.
Nit: might as well name it the same as the field you're setting, i.e. expireTime
|
|
||
| if paths.Has("ttl") { | ||
| paths = paths.Delete("ttl") | ||
| resource.Expiration = a.actual.Expiration |
There was a problem hiding this comment.
Nit: there should be a comment here, because I don't think this does anything unless expiration is set in paths
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: justinsb The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
google-oss-prow
bot
merged commit ff59285
into
GoogleCloudPlatform:master
Improve SecretManager with full test coverage.
2nd git-commit is real gcp
3rd git-commit is mockgcp
Filed #3395 to capture the TTL issue