Adding a new flag to the deploy command and the related new functionality in order to support the collecting of secrets and sending them to the backend #252
Conversation
…lity in order to support the collecting of secrets and sending them to the backend LMCROSSITXSADEPLOY-2301
| Deploy a multi-target app archive referenced by a remote URL | ||
| <write MTA archive URL to STDOUT> | cf deploy [-e EXT_DESCRIPTOR[,...]] [-t TIMEOUT] [--version-rule VERSION_RULE] [-u MTA_CONTROLLER_URL] [--retries RETRIES] [--no-start] [--namespace NAMESPACE] [--apply-namespace-app-names true/false] [--apply-namespace-service-names true/false] [--apply-namespace-app-routes true/false] [--apply-namespace-as-suffix true/false ] [--delete-services] [--delete-service-keys] [--delete-service-brokers] [--keep-files] [--no-restart-subscribed-apps] [--do-not-fail-on-missing-permissions] [--abort-on-error] [--strategy STRATEGY] [--skip-testing-phase] [--skip-idle-start] [--apps-start-timeout TIMEOUT] [--apps-stage-timeout TIMEOUT] [--apps-upload-timeout TIMEOUT] [--apps-task-execution-timeout TIMEOUT]` + util.UploadEnvHelpText, | ||
| (EXPERIMENTAL) Deploy a multi-target app archive referenced by a remote URL |
There was a problem hiding this comment.
why experimental here?
There was a problem hiding this comment.
Must have added it accidentally - fixed. I have just put it for the new flag, since we have talked about the feature being presented as experimental.
|
|
||
| var jsonObject map[string]interface{} | ||
|
|
||
| err2 := json.Unmarshal([]byte(envValue), &jsonObject) |
There was a problem hiding this comment.
can you reuse err?
There was a problem hiding this comment.
go wants to have a completely new variable on the left side of := and since I already have the "err", it is not letting me
| if GetBoolOpt(requireSecureParameters, flags) { | ||
| // Collect special ENVs: __MTA___<name>, __MTA_JSON___<name>, __MTA_CERT___<name> | ||
| parameters, err := secure_parameters.CollectFromEnv("__MTA") |
There was a problem hiding this comment.
This check happens after the upload of the mtar. Could be optimized so the validation is earlier to avoid unnecessary upload in case of some failure
There was a problem hiding this comment.
thanks for the suggestion, fixed :)
| return result, nil | ||
| } | ||
|
|
||
| func BuildSecureExtension(parameters map[string]ParameterValue, mtaID string, schemaVersion string) ([]byte, error) { |
There was a problem hiding this comment.
extract in a separate file
| if schemaVersion == "" { | ||
| schemaVersion = "3.3" | ||
| } |
There was a problem hiding this comment.
let's not hardcode versions in client
| switch currentParameterValue.Type { | ||
| case typeJSON: | ||
| parametersDescriptor[name] = currentParameterValue.ObjectContent | ||
| default: | ||
| parametersDescriptor[name] = currentParameterValue.StringContent | ||
| } |
There was a problem hiding this comment.
You can add a new method on ParameterValue and use it here (currentParameterValue.getValue())
There was a problem hiding this comment.
fixed, thanks for the suggestion :)
| func CollectFromEnv(prefix string) (map[string]ParameterValue, error) { | ||
| plainValue := prefix + "___" | ||
| jsonValue := prefix + "_JSON___" | ||
| certificateValue := prefix + "_CERT___" //X509value beacuse the certiciates are of type X509 (should be renamed) |
There was a problem hiding this comment.
Improve or remove the comment description
| return nil | ||
| } | ||
|
|
||
| func CollectFromEnv(prefix string) (map[string]ParameterValue, error) { |
There was a problem hiding this comment.
This method is quite long, try to shorten it, split in functions
| ObjectContent map[string]interface{} | ||
| } | ||
|
|
||
| func nameDuplicated(name, prefix string, result map[string]ParameterValue) error { |
There was a problem hiding this comment.
rename to something including "validate"
| envName := nameValuePair[:equalsIndex] | ||
| envValue := nameValuePair[equalsIndex+1:] | ||
|
|
||
| var name string |
There was a problem hiding this comment.
do you need to define here?
There was a problem hiding this comment.
Otherwise I have to define it in each separate case
| func (c *DeployCommand) doesUpsExist(userProvidedServiceName string) (bool, error) { | ||
| servicesOutput, err := c.cliConnection.CliCommandWithoutTerminalOutput("services") | ||
| if err != nil { | ||
| return false, fmt.Errorf("Error while checking if the UPS for secure encryption exists: %w", err) | ||
| } | ||
| stringTable := strings.Join(servicesOutput, "\n") | ||
| return findServiceName(stringTable, userProvidedServiceName), nil |
There was a problem hiding this comment.
Can we call the v3/services here instead a command?
| return true, encryptionKey, nil | ||
| } | ||
|
|
||
| func getRandomEncryptionKey() (string, error) { |
There was a problem hiding this comment.
is there some library that can do this for us?
|
|
||
| userProvidedServiceName := getUpsName(mtaId, namespace) | ||
|
|
||
| isUpsCreated, _, err := c.validateUpsExistsOrElseCreateIt(userProvidedServiceName, "v1") |
There was a problem hiding this comment.
what is the idea of:
"keyId": "v1"
There was a problem hiding this comment.
we have discussed it during the multiapps-controller changes :)
| for i := range encryptionKeyBytes { | ||
| encryptionKeyBytes[i] = alphabet[int(encryptionKeyBytes[i]&63)] | ||
| } | ||
|
|
||
| return string(encryptionKeyBytes), nil |
There was a problem hiding this comment.
Does this really creates a proper 256 bits keys? Why not something like:
func generateAES256Key() ([]byte, error) {
key := make([]byte, 32) // 256 bits
_, err := rand.Read(key)
if err != nil {
return nil, err
}
return string([]byte(fmt.Sprintf("%x", key))), nil
}
Why is alphabet needed?
2 participants
LMCROSSITXSADEPLOY-2301