Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Auto generated pipelines should have access to test keyvaults #3741

Closed
deyaaeldeen opened this issue Jul 25, 2022 · 7 comments
Closed

Auto generated pipelines should have access to test keyvaults #3741

deyaaeldeen opened this issue Jul 25, 2022 · 7 comments
Labels
Central-EngSys This issue is owned by the Engineering System team.

Comments

@deyaaeldeen
Copy link
Member

Required keyvaults are supposed to be linked by default for live test when pipelines are auto generated by pipeline generator
@deyaaeldeen deyaaeldeen added the Central-EngSys This issue is owned by the Engineering System team. label Jul 25, 2022
@azure-sdk azure-sdk moved this to 🤔Triage in Azure SDK EngSys 🤖🧠 Jul 25, 2022
@weshaggard
Copy link
Member

@deyaaeldeen can you please give an example of which needed secrets are missing? We do try to hook up the secrets but maybe there is a new required one missing.

@deyaaeldeen
Copy link
Member Author

@praveenkuttappan has context on this issue but basically an auto-generated pipeline is failing because it apparently doesn't have access to the AzureSDK-TestSecrets2 KV.

@weshaggard
Copy link
Member

OK we should look at what variable group those secrets are in and determine if this is something we can easily fix. If it requires a custom set of secrets for a given pipeline this is not something we can fix generically.

@deyaaeldeen
Copy link
Member Author

The secrets needed are listed in tests.yml: https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/cognitivelanguage/ai-language-text/tests.yml

@weshaggard
Copy link
Member

Those definitely look unique and specific to that one test pipeline so it will be difficult to automatically handle those cases. Just for context we aren't just giving permissions to a KV in the pipeline we are giving permission to a variable group which needs to explicitly list out the secrets that are needed for the pipeline so when there are pipelines with a custom set of secrets needed that will have to be configured manually. I will also add we generally try to avoid needing a custom set of secrets and instead try and generate tokens and such as part of the arm template which can then be controlled by our template provisioning scripts.

@benbp
Copy link
Member

benbp commented Jul 25, 2022
edited
Loading

I'm going to mark this as a duplicate of #2572. @deyaaeldeen I am trying to deprecate all usages of hardcoded secret references in the yaml in favor of either arm/bicep templates as @weshaggard mentioned, or via a subscription configuration.

For the specific pipelines in question, I have added a variable group reference in the pipeline definition for Test Secrets for JS Live Tests (group number 70) which should get them working with the existing secret references.

@benbp benbp closed this as completed Jul 25, 2022
Repository owner moved this from 🤔Triage to 🎊Closed in Azure SDK EngSys 🤖🧠 Jul 25, 2022
@deyaaeldeen
Copy link
Member Author

Thanks a lot @weshaggard and @benbp for the explanations and the help!

@weshaggard weshaggard mentioned this issue Jul 27, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Central-EngSys This issue is owned by the Engineering System team.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@benbp @deyaaeldeen @weshaggard