Adding design doc for to extend the capabilities of secretStores to a global scope #38
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Vishwanath Hiremath <[email protected]>
rynowak
reviewed
Jan 23, 2024
|
|
||
| ## Overview | ||
|
|
||
| Today we have Application.Core/secretStores resource to securely manage secrets for the Application. However a gap exists if user wants to create a secret before application or environment is created. To address this limitation, we need to enhance the capabilities of the existing secretStores resource. The objective is to extend its support to a global scope, enabling users to store secrets prior to the creation of the application or environment. |
There was a problem hiding this comment.
How does the secretstore decide what Kubernetes namespace to use?
There was a problem hiding this comment.
By asking the users to provide resource property in the format of / if secret stores is a global scoped.
There was a problem hiding this comment.
I'm not sure if we're talking about the same thing. Let me try being more specific.
If I create an Applications.Core/secretStores resource today and I don't specify the kubernetes secret name + namespace, then it will use the namespace of the application (or environment).
For the global secret case, there's no application or environment, so there's no way to look up the namespace we're going to use.
There was a problem hiding this comment.
From reading more of the doc, it looks like you did try to address this feedback as part of the proposal. Let's talk about it 👍
Signed-off-by: Vishwanath Hiremath <[email protected]>
kachawla
reviewed
Jan 25, 2024
youngbupark
reviewed
Jan 25, 2024
| name: 'github' | ||
| properties:{ | ||
| - app: app.id | ||
| + resource: <namespace>/<secretName> |
There was a problem hiding this comment.
Alternatively, we might be able to use UCP style resource id instead of using <namespace>/<secretName>
e.g.
/planes/kubernetes/local/namespaces/<namespace>/providers/cores/Secrets/<secretName>"
There was a problem hiding this comment.
In the initial proposal of secretstore, we proposed using full resource id for Azure KeyVault in resource field when it refers to KeyVault Resource.
rynowak
reviewed
Jan 25, 2024
| ### Goals | ||
|
|
||
| - Enable support to extend the capabilities of secretStores to a global scope. | ||
|
|
There was a problem hiding this comment.
Something I am curious about is whether this type should move to UCP. Applications.Core defines it as a part of the Radius RP rather than part of UCP.
There was a problem hiding this comment.
If we have usecases for this type in other parts of UCP then it would be better to rename/move than it would be to have two different secret types.
rynowak
reviewed
Jan 25, 2024
| ## Alternatives considered | ||
|
|
||
| #### Adding default a namespace for global scoped secretstore resource. | ||
| Add a default namespace `global-secretStores` to store the global scoped secretStores. |
There was a problem hiding this comment.
Or we could use radius-system.
rynowak
reviewed
Jan 25, 2024
| name: 'github' | ||
| properties:{ | ||
| - app: app.id | ||
| + resource: <namespace>/<secretName> |
There was a problem hiding this comment.
Let's talk about the semantics of this field.
lakshmimsft
reviewed
Jan 25, 2024
| @doc("The properties of SecretStore") | ||
| model SecretStoreProperties { | ||
| - ...ApplicationScopedResource; | ||
| + ...GlobalScopedResource; |
There was a problem hiding this comment.
since this is new type, pls describe it in detail
Signed-off-by: Vishwanath Hiremath <[email protected]>
kachawla
reviewed
Feb 15, 2024
Signed-off-by: Vishwanath Hiremath <[email protected]>
kachawla
approved these changes
Feb 16, 2024
kachawla
reviewed
Feb 16, 2024
| - Enable support to extend the capabilities of secretStores to a global scope. | ||
|
|
||
| ### Non goals | ||
| - To move secret store resource as part of UCP. |
There was a problem hiding this comment.
@vishwahiremat Please log an issue to revisit this when you get a chance
kachawla
added a commit
to radius-project/radius
that referenced
this pull request
Feb 23, 2024
# Description - Adding changes to support global scope - Remove appliction as a requred property - Create namespace provided by user if not exists - Adding unit tests Design doc: radius-project/design-notes#38 ## Type of change <!-- Please select **one** of the following options that describes your change and delete the others. Clearly identifying the type of change you are making will help us review your PR faster, and is used in authoring release notes. If you are making a bug fix or functionality change to Radius and do not have an associated issue link please create one now. --> - This pull request adds or changes features of Radius and has an approved issue (issue link required). - This pull request is a minor refactor, code cleanup, test improvement, or other maintenance task and doesn't change the functionality of Radius (issue link optional). <!-- Please update the following to link the associated issue. This is required for some kinds of changes (see above). --> Fixes: #7030 --------- Signed-off-by: Vishwanath Hiremath <[email protected]> Signed-off-by: Karishma Chawla <[email protected]> Co-authored-by: Karishma Chawla <[email protected]>
willdavsmith
pushed a commit
to willdavsmith/radius
that referenced
this pull request
Feb 23, 2024
…t#7155) # Description - Adding changes to support global scope - Remove appliction as a requred property - Create namespace provided by user if not exists - Adding unit tests Design doc: radius-project/design-notes#38 ## Type of change <!-- Please select **one** of the following options that describes your change and delete the others. Clearly identifying the type of change you are making will help us review your PR faster, and is used in authoring release notes. If you are making a bug fix or functionality change to Radius and do not have an associated issue link please create one now. --> - This pull request adds or changes features of Radius and has an approved issue (issue link required). - This pull request is a minor refactor, code cleanup, test improvement, or other maintenance task and doesn't change the functionality of Radius (issue link optional). <!-- Please update the following to link the associated issue. This is required for some kinds of changes (see above). --> Fixes: radius-project#7030 --------- Signed-off-by: Vishwanath Hiremath <[email protected]> Signed-off-by: Karishma Chawla <[email protected]> Co-authored-by: Karishma Chawla <[email protected]> Signed-off-by: willdavsmith <[email protected]>
willdavsmith
pushed a commit
to willdavsmith/radius
that referenced
this pull request
Mar 4, 2024
…t#7155) # Description - Adding changes to support global scope - Remove appliction as a requred property - Create namespace provided by user if not exists - Adding unit tests Design doc: radius-project/design-notes#38 ## Type of change <!-- Please select **one** of the following options that describes your change and delete the others. Clearly identifying the type of change you are making will help us review your PR faster, and is used in authoring release notes. If you are making a bug fix or functionality change to Radius and do not have an associated issue link please create one now. --> - This pull request adds or changes features of Radius and has an approved issue (issue link required). - This pull request is a minor refactor, code cleanup, test improvement, or other maintenance task and doesn't change the functionality of Radius (issue link optional). <!-- Please update the following to link the associated issue. This is required for some kinds of changes (see above). --> Fixes: radius-project#7030 --------- Signed-off-by: Vishwanath Hiremath <[email protected]> Signed-off-by: Karishma Chawla <[email protected]> Co-authored-by: Karishma Chawla <[email protected]>
willdavsmith
pushed a commit
to willdavsmith/radius
that referenced
this pull request
Apr 8, 2024
…t#7155) # Description - Adding changes to support global scope - Remove appliction as a requred property - Create namespace provided by user if not exists - Adding unit tests Design doc: radius-project/design-notes#38 ## Type of change <!-- Please select **one** of the following options that describes your change and delete the others. Clearly identifying the type of change you are making will help us review your PR faster, and is used in authoring release notes. If you are making a bug fix or functionality change to Radius and do not have an associated issue link please create one now. --> - This pull request adds or changes features of Radius and has an approved issue (issue link required). - This pull request is a minor refactor, code cleanup, test improvement, or other maintenance task and doesn't change the functionality of Radius (issue link optional). <!-- Please update the following to link the associated issue. This is required for some kinds of changes (see above). --> Fixes: radius-project#7030 --------- Signed-off-by: Vishwanath Hiremath <[email protected]> Signed-off-by: Karishma Chawla <[email protected]> Co-authored-by: Karishma Chawla <[email protected]> Signed-off-by: willdavsmith <[email protected]>
Reshrahim
pushed a commit
to Reshrahim/design-notes
that referenced
this pull request
Sep 20, 2024
… global scope (radius-project#38) Doc: https://github.com/radius-project/design-notes/blob/70894efa5cfc2ba22d445da23e0d7325bc4c1883/recipe/2024-01-global-scope-secret-store.md --------- Signed-off-by: Vishwanath Hiremath <[email protected]> Signed-off-by: Reshma Abdul Rahim <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Doc: https://github.com/radius-project/design-notes/blob/70894efa5cfc2ba22d445da23e0d7325bc4c1883/recipe/2024-01-global-scope-secret-store.md