CSS-4936 Postgres as secret backend #1011
@@ -21,7 +21,20 @@ | |
"public-key": "izcYsQy3TePp6bLjqOo3IRPFvkQd2IKtyODGqC6SdFk=", | ||
"private-key": "ly/dzsI9Nt/4JxUILQeAX79qZ4mygDiuYGqc2ZEiDEc=", | ||
"vault-access-address": "10.0.1.123", | ||
"audit-log-retention-period-in-days": "10", | ||
} | ||
|
||
EXPECTED_ENV = { | ||
"CANDID_URL": "test-candid-url", | ||
"JIMM_DASHBOARD_LOCATION": "https://jaas.ai/models", | ||
"JIMM_DNS_NAME": "juju-jimm-k8s-0.juju-jimm-k8s-endpoints.None.svc.cluster.local", | ||
"JIMM_ENABLE_JWKS_ROTATOR": "1", | ||
"JIMM_LISTEN_ADDR": ":8080", | ||
"JIMM_LOG_LEVEL": "info", | ||
"JIMM_UUID": "1234567890", | ||
"JIMM_WATCH_CONTROLLERS": "1", | ||
"PRIVATE_KEY": "ly/dzsI9Nt/4JxUILQeAX79qZ4mygDiuYGqc2ZEiDEc=", | ||
"PUBLIC_KEY": "izcYsQy3TePp6bLjqOo3IRPFvkQd2IKtyODGqC6SdFk=", | ||
"JIMM_AUDIT_LOG_RETENTION_PERIOD_IN_DAYS": "0", | ||
} | ||
|
||
|
||
|
@@ -71,19 +84,7 @@ def test_on_pebble_ready(self): | |
"startup": "disabled", | ||
"override": "replace", | ||
"command": "/root/jimmsrv", | ||
"environment": { | ||
"CANDID_URL": "test-candid-url", | ||
"JIMM_DASHBOARD_LOCATION": "https://jaas.ai/models", | ||
"JIMM_DNS_NAME": "juju-jimm-k8s-0.juju-jimm-k8s-endpoints.None.svc.cluster.local", | ||
"JIMM_ENABLE_JWKS_ROTATOR": "1", | ||
"JIMM_LISTEN_ADDR": ":8080", | ||
"JIMM_LOG_LEVEL": "info", | ||
"JIMM_UUID": "1234567890", | ||
"JIMM_WATCH_CONTROLLERS": "1", | ||
"JIMM_AUDIT_LOG_RETENTION_PERIOD_IN_DAYS": "10", | ||
"PRIVATE_KEY": "ly/dzsI9Nt/4JxUILQeAX79qZ4mygDiuYGqc2ZEiDEc=", | ||
"PUBLIC_KEY": "izcYsQy3TePp6bLjqOo3IRPFvkQd2IKtyODGqC6SdFk=", | ||
}, | ||
"environment": EXPECTED_ENV, | ||
} | ||
} | ||
}, | ||
|
@@ -110,19 +111,37 @@ def test_on_config_changed(self): | |
"startup": "disabled", | ||
"override": "replace", | ||
"command": "/root/jimmsrv", | ||
"environment": { | ||
"CANDID_URL": "test-candid-url", | ||
"JIMM_DASHBOARD_LOCATION": "https://jaas.ai/models", | ||
"JIMM_DNS_NAME": "juju-jimm-k8s-0.juju-jimm-k8s-endpoints.None.svc.cluster.local", | ||
"JIMM_ENABLE_JWKS_ROTATOR": "1", | ||
"JIMM_LISTEN_ADDR": ":8080", | ||
"JIMM_LOG_LEVEL": "info", | ||
"JIMM_UUID": "1234567890", | ||
"JIMM_WATCH_CONTROLLERS": "1", | ||
"JIMM_AUDIT_LOG_RETENTION_PERIOD_IN_DAYS": "10", | ||
"PRIVATE_KEY": "ly/dzsI9Nt/4JxUILQeAX79qZ4mygDiuYGqc2ZEiDEc=", | ||
"PUBLIC_KEY": "izcYsQy3TePp6bLjqOo3IRPFvkQd2IKtyODGqC6SdFk=", | ||
}, | ||
"environment": EXPECTED_ENV, | ||
} | ||
} | ||
}, | ||
) | ||
|
||
def test_postgres_secret_storage_config(self): | ||
container = self.harness.model.unit.get_container("jimm") | ||
self.harness.charm.on.jimm_pebble_ready.emit(container) | ||
|
||
self.harness.update_config(MINIMAL_CONFIG) | ||
self.harness.update_config({"postgres-secret-storage": True}) | ||
self.harness.set_leader(True) | ||
|
||
# Emit the pebble-ready event for jimm | ||
self.harness.charm.on.jimm_pebble_ready.emit(container) | ||
|
||
# Check the that the plan was updated | ||
plan = self.harness.get_container_pebble_plan("jimm") | ||
expected_env = EXPECTED_ENV.copy() | ||
expected_env.update({"INSECURE_SECRET_STORAGE": "enabled"}) | ||
self.assertEqual( | ||
plan.to_dict(), | ||
{ | ||
"services": { | ||
"jimm": { | ||
"summary": "JAAS Intelligent Model Manager", | ||
"startup": "disabled", | ||
"override": "replace", | ||
"command": "/root/jimmsrv", | ||
"environment": expected_env, | ||
} | ||
} | ||
}, | ||
|
@@ -146,7 +165,8 @@ def test_bakery_configuration(self): | |
|
||
# Emit the pebble-ready event for jimm | ||
self.harness.charm.on.jimm_pebble_ready.emit(container) | ||
|
||
expected_env = EXPECTED_ENV.copy() | ||
expected_env.update({"BAKERY_AGENT_FILE": "/root/config/agent.json"}) | ||
# Check the that the plan was updated | ||
plan = self.harness.get_container_pebble_plan("jimm") | ||
self.assertEqual( | ||
|
@@ -158,20 +178,7 @@ def test_bakery_configuration(self): | |
"startup": "disabled", | ||
"override": "replace", | ||
"command": "/root/jimmsrv", | ||
"environment": { | ||
"BAKERY_AGENT_FILE": "/root/config/agent.json", | ||
"CANDID_URL": "test-candid-url", | ||
"JIMM_DASHBOARD_LOCATION": "https://jaas.ai/models", | ||
"JIMM_AUDIT_LOG_RETENTION_PERIOD_IN_DAYS": "0", | ||
"JIMM_DNS_NAME": "juju-jimm-k8s-0.juju-jimm-k8s-endpoints.None.svc.cluster.local", | ||
"JIMM_ENABLE_JWKS_ROTATOR": "1", | ||
"JIMM_LISTEN_ADDR": ":8080", | ||
"JIMM_LOG_LEVEL": "info", | ||
"JIMM_UUID": "1234567890", | ||
"JIMM_WATCH_CONTROLLERS": "1", | ||
"PRIVATE_KEY": "ly/dzsI9Nt/4JxUILQeAX79qZ4mygDiuYGqc2ZEiDEc=", | ||
"PUBLIC_KEY": "izcYsQy3TePp6bLjqOo3IRPFvkQd2IKtyODGqC6SdFk=", | ||
}, | ||
"environment": expected_env, | ||
} | ||
} | ||
}, | ||
|
@@ -189,6 +196,34 @@ def test_bakery_configuration(self): | |
}, | ||
) | ||
|
||
def test_audit_log_retention_config(self): | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Added this test as I noticed nothing was testing it. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Ahhh ty |
||
container = self.harness.model.unit.get_container("jimm") | ||
self.harness.charm.on.jimm_pebble_ready.emit(container) | ||
|
||
self.harness.update_config(MINIMAL_CONFIG) | ||
self.harness.update_config({"audit-log-retention-period-in-days": "10"}) | ||
|
||
# Emit the pebble-ready event for jimm | ||
self.harness.charm.on.jimm_pebble_ready.emit(container) | ||
expected_env = EXPECTED_ENV.copy() | ||
expected_env.update({"JIMM_AUDIT_LOG_RETENTION_PERIOD_IN_DAYS": "10"}) | ||
# Check the that the plan was updated | ||
plan = self.harness.get_container_pebble_plan("jimm") | ||
self.assertEqual( | ||
plan.to_dict(), | ||
{ | ||
"services": { | ||
"jimm": { | ||
"summary": "JAAS Intelligent Model Manager", | ||
"startup": "disabled", | ||
"override": "replace", | ||
"command": "/root/jimmsrv", | ||
"environment": expected_env, | ||
} | ||
} | ||
}, | ||
) | ||
|
||
def test_dashboard_relation_joined(self): | ||
harness = Harness(JimmOperatorCharm) | ||
self.addCleanup(harness.cleanup) | ||
|
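Review bot: `test_postgres_secret_storage_config` and `test_audit_log_retention_config` each emit `jimm_pebble_ready` once before `update_config` and again after it, and nothing says what the first emit is for; if it only establishes the initial plan, a comment such as `# Initial pebble-ready so a plan exists before the config is applied` would help, otherwise it can probably be dropped. The `expected_env = EXPECTED_ENV.copy()` / `expected_env.update({...})` pair repeated in `test_postgres_secret_storage_config`, `test_bakery_configuration` and `test_audit_log_retention_config` reads more directly as one line, `expected_env = {**EXPECTED_ENV, "INSECURE_SECRET_STORAGE": "enabled"}`. Because `INSECURE_SECRET_STORAGE` moves secret storage away from Vault, the new test is worth a comment noting that the default-off case is covered by `test_on_pebble_ready`, which asserts exactly `EXPECTED_ENV` and therefore the absence of that key. The `# Check the that the plan was updated` comment copied into both new tests carries a stray `the`.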
|
@@ -43,10 +43,13 @@ services: | |
# Not needed for local test (yet). | ||
# BAKERY_AGENT_FILE: "" | ||
JIMM_ADMINS: "[email protected]" | ||
# Note: You can comment out the Vault ENV vars below and instead use INSECURE_SECRET_STORAGE to place secrets in Postgres. | ||
VAULT_ADDR: "http://vault:8200" | ||
VAULT_PATH: "/jimm-kv/" | ||
VAULT_SECRET_FILE: "/vault/approle.json" | ||
VAULT_AUTH_PATH: "/auth/approle/login" | ||
# Note: By default we should use Vault as that is the primary means of secret storage. | ||
# INSECURE_SECRET_STORAGE: "enabled" | ||
|
||
# JIMM_DASHBOARD_LOCATION: "" | ||
JIMM_DNS_NAME: "jimm.localhost" | ||
JIMM_WATCH_CONTROLLERS: "" | ||
|
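Review bot: The comment above the commented-out `INSECURE_SECRET_STORAGE` line says Vault is the default but not what the alternative trades away, and the explanation is split into two `Note:` comments on either side of the Vault block. Merging them into one comment above `VAULT_ADDR` makes the choice explicit for someone editing the compose file, e.g. `# Secrets are kept in Vault by default. For local testing only, the VAULT_* vars below can be commented out and INSECURE_SECRET_STORAGE enabled, which stores secrets in Postgres instead.` The `Note:` prefixes add nothing once the text is in one place.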
|
@@ -70,7 +70,7 @@ func (d *Database) Migrate(ctx context.Context, force bool) error { | |
} | ||
|
||
for { | ||
v := dbmodel.Version{Component: dbmodel.Component} | ||
v := dbmodel.Version{Component: dbmodel.Component, Major: 1, Minor: 0} | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. So to quickly discuss the changes to the migrations, when I added a migration it didn't take effect because the code didn't quite work right. Essentially the problem boiled down to the fact that our first migration was 0_0 and the default value for the struct/DB was also 0 so we had no way of knowing if a migration had taken place after the initial one was done. So the simplest solution is to start our migrations from 1. That is why you will notice our migrations now start at 1_1. This change is best left to feature-rebac since we haven't deployed it (for our staging deploy I can manually tweak things in the DB) and the schema is different to There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Sounds good to me, but I'm not sure how we were able to migrate up to this point? Perhaps discuss this in standup later / explain it as I don't think I fully understand. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. The first migration worked, but the second wouldn't. At the end of the first migration there was a line |
||
if err := db.FirstOrCreate(&v).Error; err != nil { | ||
return errors.E(op, dbError(err)) | ||
} | ||
|
@@ -80,10 +80,11 @@ func (d *Database) Migrate(ctx context.Context, force bool) error { | |
atomic.StoreUint32(&d.migrated, 1) | ||
return nil | ||
} | ||
if v.Major != dbmodel.Major && !force && v.Major != 0 { | ||
if v.Major != dbmodel.Major && !force { | ||
return errors.E(op, errors.CodeServerConfiguration, fmt.Sprintf("database has incompatible version %d.%d", v.Major, v.Minor)) | ||
} | ||
// The major versions are unchanged, the database can be migrated. | ||
v.Minor += 1 | ||
schema, err := dbmodel.SQL.ReadFile(path.Join("sql", db.Name(), fmt.Sprintf("%d_%d.sql", v.Major, v.Minor))) | ||
if err != nil { | ||
return errors.E(op, err) | ||
|
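Review bot: The reason for seeding `v` with `Major: 1, Minor: 0` — that, per the review thread, a 0.0 row cannot be told apart from an uninitialised `Version` so a 0_0 migration could never be seen as applied — lives only in the discussion; a comment on that line would keep it with the code, e.g. `// Start at 1.0: a 0.0 row is indistinguishable from the zero value, so the first migration would be re-detected as pending.` The second hunk drops the `v.Major != 0` exemption, so a database still carrying a 0.x version row now fails with the incompatible-version error unless `force` is set; if that is the intended upgrade path for the pre-rebase schema, saying so in a comment next to the check would spare operators a guess. `Migrate` starts and ends outside the hunk.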
@@ -0,0 +1,10 @@ | ||
// Copyright 2023 Canonical Ltd. | ||
|
||
package db | ||
|
||
var ( | ||
JwksKind = jwksKind | ||
JwksPublicKeyTag = jwksPublicKeyTag | ||
JwksPrivateKeyTag = jwksPrivateKeyTag | ||
JwksExpiryTag = jwksExpiryTag | ||
) |
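Review bot: The four exported aliases have no doc comment, so a reader cannot tell why `jwksKind` and the three tag names are re-exported; if this is an `export_test.go`-style shim for the package's own tests, say so above the `var` block, e.g. `// Test-only re-exports of the unexported JWKS secret identifiers.` If the file is instead compiled into the package proper, it widens the public API purely for tests, and moving it to a `_test.go` file would be the narrower choice.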
Drive-by fix for less duplication in the k8s charm tests.