Adding a new flag to the deploy command and the related new functionality in order to support the collecting of secrets and sending them to the backend #252
Conversation
…lity in order to support the collecting of secrets and sending them to the backend LMCROSSITXSADEPLOY-2301
| Deploy a multi-target app archive referenced by a remote URL | ||
| <write MTA archive URL to STDOUT> | cf deploy [-e EXT_DESCRIPTOR[,...]] [-t TIMEOUT] [--version-rule VERSION_RULE] [-u MTA_CONTROLLER_URL] [--retries RETRIES] [--no-start] [--namespace NAMESPACE] [--apply-namespace-app-names true/false] [--apply-namespace-service-names true/false] [--apply-namespace-app-routes true/false] [--apply-namespace-as-suffix true/false ] [--delete-services] [--delete-service-keys] [--delete-service-brokers] [--keep-files] [--no-restart-subscribed-apps] [--do-not-fail-on-missing-permissions] [--abort-on-error] [--strategy STRATEGY] [--skip-testing-phase] [--skip-idle-start] [--apps-start-timeout TIMEOUT] [--apps-stage-timeout TIMEOUT] [--apps-upload-timeout TIMEOUT] [--apps-task-execution-timeout TIMEOUT]` + util.UploadEnvHelpText, | ||
| (EXPERIMENTAL) Deploy a multi-target app archive referenced by a remote URL |
There was a problem hiding this comment.
why experimental here?
|
|
||
| var jsonObject map[string]interface{} | ||
|
|
||
| err2 := json.Unmarshal([]byte(envValue), &jsonObject) |
There was a problem hiding this comment.
can you reuse err?
| if GetBoolOpt(requireSecureParameters, flags) { | ||
| // Collect special ENVs: __MTA___<name>, __MTA_JSON___<name>, __MTA_CERT___<name> | ||
| parameters, err := secure_parameters.CollectFromEnv("__MTA") |
There was a problem hiding this comment.
This check happens after the upload of the mtar. Could be optimized so the validation is earlier to avoid unnecessary upload in case of some failure
| return result, nil | ||
| } | ||
|
|
||
| func BuildSecureExtension(parameters map[string]ParameterValue, mtaID string, schemaVersion string) ([]byte, error) { |
There was a problem hiding this comment.
extract in a separate file
| if schemaVersion == "" { | ||
| schemaVersion = "3.3" | ||
| } |
There was a problem hiding this comment.
let's not hardcode versions in client
| switch currentParameterValue.Type { | ||
| case typeJSON: | ||
| parametersDescriptor[name] = currentParameterValue.ObjectContent | ||
| default: | ||
| parametersDescriptor[name] = currentParameterValue.StringContent | ||
| } |
There was a problem hiding this comment.
You can add a new method on ParameterValue and use it here (currentParameterValue.getValue())
| func CollectFromEnv(prefix string) (map[string]ParameterValue, error) { | ||
| plainValue := prefix + "___" | ||
| jsonValue := prefix + "_JSON___" | ||
| certificateValue := prefix + "_CERT___" //X509value beacuse the certiciates are of type X509 (should be renamed) |
There was a problem hiding this comment.
Improve or remove the comment description
| return nil | ||
| } | ||
|
|
||
| func CollectFromEnv(prefix string) (map[string]ParameterValue, error) { |
There was a problem hiding this comment.
This method is quite long, try to shorten it, split in functions
| ObjectContent map[string]interface{} | ||
| } | ||
|
|
||
| func nameDuplicated(name, prefix string, result map[string]ParameterValue) error { |
There was a problem hiding this comment.
rename to something including "validate"
| envName := nameValuePair[:equalsIndex] | ||
| envValue := nameValuePair[equalsIndex+1:] | ||
|
|
||
| var name string |
There was a problem hiding this comment.
do you need to define here?
| func (c *DeployCommand) doesUpsExist(userProvidedServiceName string) (bool, error) { | ||
| servicesOutput, err := c.cliConnection.CliCommandWithoutTerminalOutput("services") | ||
| if err != nil { | ||
| return false, fmt.Errorf("Error while checking if the UPS for secure encryption exists: %w", err) | ||
| } | ||
| stringTable := strings.Join(servicesOutput, "\n") | ||
| return findServiceName(stringTable, userProvidedServiceName), nil |
There was a problem hiding this comment.
Can we call the v3/services here instead a command?
| return true, encryptionKey, nil | ||
| } | ||
|
|
||
| func getRandomEncryptionKey() (string, error) { |
There was a problem hiding this comment.
is there some library that can do this for us?
|
|
||
| userProvidedServiceName := getUpsName(mtaId, namespace) | ||
|
|
||
| isUpsCreated, _, err := c.validateUpsExistsOrElseCreateIt(userProvidedServiceName, "v1") |
There was a problem hiding this comment.
what is the idea of:
"keyId": "v1"
| for i := range encryptionKeyBytes { | ||
| encryptionKeyBytes[i] = alphabet[int(encryptionKeyBytes[i]&63)] | ||
| } | ||
|
|
||
| return string(encryptionKeyBytes), nil |
There was a problem hiding this comment.
Does this really creates a proper 256 bits keys? Why not something like:
func generateAES256Key() ([]byte, error) {
key := make([]byte, 32) // 256 bits
_, err := rand.Read(key)
if err != nil {
return nil, err
}
return string([]byte(fmt.Sprintf("%x", key))), nil
}
Why is alphabet needed?
2 participants
LMCROSSITXSADEPLOY-2301