[Fleet] Update secret values (API only) #156806
@@ -234,6 +234,23 @@ export const validatePackagePolicyConfig = ( | |||
} | |||
} | |||
|
|||
if (varDef.secret === true && parsedValue && parsedValue.isSecretRef === true) { |
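Review bot: the new branch on the `if (varDef.secret === true && parsedValue && parsedValue.isSecretRef === true)` line bypasses the normal field validation whenever the client submits an object flagged `isSecretRef`; please confirm, and say in a comment on this line, that the reference id is still checked against the references the existing policy already holds, since otherwise any id could be attached to a policy simply by sending it in reference form.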
Validation updated here to accept a secret reference in place of a value, e.g. the mongo password is a password field, but once a policy is created we only have a secret reference, so we cannot validate the field in the normal way.
See the updated unit test above for an example
secretReferences: PolicySecretReference[]; | ||
secretsToDelete: PolicySecretReference[]; | ||
}> { | ||
const { oldPackagePolicy, packagePolicyUpdate, packageInfo, esClient } = opts; |
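Review bot: the return type lists both `secretReferences` and `secretsToDelete`, but nothing in the signature or the destructured `opts` says whether `secretsToDelete` has already been filtered for secrets still referenced by other policies; add a doc comment stating which side (this function or its caller) performs that `secret_references` lookup, because deleting a secret another policy still points at would break that policy.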
This function is the core of the update flow. We extract the secrets from the old policy and the new policy, giving us two arrays of secret values and their paths.
We then get the diff of these arrays; we need to know if there are updated secrets which need to be created (`toCreate`), secrets which are no longer used (`toDelete`) and unchanged secrets (`noChange`).
For example, I have a policy with a mongo password; the password is a secret reference with ID 1. We update the password to newValue.
We need `toCreate` a secret for newValue, `toDelete` the old secret with ID 1 (if it isn't used by any other policies), and `noChange` would be empty.
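The diff the comment above describes, written out as an added example (this is not Kibana's code; the type names, the `mongo.password` var path and the in-use check are assumptions):

```typescript
// Added example (not Kibana's code): a minimal model of the secret-diff step
// described above. Type names, var paths and helpers are assumptions.
interface SecretRef { isSecretRef: true; id: string }
type VarValue = string | SecretRef | undefined;
type PolicyVars = Record<string, VarValue>; // var path -> current value

interface SecretDiff {
  toCreate: { path: string; value: string }[]; // raw values needing a new secret doc
  toDelete: string[];                           // old secret ids this policy drops
  noChange: { path: string; id: string }[];    // references carried over untouched
}

function isSecretRef(v: VarValue): v is SecretRef {
  return typeof v === 'object' && v !== null && v.isSecretRef === true;
}

// Compare old and new values at every secret-typed var path.
function diffSecrets(oldVars: PolicyVars, newVars: PolicyVars, secretPaths: string[]): SecretDiff {
  const diff: SecretDiff = { toCreate: [], toDelete: [], noChange: [] };
  for (const path of secretPaths) {
    const oldVal = oldVars[path];
    const newVal = newVars[path];
    if (isSecretRef(newVal)) {
      // A reference may only be echoed back, not pointed at some other secret id
      // (defensive assumption: a client must not be able to adopt arbitrary ids).
      if (!isSecretRef(oldVal) || oldVal.id !== newVal.id) {
        throw new Error(`unknown secret reference at ${path}`);
      }
      diff.noChange.push({ path, id: newVal.id });
      continue;
    }
    if (typeof newVal === 'string' && newVal.length > 0) {
      // Reference replaced by a raw value: a new secret document must be created.
      diff.toCreate.push({ path, value: newVal });
    }
    // Replaced or removed either way: this policy no longer needs the old secret.
    if (isSecretRef(oldVal)) diff.toDelete.push(oldVal.id);
  }
  return diff;
}

// Drop from toDelete any id still listed in another policy's secret_references.
function pruneInUse(toDelete: string[], others: { secret_references: { id: string }[] }[]): string[] {
  const inUse = new Set<string>();
  for (const p of others) for (const r of p.secret_references) inUse.add(r.id);
  return toDelete.filter((id) => !inUse.has(id));
}
```

`pruneInUse` is the "simple lookup of the secret_references array on policies" from the summary; run it on `diff.toDelete` before deleting any secret document.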
Pinging @elastic/fleet (Team:Fleet)
); | ||
}); | ||
|
||
it('should have correctly deleted the secrets', async () => { |
Does this test depend on the result of the previous? It would be better to put the secrets verification in the same test case.
It does depend on the result of the previous, I think I chose to do this because the previous test already has loads of assertions, and this test requires an ES call and further assertions.
Looks good on a high level, added a few comments.
LGTM, haven't tested locally yet, can do that tomorrow.
💚 Build Succeeded
Summary
Part of #154731
Allow secrets to be updated via the API. When a secret value is updated, the secret reference is replaced with a "raw" value; we detect this on the API and create a new secret document.
Once a secret reference is updated, we clean up the old secret document if it is not in use by another policy. This check is a simple lookup of the secret_references array on policies.
API integration tests updated.