Merge lp:~axwalk/juju-core/api-disable-secrets-pushing into lp:~go-bot/juju-core/trunk
- api-disable-secrets-pushing
- Merge into trunk
Status: | Merged |
---|---|
Approved by: | Andrew Wilkins |
Approved revision: | no longer in the source branch. |
Merged at revision: | 2126 |
Proposed branch: | lp:~axwalk/juju-core/api-disable-secrets-pushing |
Merge into: | lp:~go-bot/juju-core/trunk |
Diff against target: |
220 lines (+26/-66) 7 files modified
environs/cloudinit_test.go (+0/-1) environs/config.go (+6/-16) environs/config_test.go (+0/-1) juju/api.go (+0/-36) juju/apiconn_test.go (+2/-5) juju/conn_test.go (+18/-6) juju/export_test.go (+0/-1) |
To merge this branch: | bzr merge lp:~axwalk/juju-core/api-disable-secrets-pushing |
Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Juju Engineering | Pending | ||
Review via email: mp+197673@code.launchpad.net |
Commit message
Remove secrets-pushing for new bootstraps, API
- environs/
secret attributes from configuration. This is
on account of configuration not being populated
into cloud-init config now.
- juju/NewAPIConn now no longer pushes secrets,
as it is not necessary. This was not present in
1.16, so it is not a compatibility concern.
If we're okay with disabling new CLI from initialising
an old juju server, then we can also remove secrets
pushing from juju/NewConn. Doing this would allow us
to drop all notion of "secret attributes".
Description of the change
Remove secrets-pushing for new bootstraps, API
- environs/
secret attributes from configuration. This is
on account of configuration not being populated
into cloud-init config now.
- juju/NewAPIConn now no longer pushes secrets,
as it is not necessary. This was not present in
1.16, so it is not a compatibility concern.
If we're okay with disabling new CLI from initialising
an old juju server, then we can also remove secrets
pushing from juju/NewConn. Doing this would allow us
to drop all notion of "secret attributes".
Andrew Wilkins (axwalk) wrote : | # |
William Reade (fwereade) wrote : | # |
I think we should keep the secret-handling in Conn, until we actually
lose Conn itself -- I'm sure *someone* will make the first connection to
a new env with an old client, and I'd rather not break whoever that
turns out to be.
And I don't think we can drop the notion of secret attrs: (1) we're
still using them in the API server, although that can go any time we
like, but (2) more importantly, we'll need to restrict their display to
non-admin users in the very near future.
On to the review...
William Reade (fwereade) wrote : | # |
This is great, just a few notes. Rog, can you think of any disadvantage
to just pushing the CA private key now?
...or even generating the whole thing on the server side, and never even
putting the key on the user's machine?
https:/
File environs/
https:/
environs/
It concerns me a little that this is increasingly poorly-named, because
it's now about initializing juju not driving cloudinit. Can we just
rename environs/cloudinit and this file (and associated types...) now
please?
https:/
File environs/config.go (left):
https:/
environs/
root CA private key to the cloud.
FWIW, we rather do want to push the CA private key now, because we'll
need to generate new certs for new state servers soon. Maybe not
necessary to change it now.
https:/
File juju/api.go (left):
https:/
juju/api.go:98: }
\o/
https:/
File juju/conn_test.go (right):
https:/
juju/conn_
already.
I think we should still test that Conn still does the dance if it's
required.
Andrew Wilkins (axwalk) wrote : | # |
Please take a look.
https:/
File environs/
https:/
environs/
On 2013/12/04 14:13:09, fwereade wrote:
> It concerns me a little that this is increasingly poorly-named,
because it's now
> about initializing juju not driving cloudinit. Can we just rename
> environs/cloudinit and this file (and associated types...) now please?
Sure. environs/jujuinit?
Can I do this in a followup? There are quite a few files to touch.
https:/
File environs/config.go (left):
https:/
environs/
root CA private key to the cloud.
On 2013/12/04 14:13:09, fwereade wrote:
> FWIW, we rather do want to push the CA private key now, because we'll
need to
> generate new certs for new state servers soon. Maybe not necessary to
change it
> now.
Okay. Regarding your question about "generating the [ca private key] on
the server side": it wouldn't be *too* hard, but it will mean we'll need
to
- update jujud to be able to generate certs/keys, so we can initialise
mongo
- update agent config code to take the cert/key from a file (?)
- update worker/localstorage to generate a new key server-side also.
This would mean threading the CA cert/key through somehow.
Not overly difficult, but I think it warrants a CL to itself.
https:/
File juju/conn_test.go (right):
https:/
juju/conn_
already.
On 2013/12/04 14:13:09, fwereade wrote:
> I think we should still test that Conn still does the dance if it's
required.
Done. Adding the test in is slightly tricky, given that we always have
secrets now. I've gotten around this by modifying provider/dummy to
elide the standard secret if it's set to a special value, and add in
another (unknown attr) secret if it is present. It's a bit ugly - if you
have a better idea of how to do this, please let me know.
Roger Peppe (rogpeppe) wrote : | # |
Looks great. A few remarks below.
https:/
File environs/
https:/
environs/
On 2013/12/04 14:13:09, fwereade wrote:
> It concerns me a little that this is increasingly poorly-named,
because it's now
> about initializing juju not driving cloudinit. Can we just rename
> environs/cloudinit and this file (and associated types...) now please?
I'm not entirely sure. The principal function of this package is to
transform a MachineConfig structure into a cloudinit structure, which
seems quite cloudinit-specific to me and reasonably well focused.
What's changed about this package that leads to to think that it's
changed enough to warrant a rename?
BTW, I could easily see the MachineConfig type moving out of this
package FWIW.
If we *are* to rename this package, then perhaps environs/init might
work - after all it's all juju around here :-)
https:/
File environs/config.go (left):
https:/
environs/
root CA private key to the cloud.
On 2013/12/05 07:40:35, axw wrote:
> On 2013/12/04 14:13:09, fwereade wrote:
> > FWIW, we rather do want to push the CA private key now, because
we'll need to
> > generate new certs for new state servers soon. Maybe not necessary
to change
> it
> > now.
> Okay. Regarding your question about "generating the [ca private key]
on the
> server side": it wouldn't be *too* hard, but it will mean we'll need
to
> - update jujud to be able to generate certs/keys, so we can
initialise mongo
> - update agent config code to take the cert/key from a file (?)
> - update worker/localstorage to generate a new key server-side also.
This would
> mean threading the CA cert/key through somehow.
> Not overly difficult, but I think it warrants a CL to itself.
If we generate the root CA private key on the server side, otherwise how
do we verify that we're talking to the right server when we make our
initial connection? If we don't do key verification then ISTM that we're
vulnerable to a MitM attack even if the transport to the provider API is
secure (if it isn't then all bets are off, of course).
BTW even if we don't push the root CA private key, we can still push a
cert/key that can be used to sign new state server certs - we'd just
need to turn on the delegation flag.
https:/
File juju/conn_test.go (right):
https:/
juju/conn_
already.
On 2013/12/05 07:40:35, axw wrote:
> On 2013/12/04 14:13:09, fwereade wrote:
> > I think we should still test that Conn still does the dance if it's
required.
> Done. Adding the test in is slightly tricky, given that we always have
secrets
> now. I've gotten around this by modifying provider/dummy to elide the
sta...
Andrew Wilkins (axwalk) wrote : | # |
https:/
File juju/conn_test.go (right):
https:/
juju/conn_
already.
On 2013/12/05 13:20:21, rog wrote:
> On 2013/12/05 07:40:35, axw wrote:
> > On 2013/12/04 14:13:09, fwereade wrote:
> > > I think we should still test that Conn still does the dance if
it's
> required.
> >
> > Done. Adding the test in is slightly tricky, given that we always
have secrets
> > now. I've gotten around this by modifying provider/dummy to elide
the standard
> > secret if it's set to a special value, and add in another (unknown
attr)
> secret
> > if it is present. It's a bit ugly - if you have a better idea of how
to do
> this,
> > please let me know.
> Ah, now I understand the dummy thing. Wouldn't it be easier to make
the test
> specifically delete the secret from the config in state after
bootstrapping?
> Would we still need the ugly dummy logic then?
Sadly, it's not really easier. I would prefer to do that, but
SetEnvironConfig in state never removes any old settings, it only
updates. There's a bug about that somewhere, but it's not clear to me
whether this is required behaviour.
https:/
File environs/
https:/
environs/
On 2013/12/05 13:20:21, rog wrote:
> Was this broken before? I thought BootstrapConfig was supposed to
elide secrets.
It used to, but not anymore (that's the primary change).
The assertion here used to be that the config returned by
BootstrapConfig didn't have secrets; the assertion is now that it does.
Roger Peppe (rogpeppe) wrote : | # |
https:/
File juju/conn_test.go (right):
https:/
juju/conn_
already.
On 2013/12/05 15:05:25, axw wrote:
> On 2013/12/05 13:20:21, rog wrote:
> > On 2013/12/05 07:40:35, axw wrote:
> > > On 2013/12/04 14:13:09, fwereade wrote:
> > > > I think we should still test that Conn still does the dance if
it's
> > required.
> > >
> > > Done. Adding the test in is slightly tricky, given that we always
have
> secrets
> > > now. I've gotten around this by modifying provider/dummy to elide
the
> standard
> > > secret if it's set to a special value, and add in another (unknown
attr)
> > secret
> > > if it is present. It's a bit ugly - if you have a better idea of
how to do
> > this,
> > > please let me know.
> >
> > Ah, now I understand the dummy thing. Wouldn't it be easier to make
the test
> > specifically delete the secret from the config in state after
bootstrapping?
> > Would we still need the ugly dummy logic then?
> Sadly, it's not really easier. I would prefer to do that, but
SetEnvironConfig
> in state never removes any old settings, it only updates. There's a
bug about
> that somewhere, but it's not clear to me whether this is required
behaviour.
If that's the problem, rather than the ugly and non-obvious code in
dummy, why not write a little function on State specifically to delete
environment config attributes? We might only use the code in this test,
but at least its purpose would be straightforward and its structure not
predicated on some far removed test.
dummy is already too complex - adding warts like this won't help.
https:/
File environs/config.go (right):
https:/
environs/
config is not suitable
This comment is wrong now because we're not removing all secret
attributes.
Andrew Wilkins (axwalk) wrote : | # |
On 2013/12/05 15:35:09, rog wrote:
> https:/
> File juju/conn_test.go (right):
https:/
> juju/conn_
already.
> On 2013/12/05 15:05:25, axw wrote:
> > On 2013/12/05 13:20:21, rog wrote:
> > > On 2013/12/05 07:40:35, axw wrote:
> > > > On 2013/12/04 14:13:09, fwereade wrote:
> > > > > I think we should still test that Conn still does the dance if
it's
> > > required.
> > > >
> > > > Done. Adding the test in is slightly tricky, given that we
always have
> > secrets
> > > > now. I've gotten around this by modifying provider/dummy to
elide the
> > standard
> > > > secret if it's set to a special value, and add in another
(unknown attr)
> > > secret
> > > > if it is present. It's a bit ugly - if you have a better idea of
how to do
> > > this,
> > > > please let me know.
> > >
> > > Ah, now I understand the dummy thing. Wouldn't it be easier to
make the test
> > > specifically delete the secret from the config in state after
bootstrapping?
> > > Would we still need the ugly dummy logic then?
> >
> > Sadly, it's not really easier. I would prefer to do that, but
SetEnvironConfig
> > in state never removes any old settings, it only updates. There's a
bug about
> > that somewhere, but it's not clear to me whether this is required
behaviour.
> If that's the problem, rather than the ugly and non-obvious code in
dummy, why
> not write a little function on State specifically to delete
environment config
> attributes? We might only use the code in this test, but at least its
purpose
> would be straightforward and its structure not predicated on some far
removed
> test.
> dummy is already too complex - adding warts like this won't help.
Yeah, fair enough.
I'm going to look at fixing
https:/
this once that's done (or shown to take too much time).
> https:/
> File environs/config.go (right):
https:/
> environs/
config is
> not suitable
> This comment is wrong now because we're not removing all secret
attributes.
Well it doesn't say it takes away *all* the secrets ;)
I'll update the comment and repropose when I've fixed the other thing.
Andrew Wilkins (axwalk) wrote : | # |
Please take a look.
William Reade (fwereade) wrote : | # |
Essentially LGTM -- you can land this now, but let's come to a decision
re the CA cert private key and whether we push it during bootstrap, or
enable delegation; and land that followup sooner rather than later. Does
anyone feel strongly either way?
https:/
File environs/
https:/
environs/
On 2013/12/05 13:20:21, rog wrote:
> On 2013/12/04 14:13:09, fwereade wrote:
> > It concerns me a little that this is increasingly poorly-named,
because it's
> now
> > about initializing juju not driving cloudinit. Can we just rename
> > environs/cloudinit and this file (and associated types...) now
please?
> I'm not entirely sure. The principal function of this package is to
transform a
> MachineConfig structure into a cloudinit structure, which seems quite
> cloudinit-specific to me and reasonably well focused.
> What's changed about this package that leads to to think that it's
changed
> enough to warrant a rename?
> BTW, I could easily see the MachineConfig type moving out of this
package FWIW.
> If we *are* to rename this package, then perhaps environs/init might
work -
> after all it's all juju around here :-)
I think we've got our concepts a bit tangled around here. We're treating
cloudinit as the canonical representation and generating different forms
of initialization from one of those, rather than generating an
initialization type and rendering it into a cloudinit form. (That's why
I was grumpy about creating environs/cloudinit in the first place -- I
feared it'd entrench exactly this ill-factoring -- but I guess I didn't
express myself well.)
https:/
File environs/config.go (left):
https:/
environs/
root CA private key to the cloud.
On 2013/12/05 13:20:21, rog wrote:
> On 2013/12/05 07:40:35, axw wrote:
> > On 2013/12/04 14:13:09, fwereade wrote:
> > > FWIW, we rather do want to push the CA private key now, because
we'll need
> to
> > > generate new certs for new state servers soon. Maybe not necessary
to change
> > it
> > > now.
> >
> > Okay. Regarding your question about "generating the [ca private key]
on the
> > server side": it wouldn't be *too* hard, but it will mean we'll need
to
> > - update jujud to be able to generate certs/keys, so we can
initialise mongo
> > - update agent config code to take the cert/key from a file (?)
> > - update worker/localstorage to generate a new key server-side
also. This
> would
> > mean threading the CA cert/key through somehow.
> >
> > Not overly difficult, but I think it warrants a CL to itself.
> If we generate the root CA private key on the server side, otherwise
how do we
> verify that we're talking to the right server when we make our initial
> connection? If we don't do key verification then ISTM that we're
vulnerable to a
> MitM attack even if the transport to the provider API is secur...
Andrew Wilkins (axwalk) wrote : | # |
On 2013/12/09 10:33:10, fwereade wrote:
> Essentially LGTM -- you can land this now, but let's come to a
decision re the
> CA cert private key and whether we push it during bootstrap, or enable
> delegation; and land that followup sooner rather than later. Does
anyone feel
> strongly either way?
Just throwing an alternative out there (based on the "push during
bootstrap" option). It has come up on the mailing list that it would be
useful to operate over SSH, to better deal with restricted access
environments (i.e. so you don't need to use sshuttle.)
So, we could generate the cert/keys entirely server side, and never use
it for the CLI. The CLI could SSH to the machine with a forwarded port
(or multiplex over the stdio), and the API server could allow plaintext
communication to localhost. This way we get SSH proxying, with only SSH
keys stored outside the environment.
https:/
> File environs/
https:/
> environs/
> On 2013/12/05 13:20:21, rog wrote:
> > On 2013/12/04 14:13:09, fwereade wrote:
> > > It concerns me a little that this is increasingly poorly-named,
because it's
> > now
> > > about initializing juju not driving cloudinit. Can we just rename
> > > environs/cloudinit and this file (and associated types...) now
please?
> >
> > I'm not entirely sure. The principal function of this package is to
transform
> a
> > MachineConfig structure into a cloudinit structure, which seems
quite
> > cloudinit-specific to me and reasonably well focused.
> >
> > What's changed about this package that leads to to think that it's
changed
> > enough to warrant a rename?
> >
> > BTW, I could easily see the MachineConfig type moving out of this
package
> FWIW.
> >
> > If we *are* to rename this package, then perhaps environs/init might
work -
> > after all it's all juju around here :-)
> I think we've got our concepts a bit tangled around here. We're
treating
> cloudinit as the canonical representation and generating different
forms of
> initialization from one of those, rather than generating an
initialization type
> and rendering it into a cloudinit form. (That's why I was grumpy about
creating
> environs/cloudinit in the first place -- I feared it'd entrench
exactly this
> ill-factoring -- but I guess I didn't express myself well.)
Fair call. When I did the synchronous bootstrap work, I did start down
the road of creating a new canonical representation. It would've
essentially ended up as a clone of a subset of cloudinit.Config, though,
so it didn't seem worthwhile at the time. It may be worthwhile
revisiting.
> https:/
> File environs/config.go (left):
https:/
> environs/
root CA
> private key to the cloud.
> On 2013/12/05 13:20:21, rog wrote:
> > On 2013/12/05 07:40:35, axw wrote:
> > > On 2013/12/04 14:13:09, fwereade wrote:
> > > > FWIW, w...
John A Meinel (jameinel) wrote : | # |
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 2013-12-10 6:54, Andrew Wilkins wrote:
> On 2013/12/09 10:33:10, fwereade wrote:
>> Essentially LGTM -- you can land this now, but let's come to a
> decision re the
>> CA cert private key and whether we push it during bootstrap, or
>> enable delegation; and land that followup sooner rather than
>> later. Does
> anyone feel
>> strongly either way?
>
> Just throwing an alternative out there (based on the "push during
> bootstrap" option). It has come up on the mailing list that it
> would be useful to operate over SSH, to better deal with restricted
> access environments (i.e. so you don't need to use sshuttle.)
>
> So, we could generate the cert/keys entirely server side, and never
> use it for the CLI. The CLI could SSH to the machine with a
> forwarded port (or multiplex over the stdio), and the API server
> could allow plaintext communication to localhost. This way we get
> SSH proxying, with only SSH keys stored outside the environment.
>
Pyjuju did that, but it was *not* a good user experience.
'time ssh host' is much longer than TLS.Connect.
"openssl s_time $EC2INSTANCE:17070"
says that I can connect to my EC2 instance 45 times in 31s. (682ms per
connect)
time for i in `seq 10`; do ssh ubuntu@$EC2INSTANCE /bin/false; done
is 39.2s, or 3.92s per connect.
Roughly 5-6 times slower.
So yes, it would be possible, and it might be a mode that we want to
allow you to enable "ssh-tunneling-
But I don't think we want it to be the default mode because the
experience is pretty terrible.
John
=:->
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (Cygwin)
Comment: Using GnuPG with Thunderbird - http://
iEYEARECAAYFAlK
DcAAn1lt8YHLMbK
=eVxp
-----END PGP SIGNATURE-----
Andrew Wilkins (axwalk) wrote : | # |
On Thu, Dec 12, 2013 at 1:14 AM, John Arbash Meinel
<email address hidden>wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 2013-12-10 6:54, Andrew Wilkins wrote:
> > On 2013/12/09 10:33:10, fwereade wrote:
> >> Essentially LGTM -- you can land this now, but let's come to a
> > decision re the
> >> CA cert private key and whether we push it during bootstrap, or
> >> enable delegation; and land that followup sooner rather than
> >> later. Does
> > anyone feel
> >> strongly either way?
> >
> > Just throwing an alternative out there (based on the "push during
> > bootstrap" option). It has come up on the mailing list that it
> > would be useful to operate over SSH, to better deal with restricted
> > access environments (i.e. so you don't need to use sshuttle.)
> >
> > So, we could generate the cert/keys entirely server side, and never
> > use it for the CLI. The CLI could SSH to the machine with a
> > forwarded port (or multiplex over the stdio), and the API server
> > could allow plaintext communication to localhost. This way we get
> > SSH proxying, with only SSH keys stored outside the environment.
> >
>
> Pyjuju did that, but it was *not* a good user experience.
> 'time ssh host' is much longer than TLS.Connect.
>
> "openssl s_time $EC2INSTANCE:17070"
>
> says that I can connect to my EC2 instance 45 times in 31s. (682ms per
> connect)
>
> time for i in `seq 10`; do ssh ubuntu@$EC2INSTANCE /bin/false; done
> is 39.2s, or 3.92s per connect.
>
> Roughly 5-6 times slower.
>
> So yes, it would be possible, and it might be a mode that we want to
> allow you to enable "ssh-tunneling-
> But I don't think we want it to be the default mode because the
> experience is pretty terrible.
>
Yeah, I expected the time to connect would be an issue. I agree that it
probably should be off by default, if we do it at all. The problem can be
mitigated somewhat by having a long-running background process on the CLI
machine that holds an SSH "ControlMaster" socket open; the first connection
will still be slow of course.
John
> =:->
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.13 (Cygwin)
> Comment: Using GnuPG with Thunderbird - http://
>
> iEYEARECAAYFAlK
> DcAAn1lt8YHLMbK
> =eVxp
> -----END PGP SIGNATURE-----
>
Preview Diff
1 | === modified file 'environs/cloudinit_test.go' |
2 | --- environs/cloudinit_test.go 2013-12-03 06:04:43 +0000 |
3 | +++ environs/cloudinit_test.go 2013-12-06 09:49:29 +0000 |
4 | @@ -124,7 +124,6 @@ |
5 | |
6 | oldAttrs["ca-private-key"] = "" |
7 | oldAttrs["admin-secret"] = "" |
8 | - delete(oldAttrs, "secret") |
9 | c.Check(mcfg.Config.AllAttrs(), gc.DeepEquals, oldAttrs) |
10 | srvCertPEM := mcfg.StateServerCert |
11 | srvKeyPEM := mcfg.StateServerKey |
12 | |
13 | === modified file 'environs/config.go' |
14 | --- environs/config.go 2013-11-13 08:15:10 +0000 |
15 | +++ environs/config.go 2013-12-06 09:49:29 +0000 |
16 | @@ -198,27 +198,17 @@ |
17 | return environsFilepath, nil |
18 | } |
19 | |
20 | -// BootstrapConfig returns a copy of the supplied configuration with |
21 | -// secret attributes removed. If the resulting config is not suitable |
22 | -// for bootstrapping an environment, an error is returned. |
23 | +// BootstrapConfig returns a copy of the supplied configuration with the |
24 | +// admin-secret and ca-private-key attributes removed. If the resulting |
25 | +// config is not suitable for bootstrapping an environment, an error is |
26 | +// returned. |
27 | func BootstrapConfig(cfg *config.Config) (*config.Config, error) { |
28 | - p, err := Provider(cfg.Type()) |
29 | - if err != nil { |
30 | - return nil, err |
31 | - } |
32 | - secrets, err := p.SecretAttrs(cfg) |
33 | - if err != nil { |
34 | - return nil, err |
35 | - } |
36 | m := cfg.AllAttrs() |
37 | - for k := range secrets { |
38 | - delete(m, k) |
39 | - } |
40 | - |
41 | // We never want to push admin-secret or the root CA private key to the cloud. |
42 | delete(m, "admin-secret") |
43 | delete(m, "ca-private-key") |
44 | - if cfg, err = config.New(config.NoDefaults, m); err != nil { |
45 | + cfg, err := config.New(config.NoDefaults, m) |
46 | + if err != nil { |
47 | return nil, err |
48 | } |
49 | if _, ok := cfg.AgentVersion(); !ok { |
50 | |
51 | === modified file 'environs/config_test.go' |
52 | --- environs/config_test.go 2013-11-20 04:28:46 +0000 |
53 | +++ environs/config_test.go 2013-12-06 09:49:29 +0000 |
54 | @@ -296,7 +296,6 @@ |
55 | c.Assert(err, gc.IsNil) |
56 | |
57 | expect := cfg.AllAttrs() |
58 | - delete(expect, "secret") |
59 | expect["admin-secret"] = "" |
60 | expect["ca-private-key"] = "" |
61 | c.Assert(cfg1.AllAttrs(), gc.DeepEquals, expect) |
62 | |
63 | === modified file 'juju/api.go' |
64 | --- juju/api.go 2013-11-21 15:22:31 +0000 |
65 | +++ juju/api.go 2013-12-06 09:49:29 +0000 |
66 | @@ -13,7 +13,6 @@ |
67 | "launchpad.net/juju-core/environs/config" |
68 | "launchpad.net/juju-core/environs/configstore" |
69 | "launchpad.net/juju-core/errors" |
70 | - "launchpad.net/juju-core/rpc" |
71 | "launchpad.net/juju-core/state/api" |
72 | ) |
73 | |
74 | @@ -56,47 +55,12 @@ |
75 | if err != nil { |
76 | return nil, err |
77 | } |
78 | - // TODO(axw) remove this once we have synchronous bootstrap. |
79 | - if err := updateSecrets(environ, st); err != nil { |
80 | - apiClose(st) |
81 | - return nil, err |
82 | - } |
83 | return &APIConn{ |
84 | Environ: environ, |
85 | State: st, |
86 | }, nil |
87 | } |
88 | |
89 | -// updateSecrets pushes environment secrets to the API server. |
90 | -// NOTE: this is a temporary hack, and will disappear when we |
91 | -// have synchronous bootstrap. |
92 | -var updateSecrets = func(environ environs.Environ, st *api.State) error { |
93 | - secrets, err := environ.Provider().SecretAttrs(environ.Config()) |
94 | - if err != nil { |
95 | - return err |
96 | - } |
97 | - client := st.Client() |
98 | - cfg, err := client.EnvironmentGet() |
99 | - if rpc.IsNoSuchRequest(err) { |
100 | - // Ignore checking for secrets when using an older (1.16) API |
101 | - // server. This should be removed in 1.18. |
102 | - logger.Warningf("running in 1.16 compatibility mode; connection may fail if environment is just bootstrapped") |
103 | - return nil |
104 | - } |
105 | - if err != nil { |
106 | - return err |
107 | - } |
108 | - for k, v := range secrets { |
109 | - if _, exists := cfg[k]; exists { |
110 | - // Environment already has secrets. Won't send again. |
111 | - return nil |
112 | - } else { |
113 | - cfg[k] = v |
114 | - } |
115 | - } |
116 | - return client.EnvironmentSet(cfg) |
117 | -} |
118 | - |
119 | // Close terminates the connection to the environment and releases |
120 | // any associated resources. |
121 | func (c *APIConn) Close() error { |
122 | |
123 | === modified file 'juju/apiconn_test.go' |
124 | --- juju/apiconn_test.go 2013-11-07 06:48:00 +0000 |
125 | +++ juju/apiconn_test.go 2013-12-06 09:49:29 +0000 |
126 | @@ -65,8 +65,9 @@ |
127 | c.Assert(conn.Environ, gc.Equals, env) |
128 | c.Assert(conn.State, gc.NotNil) |
129 | |
130 | + // the secrets will not be updated, as they already exist |
131 | attrs, err := conn.State.Client().EnvironmentGet() |
132 | - c.Assert(attrs["secret"], gc.Equals, "fnord") |
133 | + c.Assert(attrs["secret"], gc.Equals, "pork") |
134 | |
135 | c.Assert(conn.Close(), gc.IsNil) |
136 | } |
137 | @@ -137,7 +138,6 @@ |
138 | return expectState, nil |
139 | } |
140 | defer testbase.PatchValue(juju.APIOpen, apiOpen).Restore() |
141 | - defer testbase.PatchValue(juju.UpdateSecrets, updateSecretsNoop).Restore() |
142 | st, err := juju.NewAPIFromName("noconfig", store) |
143 | c.Assert(err, gc.IsNil) |
144 | c.Assert(st, gc.Equals, expectState) |
145 | @@ -186,7 +186,6 @@ |
146 | return nil, expectErr |
147 | } |
148 | defer testbase.PatchValue(juju.APIOpen, apiOpen).Restore() |
149 | - defer testbase.PatchValue(juju.UpdateSecrets, updateSecretsNoop).Restore() |
150 | st, err := juju.NewAPIFromName("noconfig", store) |
151 | c.Assert(err, gc.Equals, expectErr) |
152 | c.Assert(st, gc.IsNil) |
153 | @@ -213,7 +212,6 @@ |
154 | return cfgOpenedState, nil |
155 | } |
156 | defer testbase.PatchValue(juju.APIOpen, apiOpen).Restore() |
157 | - defer testbase.PatchValue(juju.UpdateSecrets, updateSecretsNoop).Restore() |
158 | |
159 | stateClosed, restoreAPIClose := setAPIClosed() |
160 | defer restoreAPIClose.Restore() |
161 | @@ -278,7 +276,6 @@ |
162 | return cfgOpenedState, nil |
163 | } |
164 | defer testbase.PatchValue(juju.APIOpen, apiOpen).Restore() |
165 | - defer testbase.PatchValue(juju.UpdateSecrets, updateSecretsNoop).Restore() |
166 | |
167 | stateClosed, restoreAPIClose := setAPIClosed() |
168 | defer restoreAPIClose.Restore() |
169 | |
170 | === modified file 'juju/conn_test.go' |
171 | --- juju/conn_test.go 2013-11-19 17:25:24 +0000 |
172 | +++ juju/conn_test.go 2013-12-06 09:49:29 +0000 |
173 | @@ -134,19 +134,31 @@ |
174 | st, err := state.Open(info, state.DefaultDialOpts()) |
175 | c.Assert(err, gc.IsNil) |
176 | |
177 | - // Verify we have no secret in the environ config |
178 | - cfg, err = st.EnvironConfig() |
179 | - c.Assert(err, gc.IsNil) |
180 | - c.Assert(cfg.UnknownAttrs()["secret"], gc.IsNil) |
181 | + // Verify we have secrets in the environ config already. |
182 | + statecfg, err := st.EnvironConfig() |
183 | + c.Assert(err, gc.IsNil) |
184 | + c.Assert(statecfg.UnknownAttrs()["secret"], gc.Equals, "pork") |
185 | + |
186 | + // Remove the secret from state, and then make sure it gets |
187 | + // pushed back again. |
188 | + attrs = statecfg.AllAttrs() |
189 | + delete(attrs, "secret") |
190 | + newcfg, err := config.New(config.NoDefaults, attrs) |
191 | + c.Assert(err, gc.IsNil) |
192 | + err = st.SetEnvironConfig(newcfg, statecfg) |
193 | + c.Assert(err, gc.IsNil) |
194 | + statecfg, err = st.EnvironConfig() |
195 | + c.Assert(err, gc.IsNil) |
196 | + c.Assert(statecfg.UnknownAttrs()["secret"], gc.IsNil) |
197 | |
198 | // Make a new Conn, which will push the secrets. |
199 | conn, err := juju.NewConn(env) |
200 | c.Assert(err, gc.IsNil) |
201 | defer conn.Close() |
202 | |
203 | - cfg, err = conn.State.EnvironConfig() |
204 | + statecfg, err = conn.State.EnvironConfig() |
205 | c.Assert(err, gc.IsNil) |
206 | - c.Assert(cfg.UnknownAttrs()["secret"], gc.Equals, "pork") |
207 | + c.Assert(statecfg.UnknownAttrs()["secret"], gc.Equals, "pork") |
208 | |
209 | // Reset the admin password so the state db can be reused. |
210 | err = conn.State.SetAdminMongoPassword("") |
211 | |
212 | === modified file 'juju/export_test.go' |
213 | --- juju/export_test.go 2013-11-07 06:48:00 +0000 |
214 | +++ juju/export_test.go 2013-12-06 09:49:29 +0000 |
215 | @@ -5,5 +5,4 @@ |
216 | APIClose = &apiClose |
217 | ProviderConnectDelay = &providerConnectDelay |
218 | NewAPIFromName = newAPIFromName |
219 | - UpdateSecrets = &updateSecrets |
220 | ) |
Reviewers: mp+197673_ code.launchpad. net,
Message:
Please take a look.
Description:
Remove secrets-pushing for new bootstraps, API
- environs/ BootstrapConfig now no longer removes
secret attributes from configuration. This is
on account of configuration not being populated
into cloud-init config now.
- juju/NewAPIConn now no longer pushes secrets,
as it is not necessary. This was not present in
1.16, so it is not a compatibility concern.
If we're okay with disabling new CLI from initialising
an old juju server, then we can also remove secrets
pushing from juju/NewConn. Doing this would allow us
to drop all notion of "secret attributes".
https:/ /code.launchpad .net/~axwalk/ juju-core/ api-disable- secrets- pushing/ +merge/ 197673
(do not edit description out of merge proposal)
Please review this at https:/ /codereview. appspot. com/37090043/
Affected files (+7, -71 lines): cloudinit_ test.go config_ test.go test.go
A [revision details]
M environs/
M environs/config.go
M environs/
M juju/api.go
M juju/apiconn_
M juju/conn_test.go
M juju/export_test.go
Index: [revision details] 20131203182636- on3s53irtmfaw1d i
=== added file '[revision details]'
--- [revision details] 2012-01-01 00:00:00 +0000
+++ [revision details] 2012-01-01 00:00:00 +0000
@@ -0,0 +1,2 @@
+Old revision: tarmac-
+New revision: <email address hidden>
Index: environs/ cloudinit_ test.go cloudinit_ test.go' cloudinit_ test.go 2013-12-03 06:04:43 +0000 cloudinit_ test.go 2013-12-04 10:18:57 +0000
=== modified file 'environs/
--- environs/
+++ environs/
@@ -124,7 +124,6 @@
oldAttrs[ "ca-private- key"] = "" "admin- secret" ] = "" mcfg.Config. AllAttrs( ), gc.DeepEquals, oldAttrs) rCert
oldAttrs[
- delete(oldAttrs, "secret")
c.Check(
srvCertPEM := mcfg.StateServe
srvKeyPEM := mcfg.StateServerKey
Index: environs/config.go config. go' cfg.Type( )) New(config. NoDefaults, m); err != nil { New(config. NoDefaults, m)
=== modified file 'environs/
--- environs/config.go 2013-11-13 08:15:10 +0000
+++ environs/config.go 2013-12-04 10:18:57 +0000
@@ -202,23 +202,12 @@
// secret attributes removed. If the resulting config is not suitable
// for bootstrapping an environment, an error is returned.
func BootstrapConfig(cfg *config.Config) (*config.Config, error) {
- p, err := Provider(
- if err != nil {
- return nil, err
- }
- secrets, err := p.SecretAttrs(cfg)
- if err != nil {
- return nil, err
- }
m := cfg.AllAttrs()
- for k := range secrets {
- delete(m, k)
- }
-
// We never want to push admin-secret or the root CA private key to the
cloud.
delete(m, "admin-secret")
delete(m, "ca-private-key")
- if cfg, err = config.
+ cfg, err := config.
+ if err != nil {
return nil, err
}
if _, ok := cfg.AgentVersion(); !ok {
Index: environs/ config_ test.go config_ test.go' config_ test.go 2013-11-20 04:28:46 +0000 config_ test.go 2013-12-04 10:18:57 +0000
=== modified file 'environs/
--- environs/
+++ environs/
@@ -296,7 +296,6 @@
c.Assert(err, gc.IsNil)
expect := cfg.AllAttrs() "admin- secret" ] = "" "ca-private- key"] = "" cfg1.AllAttrs( ), gc.DeepEquals,...
- delete(expect, "secret")
expect[
expect[
c.Assert(