[WIP] Switch from secrets to rails credentials #253
Conversation
jrafanie
requested review from
agrare,
Fryguy,
ereztheodorou,
erantzabari,
llivne and
gregoryb-at-ibm
as code owners
|
@jrafanie yeah we need some way to have default credentials for vcrs but be able to override that in order to re-record the VCRs using real credentials. |
Default credentials feels like something that's separated from rails credentials. You could theoretically run There are problems with this though. You wouldn't be able to run the tests at all without first following those steps. I wonder if it makes more sense changing usage of In other words: Rails.application.credentials.dig(:autosde, :appliance_host) || "autosde-appliance-host" |
jrafanie
force-pushed
the
switch-from-secrets-to-credentials
branch
2 times, most recently
from
55d3ba3 to
733c49d
Compare
I'll just do it as additional commits... it's easier to talk about code once it's in front of you |
jrafanie
force-pushed
the
switch-from-secrets-to-credentials
branch
from
733c49d to
441d36b
Compare
spec/spec_helper.rb
Outdated
| } | ||
| (Rails.application.credentials.autosde_defaults || defaults).each do |key, value| | ||
| config.define_cassette_placeholder(key) do | ||
| Rails.application.credentials.dig(:autosde, key) || value |
There was a problem hiding this comment.
Note, I don't know exactly what it's doing here and realize we have the methods just below... but this needs to work in two scenarios:
- User or CI with no Rails credentials defined:
- no config/master.key, no config/credentials.yml.enc
- Or based on env, no config/credentals/test.key or config/credentials/test.yml.enc
- User or CI with rails credentials defined with the same format as seen here.
There was a problem hiding this comment.
In other words, if someone can run this with actual credentials to update cassettes, we can refactor it to minimize the duplication. I didn't want to change more than I had to.
There was a problem hiding this comment.
Since we won't have Rails.application.credentials.autosde_defaults I think we can simplify this to just defaults.each the rest looks right 👍 use a credentials value if it exists otherwise use the default value.
There was a problem hiding this comment.
I don't know exactly what it's doing here
This is what will replace the "real" secret values with the default values when writing out the vcr file.
There was a problem hiding this comment.
Ok, I'll push that change. Thanks for the information. It didn't look they you'd change the autosde_defeaults in secrets but wasn't sure if we'd change our settings in the future.
| @@ -4,10 +4,10 @@ | |||
| let(:ems) do | |||
| FactoryBot.create(:autosde_storage_manager, | |||
| :with_autosde_credentials, | |||
| :hostname => Rails.application.secrets.autosde[:appliance_host]) | |||
| :hostname => credentials_autosde_host) | |||
There was a problem hiding this comment.
I needed to change this and realized the test file's name was incorrect and was never run in CI or locally unless you specifically ran the path to the file.
| end | ||
|
|
||
| describe "#refresh - autosde gem v2" do | ||
| xcontext "#refresh - autosde gem v2 - TODO: Did this ever work? Committed with incorrect filename in 23db5ed" do |
There was a problem hiding this comment.
Disabled the whole test for now since it's not been run, see above.
jrafanie
force-pushed
the
switch-from-secrets-to-credentials
branch
from
441d36b to
539dc2b
Compare
Fryguy
changed the title
spec/spec_helper.rb
Outdated
| "appliance_host" => "autosde-appliance-host", | ||
| "site_manager_user" => "autosde", | ||
| "site_manager_password" => "change_me" |
There was a problem hiding this comment.
If you didn't want to "duplicate" the values you could always
| "appliance_host" => "autosde-appliance-host", | |
| "site_manager_user" => "autosde", | |
| "site_manager_password" => "change_me" | |
| "appliance_host" => credentials_autosde_host, | |
| "site_manager_user" => credentials_autosde_user, | |
| "site_manager_password" => credentials_autosde_password |
There was a problem hiding this comment.
Yeah, I guess I wanted to see what the usage was down below to better understand if i could eliminate it entirely and do it inline.
jrafanie
force-pushed
the
switch-from-secrets-to-credentials
branch
2 times, most recently
from
5285fed to
e3ea008
Compare
jrafanie
changed the title
|
Ok, removing WIP. I still need to record updated cassettes using this procedure but I think all of the concerns raised here have been addressed. |
|
@jrafanie and just to make sure I understand how the new credentials system works would we have to use |
rails credentials are for the rails application so I guess you'd have some .gitignore(d) credentials for each plugin and they'd reside in |
|
We also need to update the plugin generator. For some reason I'm not a fan of the defaults in the code as opposed to the YAML file, but in the end it doesn't make much difference, and I won't let that hold up a merge. In the end as long as @agrare is happy then I'm happy 😅 |
Yes, it's on the list. I wanted to get a concrete example done and then it's on to all the other places we use secrets. I'm going to try to find an environment I can try to rerecord cassettes at some point.
I don't like it either. One alternative is requiring CI/devs create their credentials for use with the test but that seems cumbersome. |
|
However I would like to have the "real" secrets gitignored ahead of time in core. |
On the way... |
We're switching to rails credentials to keep current with rails 7.1 and the future. Note, we're assuming we won't want to commit and share encrypted credentials. If we want to share them, such as for recording cassettes, the comments describe how to switch to only ignoring the plain text encryption key files. Followup to: ManageIQ#23254 Required for: ManageIQ/manageiq-providers-autosde#253
We're switching to rails credentials to keep current with rails 7.1 and the future. Note, we're assuming we won't want to commit and share encrypted credentials. If we want to share them, such as for recording cassettes, the comments describe how to switch to only ignoring the plain text encryption key files. Followup to: ManageIQ#23254 Required for: ManageIQ/manageiq-providers-autosde#253
jrafanie
force-pushed
the
switch-from-secrets-to-credentials
branch
from
e3ea008 to
a914a63
Compare
Here's what you have to do: 1) To run the tests, do nothing, we have defaults specified to match the cassettes. To record updated cassettes: 1) Apply the commit here to switch to credentials 2) Edit rails credentials in the rails application (manageiq) in the test environment: IMPORTANT: cd to manageiq and not the rails engine directory. It looks for the encryption key and encrypted credentials file relative to the rails application, not the engine. EDITOR=vi be rails credentials:edit --environment test Specify the real values in your editor(change the values below): autosde: appliance_host: autosde-appliance-host site_manager_user: autosde site_manager_password: change_me Save this. It should generate the following files in the rails app: * config/credentials/test.key (if not previously created) * an encrypted credentials file in config/credentials/test.yml.enc Both files should be .gitignored. You can now run record updated cassettes.
It's a common pattern in ruby to run *_test.rb for test/unit/minitest, *_spec.rb for rspec, etc.
The spec file was named incorrectly in 23db5ed as: spec/models/manageiq/providers/autosde/storage_manager/refresher_spec_v2.rb Spec files should match the glob pattern "*_spec.rb". We need to come back and make these tests work since the file has been renamed correctly. Before: ``` Finished in 7.6 seconds (files took 3.76 seconds to load) 35 examples, 0 failures ``` After: ``` Finished in 8.35 seconds (files took 4.11 seconds to load) 44 examples, 0 failures, 9 pending ```
jrafanie
force-pushed
the
switch-from-secrets-to-credentials
branch
from
a914a63 to
eedd571
Compare
Rails 7.1 removes access to modifying secrets as we should be moved over to rails credentials. Here we describe how to setup these rails crednetials for the purpose of recording VCR cassettes. See also: ManageIQ/manageiq-providers-autosde#253
jrafanie
changed the title
|
Leaving as wip until I can run through recording cassettes along with the updated guide: ManageIQ/guides#553 |
UPDATE: The code has been updated to use fallbacks of default values in tests so CI and users don't need to actually specify
Rails.application.credentialsunless they are recording new cassettes.TODO: Verify we can rerecord the cassettes using this PR.
Here's what you have to do:
To record updated cassettes:
IMPORTANT: cd to manageiq and not the rails engine directory. It looks for the encryption key and encrypted
credentials file relative to the rails application, not the engine.
EDITOR=vi be rails credentials:edit --environment test
Specify the real values in your editor(change the values below):
Save this. It should generate the following files in the rails app:
Both files should be .gitignored.
You can now run record updated cassettes.