New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow rotating the password non-interactively #11094
Conversation
Signed-off-by: Nicklas Frahm <nilfr@vestas.com>
PR is now waiting for a maintainer to take action. Note for the maintainer: Commands available:
|
Changelog[uncommitted] (2022-10-21)Features
|
/run-acceptance-tests |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM! One small change requested, otherwise I'm good with it! :)
Also, I just want to say thanks, @nicklasfrahm. I appreciate you taking the time to fix this issue (especially so quickly after it was just opened)! 🎉 |
PR is now waiting for a maintainer to take action. Note for the maintainer: Commands available:
|
@RobbieMcKinstry Could you give this another look? |
bors merge |
11094: Allow rotating the password non-interactively r=Frassle a=nicklasfrahm Signed-off-by: Nicklas Frahm <nilfr@vestas.com> <!--- Thanks so much for your contribution! If this is your first time contributing, please ensure that you have read the [CONTRIBUTING](https://github.com/pulumi/pulumi/blob/master/CONTRIBUTING.md) documentation. --> # Description Fixes #11083. Also fixes some deprecation warnings within the `passphrase` package. ## Checklist <!--- Please provide details if the checkbox below is to be left unchecked. --> - [x] I have tested this locally using: ```bash export PULUMI_CONFIG_PASSPHRASE=test pulumi stack init -s test echo "hello" | pulumi stack change-secrets-provider passphrase export PULUMI_CONFIG_PASSPHRASE=hello echo "test" | pulumi stack change-secrets-provider passphrase ``` <!--- User-facing changes require a CHANGELOG entry. --> - [x] I have run `make changelog` and committed the `changelog/pending/<file>` documenting my change <!-- If the change(s) in this PR is a modification of an existing call to the Pulumi Service, then the service should honor older versions of the CLI where this change would not exist. You must then bump the API version in /pkg/backend/httpstate/client/api.go, as well as add it to the service. --> - [ ] Yes, there are changes in this PR that warrants bumping the Pulumi Service API version <!-- `@Pulumi` employees: If yes, you must submit corresponding changes in the service repo. --> Co-authored-by: Nicklas Frahm <nilfr@vestas.com>
Build failed: |
bors retry |
11094: Allow rotating the password non-interactively r=Frassle a=nicklasfrahm Signed-off-by: Nicklas Frahm <nilfr@vestas.com> <!--- Thanks so much for your contribution! If this is your first time contributing, please ensure that you have read the [CONTRIBUTING](https://github.com/pulumi/pulumi/blob/master/CONTRIBUTING.md) documentation. --> # Description Fixes #11083. Also fixes some deprecation warnings within the `passphrase` package. ## Checklist <!--- Please provide details if the checkbox below is to be left unchecked. --> - [x] I have tested this locally using: ```bash export PULUMI_CONFIG_PASSPHRASE=test pulumi stack init -s test echo "hello" | pulumi stack change-secrets-provider passphrase export PULUMI_CONFIG_PASSPHRASE=hello echo "test" | pulumi stack change-secrets-provider passphrase ``` <!--- User-facing changes require a CHANGELOG entry. --> - [x] I have run `make changelog` and committed the `changelog/pending/<file>` documenting my change <!-- If the change(s) in this PR is a modification of an existing call to the Pulumi Service, then the service should honor older versions of the CLI where this change would not exist. You must then bump the API version in /pkg/backend/httpstate/client/api.go, as well as add it to the service. --> - [ ] Yes, there are changes in this PR that warrants bumping the Pulumi Service API version <!-- `@Pulumi` employees: If yes, you must submit corresponding changes in the service repo. --> Co-authored-by: Nicklas Frahm <nilfr@vestas.com>
Build failed: |
bors retry |
Build succeeded: |
I don't think this solution is good enough. First run:
No problem, stack created Second run:
No problem, secret newly created Third run:
passphrase had been set to the empty string. The rotation must be more explicit. I suggest: Introducing |
What if we failed it, if the passphrase is empty? I also feel like it would be nice to do some of this via flags rather than ENV vars. What do you think? Something like, |
I'd really like to disallow empty passphrase in general but last time we did that users complained that it broke their workflows, very https://xkcd.com/1172/ feeling to that. But we could probably disallow empty passphrases on stdin, I don't even think we need to have an opt-out to allow empty passphrases. |
I generally prefer strongly discouraging these things and allowing opt-outs for the 1% of cases that are not the user's but the environment's fault. Phase of moon, etc. |
For context, I reached here through a miraculous turn of events that took me forever to debug //nolint:paralleltest // mutates environment variables
func TestChangeSecretsProviderToPassphraseNonInteractively(t *testing.T) {
e := ptesting.NewEnvironment(t)
e.Passphrase = "correct horse battery staple"
defer func() {
if !t.Failed() {
e.DeleteEnvironment()
}
}()
const stackName = "imulup"
integration.CreateBasicPulumiRepo(e)
e.ImportDirectory("integration/stack_outputs/nodejs")
e.SetBackend(e.LocalURL())
e.RunCommand(
"pulumi", "stack", "init", stackName,
)
e.RunCommand("pulumi", "stack", "change-secrets-provider", "passphrase")
e.RunCommand("pulumi", "up", "--non-interactive", "--yes", "--skip-preview")
} This fails on
Why? I think this code is incorrect: // If we're setting the secrets provider to the same provider then do a rotation.
rotateProvider := secretsProvider == currentProjectStack.SecretsProvider ||
// passphrase doesn't get saved to stack state, so if we're changing to passphrase see if
// the current secrets provider is empty
((secretsProvider == "passphrase") && (currentProjectStack.SecretsProvider == "")) Specifically: (secretsProvider == "passphrase") && (currentProjectStack.SecretsProvider == "")) Since it marks this is a |
With my suggestion, if passphrase rotation is set, It would have failed in
or at least
Now I see that Also WDYT? |
I like the option with the flag, because it is a lot less typing than all those environment variables, so it does have a certain simplicity to it. |
Adding a flag now would be a breaking change, its much more palatable to go with erroring on empty here, still a break change but a more manageable and understandable one. |
I think that it's still has to be explicit when read from stdin.
First one maybe not even read the passphrase from stdin - depends if it was a rotation or not. |
Spinned up a PR to show how it will look like: Regardless, I do agree empty passphrases are useless, might as well not encrypt at all |
Signed-off-by: Nicklas Frahm nilfr@vestas.com
Description
Fixes #11083. Also fixes some deprecation warnings within the
passphrase
package.Checklist
make changelog
and committed thechangelog/pending/<file>
documenting my change