feat: template secrets (#1463)

Author: danielorihuela

agent-control/src/agent_type/render/renderer.rs

@@ -24,7 +24,7 @@ pub trait Renderer {
         agent_type: AgentType,
         values: YAMLConfig,
         attributes: AgentAttributes,
-        environment_variables: HashMap<String, Variable>,
+        runtime_variables: HashMap<String, Variable>,
     ) -> Result<Runtime, AgentTypeError>;
 }
 
@@ -42,14 +42,14 @@ impl<C: ConfigurationPersister> Renderer for TemplateRenderer<C> {
         agent_type: AgentType,
         values: YAMLConfig,
         attributes: AgentAttributes,
-        environment_variables: HashMap<String, Variable>,
+        runtime_variables: HashMap<String, Variable>,
     ) -> Result<Runtime, AgentTypeError> {
         // Get empty variables and runtime_config from the agent-type
         let (variables, runtime_config) = (agent_type.variables, agent_type.runtime_config);
 
         // Values are expanded substituting all ${nr-env...} with environment variables.
-        // Notice that only environment variables are taken into consideration (no other vars for example)
-        let values_expanded = values.template_with(&environment_variables)?;
+        // Notice that only environment variables and secrets are taken into consideration (no other vars for example)
+        let values_expanded = values.template_with(&runtime_variables)?;
 
         // Fill agent variables
         // `filled_variables` needs to be mutable, in case there are `File` or `MapStringFile` variables, whose path
@@ -76,7 +76,7 @@ impl<C: ConfigurationPersister> Renderer for TemplateRenderer<C> {
 
         // Setup namespaced variables
         let ns_variables =
-            self.build_namespaced_variables(filled_variables, environment_variables, &attributes);
+            self.build_namespaced_variables(filled_variables, runtime_variables, &attributes);
         // Render runtime config
         let rendered_runtime_config = runtime_config.template_with(&ns_variables)?;
 
@@ -139,7 +139,7 @@ impl<C: ConfigurationPersister> TemplateRenderer<C> {
     fn build_namespaced_variables(
         &self,
         variables: HashMap<String, Variable>,
-        environment_variables: HashMap<String, Variable>,
+        runtime_variables: HashMap<String, Variable>,
         attributes: &AgentAttributes,
     ) -> HashMap<NamespacedVariableName, Variable> {
         // Set the namespaced name to variables
@@ -152,7 +152,7 @@ impl<C: ConfigurationPersister> TemplateRenderer<C> {
         // Join all variables together
         vars_iter
             .chain(sub_agent_vars_iter)
-            .chain(environment_variables)
+            .chain(runtime_variables)
             .chain(self.sa_variables.clone())
             .collect::<HashMap<NamespacedVariableName, Variable>>()
     }
@@ -192,7 +192,7 @@ pub(crate) mod tests {
                 agent_type: AgentType,
                 values: YAMLConfig,
                 attributes: AgentAttributes,
-                environment_variables: HashMap<String, Variable>,
+                runtime_variables: HashMap<String, Variable>,
             ) -> Result<Runtime, AgentTypeError>;
          }
     }

agent-control/src/agent_type/variable/secret_variables.rs

@@ -8,6 +8,7 @@ use crate::{
         variable::{Variable, namespace::Namespace},
     },
     secrets_provider::{SecretsProvider, SecretsProviderType, SecretsProvidersRegistry},
+    values::yaml_config::YAMLConfig,
 };
 
 /// Represents the prefix used for namespaced variables.
@@ -62,17 +63,31 @@ impl From<&str> for SecretVariables {
     }
 }
 
+impl TryFrom<YAMLConfig> for SecretVariables {
+    type Error = SecretVariablesError;
+
+    fn try_from(config: YAMLConfig) -> Result<Self, Self::Error> {
+        let config: String = config
+            .try_into()
+            .map_err(|_| SecretVariablesError::YamlParseError)?;
+        Ok(SecretVariables::from(config.as_str()))
+    }
+}
+
 #[derive(thiserror::Error, Debug)]
 pub enum SecretVariablesError {
     #[error("failed to load secret: {0}")]
     SecretsLoadError(String),
+
+    #[error("failed to parse yaml config")]
+    YamlParseError,
 }
 
 impl SecretVariables {
     /// Loads secrets from all providers.
     pub fn load_all_secrets(
         &self,
-        secrets_providers_registry: SecretsProvidersRegistry,
+        secrets_providers_registry: &SecretsProvidersRegistry,
     ) -> Result<HashMap<String, Variable>, SecretVariablesError> {
         if secrets_providers_registry.is_empty() {
             return Ok(HashMap::new());
@@ -97,8 +112,8 @@ impl SecretVariables {
     /// Loads secrets from the given provider.
     fn load_secrets_at<SP: SecretsProvider>(
         &self,
-        namespace: Namespace,
-        provider: SP,
+        namespace: &Namespace,
+        provider: &SP,
     ) -> Result<HashMap<String, Variable>, SecretVariablesError> {
         let mut result = HashMap::new();
         let Some(secrets_paths) = self.variables.get(&namespace.to_string()) else {
@@ -198,7 +213,7 @@ eof"#;
             .returning(|_| Ok("mocked_value_D".to_string()));
 
         let result = runtime_variables
-            .load_secrets_at(Namespace::Vault, mock_vault)
+            .load_secrets_at(&Namespace::Vault, &mock_vault)
             .unwrap();
         assert_eq!(
             result,
@@ -215,7 +230,7 @@ eof"#;
             variables: HashMap::new(),
         };
         let result = runtime_variables
-            .load_all_secrets(SecretsProvidersRegistry::new())
+            .load_all_secrets(&SecretsProvidersRegistry::new())
             .unwrap();
         assert!(result.is_empty());
     }

agent-control/src/sub_agent/effective_agents_assembler.rs

@@ -11,6 +11,7 @@ use crate::agent_type::runtime_config::k8s::K8s;
 use crate::agent_type::runtime_config::onhost::OnHost;
 use crate::agent_type::runtime_config::{Deployment, Runtime};
 use crate::agent_type::variable::constraints::VariableConstraints;
+use crate::agent_type::variable::secret_variables::{SecretVariables, SecretVariablesError};
 use crate::secrets_provider::SecretsProvidersRegistry;
 use crate::sub_agent::identity::AgentIdentity;
 use crate::values::yaml_config::YAMLConfig;
@@ -32,6 +33,8 @@ pub enum EffectiveAgentsAssemblerError {
     AgentTypeError(#[from] AgentTypeError),
     #[error("error assembling agents: `{0}`")]
     AgentTypeDefinitionError(#[from] AgentTypeDefinitionError),
+    #[error("error loading secrets: `{0}`")]
+    SecretVariablesError(#[from] SecretVariablesError),
 }
 
 #[derive(Error, Debug)]
@@ -107,7 +110,7 @@ where
     registry: Arc<R>,
     renderer: Y,
     variable_constraints: VariableConstraints,
-    _secrets_providers: SecretsProvidersRegistry,
+    secrets_providers: SecretsProvidersRegistry,
 }
 
 impl LocalEffectiveAgentsAssembler<EmbeddedRegistry, TemplateRenderer<ConfigurationPersisterFile>> {
@@ -121,7 +124,7 @@ impl LocalEffectiveAgentsAssembler<EmbeddedRegistry, TemplateRenderer<Configurat
             registry,
             renderer,
             variable_constraints,
-            _secrets_providers: secrets_providers,
+            secrets_providers,
         }
     }
 }
@@ -157,12 +160,18 @@ where
         // Notice that only environment variables are taken into consideration (no other vars for example)
         let environment_variables = retrieve_env_var_variables();
 
+        let secret_variables = SecretVariables::try_from(values.clone())?;
+        let secrets = secret_variables.load_all_secrets(&self.secrets_providers)?;
+
+        let mut runtime_variables = environment_variables.clone();
+        runtime_variables.extend(secrets);
+
         let runtime_config = self.renderer.render(
             &agent_identity.id,
             agent_type,
             values,
             attributes,
-            environment_variables,
+            runtime_variables,
         )?;
 
         Ok(EffectiveAgent::new(agent_identity.clone(), runtime_config))
@@ -273,7 +282,7 @@ pub(crate) mod tests {
                 registry: Arc::new(registry),
                 renderer,
                 variable_constraints: VariableConstraints::default(),
-                _secrets_providers: SecretsProvidersRegistry::default(),
+                secrets_providers: SecretsProvidersRegistry::default(),
             }
         }
     }