
Commit c23456a

feat: template secrets (#1463)
1 parent 0536e52 commit c23456a


3 files changed

+41
-17
lines changed


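--- a/agent-control/src/agent_type/render/renderer.rs
+++ b/agent-control/src/agent_type/render/renderer.rs
@@ -24,7 +24,7 @@ pub trait Renderer {
 agent_type: AgentType,
 values: YAMLConfig,
 attributes: AgentAttributes,
-environment_variables: HashMap<String, Variable>,
+runtime_variables: HashMap<String, Variable>,
 ) -> Result<Runtime, AgentTypeError>;
 }
 
@@ -42,14 +42,14 @@ impl<C: ConfigurationPersister> Renderer for TemplateRenderer<C> {
 agent_type: AgentType,
 values: YAMLConfig,
 attributes: AgentAttributes,
-environment_variables: HashMap<String, Variable>,
+runtime_variables: HashMap<String, Variable>,
 ) -> Result<Runtime, AgentTypeError> {
 // Get empty variables and runtime_config from the agent-type
 let (variables, runtime_config) = (agent_type.variables, agent_type.runtime_config);
 
 // Values are expanded substituting all ${nr-env...} with environment variables.
-// Notice that only environment variables are taken into consideration (no other vars for example)
-let values_expanded = values.template_with(&environment_variables)?;
+// Notice that only environment variables and secrets are taken into consideration (no other vars for example)
+let values_expanded = values.template_with(&runtime_variables)?;
 
 // Fill agent variables
 // `filled_variables` needs to be mutable, in case there are `File` or `MapStringFile` variables, whose path
@@ -76,7 +76,7 @@ impl<C: ConfigurationPersister> Renderer for TemplateRenderer<C> {
 
 // Setup namespaced variables
 let ns_variables =
-self.build_namespaced_variables(filled_variables, environment_variables, &attributes);
+self.build_namespaced_variables(filled_variables, runtime_variables, &attributes);
 // Render runtime config
 let rendered_runtime_config = runtime_config.template_with(&ns_variables)?;
 
@@ -139,7 +139,7 @@ impl<C: ConfigurationPersister> TemplateRenderer<C> {
 fn build_namespaced_variables(
 &self,
 variables: HashMap<String, Variable>,
-environment_variables: HashMap<String, Variable>,
+runtime_variables: HashMap<String, Variable>,
 attributes: &AgentAttributes,
 ) -> HashMap<NamespacedVariableName, Variable> {
 // Set the namespaced name to variables
@@ -152,7 +152,7 @@ impl<C: ConfigurationPersister> TemplateRenderer<C> {
 // Join all variables together
 vars_iter
 .chain(sub_agent_vars_iter)
-.chain(environment_variables)
+.chain(runtime_variables)
 .chain(self.sa_variables.clone())
 .collect::<HashMap<NamespacedVariableName, Variable>>()
 }
@@ -192,7 +192,7 @@ pub(crate) mod tests {
 agent_type: AgentType,
 values: YAMLConfig,
 attributes: AgentAttributes,
-environment_variables: HashMap<String, Variable>,
+runtime_variables: HashMap<String, Variable>,
 ) -> Result<Runtime, AgentTypeError>;
 }
 }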

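--- a/agent-control/src/agent_type/variable/secret_variables.rs
+++ b/agent-control/src/agent_type/variable/secret_variables.rs
@@ -8,6 +8,7 @@ use crate::{
 variable::{Variable, namespace::Namespace},
 },
 secrets_provider::{SecretsProvider, SecretsProviderType, SecretsProvidersRegistry},
+values::yaml_config::YAMLConfig,
 };
 
 /// Represents the prefix used for namespaced variables.
@@ -62,17 +63,31 @@ impl From<&str> for SecretVariables {
 }
 }
 
+impl TryFrom<YAMLConfig> for SecretVariables {
+type Error = SecretVariablesError;
+
+fn try_from(config: YAMLConfig) -> Result<Self, Self::Error> {
+let config: String = config
+.try_into()
+.map_err(|_| SecretVariablesError::YamlParseError)?;
+Ok(SecretVariables::from(config.as_str()))
+}
+}
+
 #[derive(thiserror::Error, Debug)]
 pub enum SecretVariablesError {
 #[error("failed to load secret: {0}")]
 SecretsLoadError(String),
+
+#[error("failed to parse yaml config")]
+YamlParseError,
 }
 
 impl SecretVariables {
 /// Loads secrets from all providers.
 pub fn load_all_secrets(
 &self,
-secrets_providers_registry: SecretsProvidersRegistry,
+secrets_providers_registry: &SecretsProvidersRegistry,
 ) -> Result<HashMap<String, Variable>, SecretVariablesError> {
 if secrets_providers_registry.is_empty() {
 return Ok(HashMap::new());
@@ -97,8 +112,8 @@ impl SecretVariables {
 /// Loads secrets from the given provider.
 fn load_secrets_at<SP: SecretsProvider>(
 &self,
-namespace: Namespace,
-provider: SP,
+namespace: &Namespace,
+provider: &SP,
 ) -> Result<HashMap<String, Variable>, SecretVariablesError> {
 let mut result = HashMap::new();
 let Some(secrets_paths) = self.variables.get(&namespace.to_string()) else {
@@ -198,7 +213,7 @@ eof"#;
 .returning(|_| Ok("mocked_value_D".to_string()));
 
 let result = runtime_variables
-.load_secrets_at(Namespace::Vault, mock_vault)
+.load_secrets_at(&Namespace::Vault, &mock_vault)
 .unwrap();
 assert_eq!(
 result,
@@ -215,7 +230,7 @@ eof"#;
 variables: HashMap::new(),
 };
 let result = runtime_variables
-.load_all_secrets(SecretsProvidersRegistry::new())
+.load_all_secrets(&SecretsProvidersRegistry::new())
 .unwrap();
 assert!(result.is_empty());
 }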
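Review bot: The new `TryFrom<YAMLConfig>` impl discards the underlying conversion error with `.map_err(|_| SecretVariablesError::YamlParseError)`, so a failure reports only "failed to parse yaml config" with no cause. Consider carrying the cause, for example `YamlParseError(String)` with `#[error("failed to parse yaml config: {0}")]` and `.map_err(|e| SecretVariablesError::YamlParseError(e.to_string()))`, assuming the source error implements `Display` and after checking that its message does not echo config values. The variant name is also slightly misleading, since the failing step converts the config into a `String` rather than parsing it. No added line in this section tests the new conversion; a small case that builds a `YAMLConfig` containing a secret placeholder and asserts the extracted variables would cover it.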

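--- a/agent-control/src/sub_agent/effective_agents_assembler.rs
+++ b/agent-control/src/sub_agent/effective_agents_assembler.rs
@@ -11,6 +11,7 @@ use crate::agent_type::runtime_config::k8s::K8s;
 use crate::agent_type::runtime_config::onhost::OnHost;
 use crate::agent_type::runtime_config::{Deployment, Runtime};
 use crate::agent_type::variable::constraints::VariableConstraints;
+use crate::agent_type::variable::secret_variables::{SecretVariables, SecretVariablesError};
 use crate::secrets_provider::SecretsProvidersRegistry;
 use crate::sub_agent::identity::AgentIdentity;
 use crate::values::yaml_config::YAMLConfig;
@@ -32,6 +33,8 @@ pub enum EffectiveAgentsAssemblerError {
 AgentTypeError(#[from] AgentTypeError),
 #[error("error assembling agents: `{0}`")]
 AgentTypeDefinitionError(#[from] AgentTypeDefinitionError),
+#[error("error loading secrets: `{0}`")]
+SecretVariablesError(#[from] SecretVariablesError),
 }
 
 #[derive(Error, Debug)]
@@ -107,7 +110,7 @@ where
 registry: Arc<R>,
 renderer: Y,
 variable_constraints: VariableConstraints,
-_secrets_providers: SecretsProvidersRegistry,
+secrets_providers: SecretsProvidersRegistry,
 }
 
 impl LocalEffectiveAgentsAssembler<EmbeddedRegistry, TemplateRenderer<ConfigurationPersisterFile>> {
@@ -121,7 +124,7 @@ impl LocalEffectiveAgentsAssembler<EmbeddedRegistry, TemplateRenderer<Configurat
 registry,
 renderer,
 variable_constraints,
-_secrets_providers: secrets_providers,
+secrets_providers,
 }
 }
 }
@@ -157,12 +160,18 @@ where
 // Notice that only environment variables are taken into consideration (no other vars for example)
 let environment_variables = retrieve_env_var_variables();
 
+let secret_variables = SecretVariables::try_from(values.clone())?;
+let secrets = secret_variables.load_all_secrets(&self.secrets_providers)?;
+
+let mut runtime_variables = environment_variables.clone();
+runtime_variables.extend(secrets);
+
 let runtime_config = self.renderer.render(
 &agent_identity.id,
 agent_type,
 values,
 attributes,
-environment_variables,
+runtime_variables,
 )?;
 
 Ok(EffectiveAgent::new(agent_identity.clone(), runtime_config))
@@ -273,7 +282,7 @@ pub(crate) mod tests {
 registry: Arc::new(registry),
 renderer,
 variable_constraints: VariableConstraints::default(),
-_secrets_providers: SecretsProvidersRegistry::default(),
+secrets_providers: SecretsProvidersRegistry::default(),
 }
 }
 }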
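Review bot: Secret values are merged into the same `HashMap<String, Variable>` as environment variables at `runtime_variables.extend(secrets)`, so after this point nothing distinguishes sensitive entries from ordinary ones. If `Variable` exposes its value through `Debug`, or if the renderer persists or logs templated values (neither is visible in this hunk), resolved secrets could reach logs or files in plaintext; that is worth confirming before relying on this path. `extend` also overwrites on key collision, so a secret whose key matches an environment key silently replaces it; presumably the namespace prefixes rule this out, and a comment such as `// secret keys are namespaced and cannot collide with nr-env keys` would record that invariant. The comment above `retrieve_env_var_variables()` still says only environment variables are considered and should now mention secrets. The enclosing function starts before the hunk and may end after it.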
