feat(yaml/secret): adding pull tag to secrets to create a lazy secret…

…s ability (#312) * feat: adding pull tag to secrets to create a lazy secrets ability * fixing testing errors * fixing testing errors * changing pull tag options * fixing tests * fixing linter errors * fixing some errors * fixing formatting * fixing errors --------- Co-authored-by: Claire.Nicholas <[email protected]> Co-authored-by: Tim Huynh <[email protected]> Co-authored-by: David May <[email protected]> Co-authored-by: Easton Crupper <[email protected]>
go-vela · Oct 24, 2023 · 19101a5 · 19101a5
1 parent 0c0b890
commit 19101a5
Show file tree

Hide file tree

Showing 7 changed files with 62 additions and 0 deletions.
diff --git a/constants/secret.go b/constants/secret.go
@@ -4,6 +4,12 @@ package constants
 
 // Secret types.
 const (
+	// SecretPullBuild defines the pull policy type for a secret.
+	SecretPullBuild = "build_start"
+
+	// SecretPullStep defines the pull policy type for a secret.
+	SecretPullStep = "step_start"
+
 	// SecretOrg defines the secret type for a secret scoped to a specific org.
 	SecretOrg = "org"
 

diff --git a/pipeline/secret.go b/pipeline/secret.go
@@ -28,6 +28,7 @@ type (
 		Engine string     `json:"engine,omitempty" yaml:"engine,omitempty"`
 		Type   string     `json:"type,omitempty"   yaml:"type,omitempty"`
 		Origin *Container `json:"origin,omitempty" yaml:"origin,omitempty"`
+		Pull   string     `json:"pull,omitempty"   yaml:"pull,omitempty"`
 	}
 
 	// StepSecretSlice is the pipeline representation

diff --git a/pipeline/secret_test.go b/pipeline/secret_test.go
@@ -60,6 +60,7 @@ func TestPipeline_Secret_ParseOrg_success(t *testing.T) {
 				Key:    "octocat/foo",
 				Engine: "native",
 				Type:   "org",
+				Pull:   "build_start",
 			},
 			org: "octocat",
 		},
@@ -70,6 +71,7 @@ func TestPipeline_Secret_ParseOrg_success(t *testing.T) {
 				Key:    "octocat/👋/🧪/🔑",
 				Engine: "native",
 				Type:   "org",
+				Pull:   "build_start",
 			},
 			org: "octocat",
 		},
@@ -108,6 +110,7 @@ func TestPipeline_Secret_ParseOrg_failure(t *testing.T) {
 				Key:    "octocat/foo",
 				Engine: "native",
 				Type:   "org",
+				Pull:   "build_start",
 			},
 			org:     "wrongorg",
 			wantErr: ErrInvalidOrg,
@@ -119,6 +122,7 @@ func TestPipeline_Secret_ParseOrg_failure(t *testing.T) {
 				Key:    "octocat",
 				Engine: "native",
 				Type:   "org",
+				Pull:   "build_start",
 			},
 			org:     "octocat",
 			wantErr: ErrInvalidPath,
@@ -130,6 +134,7 @@ func TestPipeline_Secret_ParseOrg_failure(t *testing.T) {
 				Key:    "octocat/",
 				Engine: "native",
 				Type:   "org",
+				Pull:   "build_start",
 			},
 			org:     "octocat",
 			wantErr: ErrInvalidPath,
@@ -140,6 +145,7 @@ func TestPipeline_Secret_ParseOrg_failure(t *testing.T) {
 				Key:    "octocat/foo/bar",
 				Engine: "native",
 				Type:   "org",
+				Pull:   "build_start",
 			},
 			org:     "octocat",
 			wantErr: ErrInvalidName,
@@ -151,6 +157,7 @@ func TestPipeline_Secret_ParseOrg_failure(t *testing.T) {
 				Key:    "octocat/foo/bar",
 				Engine: "native",
 				Type:   "org",
+				Pull:   "build_start",
 			},
 			org:     "octocat",
 			wantErr: ErrInvalidName,
@@ -162,6 +169,7 @@ func TestPipeline_Secret_ParseOrg_failure(t *testing.T) {
 				Key:    "octocat/foo",
 				Engine: "invalid",
 				Type:   "org",
+				Pull:   "build_start",
 			},
 			org:     "octocat",
 			wantErr: ErrInvalidEngine,
@@ -195,6 +203,7 @@ func TestPipeline_Secret_ParseRepo_success(t *testing.T) {
 				Key:    "octocat/helloworld/foo",
 				Engine: "native",
 				Type:   "repo",
+				Pull:   "build_start",
 			},
 			org:  "octocat",
 			repo: "helloworld",
@@ -206,6 +215,7 @@ func TestPipeline_Secret_ParseRepo_success(t *testing.T) {
 				Key:    "octocat/👋/🧪/🔑",
 				Engine: "native",
 				Type:   "repo",
+				Pull:   "build_start",
 			},
 			org:  "octocat",
 			repo: "👋",
@@ -253,6 +263,7 @@ func TestPipeline_Secret_ParseRepo_failure(t *testing.T) {
 				Key:    "octocat/helloworld/foo",
 				Engine: "native",
 				Type:   "repo",
+				Pull:   "build_start",
 			},
 			org:     "wrongorg",
 			repo:    "helloworld",
@@ -265,6 +276,7 @@ func TestPipeline_Secret_ParseRepo_failure(t *testing.T) {
 				Key:    "octocat/helloworld/foo",
 				Engine: "native",
 				Type:   "repo",
+				Pull:   "build_start",
 			},
 			org:     "octocat",
 			repo:    "badrepo",
@@ -277,6 +289,7 @@ func TestPipeline_Secret_ParseRepo_failure(t *testing.T) {
 				Key:    "octocat",
 				Engine: "native",
 				Type:   "repo",
+				Pull:   "build_start",
 			},
 			org:     "octocat",
 			wantErr: ErrInvalidPath,
@@ -288,6 +301,7 @@ func TestPipeline_Secret_ParseRepo_failure(t *testing.T) {
 				Key:    "octocat/helloworld",
 				Engine: "native",
 				Type:   "org",
+				Pull:   "build_start",
 			},
 			repo:    "helloworld",
 			org:     "octocat",
@@ -300,6 +314,7 @@ func TestPipeline_Secret_ParseRepo_failure(t *testing.T) {
 				Key:    "octocat/helloworld/",
 				Engine: "native",
 				Type:   "org",
+				Pull:   "build_start",
 			},
 			repo:    "helloworld",
 			org:     "octocat",
@@ -311,6 +326,7 @@ func TestPipeline_Secret_ParseRepo_failure(t *testing.T) {
 				Key:    "octocat/helloworld/foo/bar",
 				Engine: "native",
 				Type:   "repo",
+				Pull:   "build_start",
 			},
 			org:     "octocat",
 			repo:    "helloworld",
@@ -323,6 +339,7 @@ func TestPipeline_Secret_ParseRepo_failure(t *testing.T) {
 				Key:    "octocat/helloworld/foo/bar",
 				Engine: "native",
 				Type:   "repo",
+				Pull:   "build_start",
 			},
 			org:     "octocat",
 			repo:    "helloworld",
@@ -335,6 +352,7 @@ func TestPipeline_Secret_ParseRepo_failure(t *testing.T) {
 				Key:    "octocat",
 				Engine: "invalid",
 				Type:   "org",
+				Pull:   "build_start",
 			},
 			org:     "octocat",
 			wantErr: ErrInvalidEngine,
@@ -346,6 +364,7 @@ func TestPipeline_Secret_ParseRepo_failure(t *testing.T) {
 				Key:    "foo",
 				Engine: "native",
 				Type:   "repo",
+				Pull:   "build_start",
 			},
 			org:     "octocat",
 			repo:    "helloworld",
@@ -379,6 +398,7 @@ func TestPipeline_Secret_ParseShared_success(t *testing.T) {
 				Key:    "octocat/helloworld/foo",
 				Engine: "native",
 				Type:   "repo",
+				Pull:   "build_start",
 			},
 			org: "octocat",
 		},
@@ -389,6 +409,7 @@ func TestPipeline_Secret_ParseShared_success(t *testing.T) {
 				Key:    "octocat/👋/🧪/🔑",
 				Engine: "native",
 				Type:   "repo",
+				Pull:   "build_start",
 			},
 			org: "octocat",
 		},
@@ -431,6 +452,7 @@ func TestPipeline_Secret_ParseShared_failure(t *testing.T) {
 				Key:    "octocat",
 				Engine: "native",
 				Type:   "repo",
+				Pull:   "build_start",
 			},
 			org:     "octocat",
 			wantErr: ErrInvalidPath,
@@ -442,6 +464,7 @@ func TestPipeline_Secret_ParseShared_failure(t *testing.T) {
 				Key:    "octocat",
 				Engine: "invalid",
 				Type:   "org",
+				Pull:   "build_start",
 			},
 			org:     "octocat",
 			wantErr: ErrInvalidEngine,
@@ -453,6 +476,7 @@ func TestPipeline_Secret_ParseShared_failure(t *testing.T) {
 				Key:    "octocat/foo",
 				Engine: "native",
 				Type:   "org",
+				Pull:   "build_start",
 			},
 			org:     "octocat",
 			wantErr: ErrInvalidPath,
@@ -464,6 +488,7 @@ func TestPipeline_Secret_ParseShared_failure(t *testing.T) {
 				Key:    "octocat/foo/",
 				Engine: "native",
 				Type:   "org",
+				Pull:   "build_start",
 			},
 			org:     "octocat",
 			wantErr: ErrInvalidPath,
@@ -474,6 +499,7 @@ func TestPipeline_Secret_ParseShared_failure(t *testing.T) {
 				Key:    "octocat/foo/bar",
 				Engine: "native",
 				Type:   "org",
+				Pull:   "build_start",
 			},
 			org:     "octocat",
 			wantErr: ErrInvalidName,
@@ -485,6 +511,7 @@ func TestPipeline_Secret_ParseShared_failure(t *testing.T) {
 				Key:    "octocat/foo/bar",
 				Engine: "native",
 				Type:   "org",
+				Pull:   "build_start",
 			},
 			org:     "octocat",
 			wantErr: ErrInvalidName,
@@ -512,20 +539,23 @@ func testSecrets() *SecretSlice {
 			Name:   "foobar",
 			Type:   "repo",
 			Origin: &Container{},
+			Pull:   "build_start",
 		},
 		{
 			Engine: "native",
 			Key:    "github/foobar",
 			Name:   "foobar",
 			Type:   "org",
 			Origin: &Container{},
+			Pull:   "build_start",
 		},
 		{
 			Engine: "native",
 			Key:    "github/octokitties/foobar",
 			Name:   "foobar",
 			Type:   "shared",
 			Origin: &Container{},
+			Pull:   "build_start",
 		},
 		{
 			Name: "",

diff --git a/yaml/build_test.go b/yaml/build_test.go
@@ -260,36 +260,42 @@ func TestYaml_Build_UnmarshalYAML(t *testing.T) {
 						Key:    "org/repo/docker/username",
 						Engine: "native",
 						Type:   "repo",
+						Pull:   "build_start",
 					},
 					{
 						Name:   "docker_password",
 						Key:    "org/repo/docker/password",
 						Engine: "vault",
 						Type:   "repo",
+						Pull:   "build_start",
 					},
 					{
 						Name:   "docker_username",
 						Key:    "org/docker/username",
 						Engine: "native",
 						Type:   "org",
+						Pull:   "build_start",
 					},
 					{
 						Name:   "docker_password",
 						Key:    "org/docker/password",
 						Engine: "vault",
 						Type:   "org",
+						Pull:   "build_start",
 					},
 					{
 						Name:   "docker_username",
 						Key:    "org/team/docker/username",
 						Engine: "native",
 						Type:   "shared",
+						Pull:   "build_start",
 					},
 					{
 						Name:   "docker_password",
 						Key:    "org/team/docker/password",
 						Engine: "vault",
 						Type:   "shared",
+						Pull:   "build_start",
 					},
 					{
 						Origin: Origin{

diff --git a/yaml/secret.go b/yaml/secret.go
@@ -25,6 +25,7 @@ type (
 		Engine string `yaml:"engine,omitempty" json:"engine,omitempty" jsonschema:"enum=native,enum=vault,default=native,description=Name of storage backend to fetch secret from.\nReference: https://go-vela.github.io/docs/reference/yaml/secrets/#the-engine-tag"`
 		Type   string `yaml:"type,omitempty"   json:"type,omitempty" jsonschema:"enum=repo,enum=org,enum=shared,default=repo,description=Type of secret to fetch from storage backend.\nReference: https://go-vela.github.io/docs/reference/yaml/secrets/#the-type-tag"`
 		Origin Origin `yaml:"origin,omitempty" json:"origin,omitempty" jsonschema:"description=Declaration to pull secrets from non-internal secret providers.\nReference: https://go-vela.github.io/docs/reference/yaml/secrets/#the-origin-tag"`
+		Pull   string `yaml:"pull,omitempty"   json:"pull,omitempty" jsonschema:"default=build_start,description=When to pull in secrets from storage backend."`
 	}
 
 	// Origin is the yaml representation of a method
@@ -55,6 +56,7 @@ func (s *SecretSlice) ToPipeline() *pipeline.SecretSlice {
 			Engine: secret.Engine,
 			Type:   secret.Type,
 			Origin: secret.Origin.ToPipeline(),
+			Pull:   secret.Pull,
 		})
 	}
 
@@ -94,6 +96,11 @@ func (s *SecretSlice) UnmarshalYAML(unmarshal func(interface{}) error) error {
 			secret.Type = constants.SecretRepo
 		}
 
+		// implicitly set `type` field if empty
+		if secret.Origin.Empty() && len(secret.Pull) == 0 {
+			secret.Pull = constants.SecretPullBuild
+		}
+
 		// implicitly set `pull` field if empty
 		if !secret.Origin.Empty() && len(secret.Origin.Pull) == 0 {
 			secret.Origin.Pull = constants.PullNotPresent