
sts-sponsors team mailing list archive

[Merge] ~igor-brovtsin/maas:vault-migrate-save-metadata into maas:master

 

Igor Brovtsin has proposed merging ~igor-brovtsin/maas:vault-migrate-save-metadata into maas:master.

Commit message:
fix(vault): `migrate` command now creates `VaultSecret` metadata objects

Requested reviews:
  MAAS Maintainers (maas-maintainers)

For more details, see:
https://code.launchpad.net/~igor-brovtsin/maas/+git/maas/+merge/433603

This MP adds creation of `VaultSecret` objects to the `migrate` script. Also, the unit test `test_migrate_secrets_actually_migrates_secrets` now checks whether secrets were migrated by using a fake Vault client and the actual logic of `SecretManager`, since the `migrate` script uses `VaultClient` directly.
-- 
Your team MAAS Committers is subscribed to branch maas:master.
diff --git a/src/maasserver/management/commands/config_vault.py b/src/maasserver/management/commands/config_vault.py
index 6619345..3734d4f 100644
--- a/src/maasserver/management/commands/config_vault.py
+++ b/src/maasserver/management/commands/config_vault.py
@@ -21,6 +21,7 @@ from maasserver.models import (
     Node,
     RegionController,
     Secret,
+    VaultSecret,
 )
 from maasserver.utils import synchronised
 from maasserver.utils.orm import transactional, with_connection
@@ -147,10 +148,14 @@ class Command(BaseCommand):
         """Handles the actual secrets migration"""
 
         print("Migrating secrets")
+        metadata = []
         for secret in Secret.objects.all():
             client.set(secret.path, secret.value)
+            metadata.append(VaultSecret(path=secret.path, deleted=False))
             secret.delete()
 
+        VaultSecret.objects.bulk_create(metadata, ignore_conflicts=True)
+
         # Enable Vault cluster-wide
         Config.objects.set_config("vault_enabled", True)
 
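Review bot: The `VaultSecret` rows are written only by the single `bulk_create` after the loop, so if `client.set` raises partway through, the secrets already handled are in Vault and deleted from `Secret` with no metadata recorded. That holds unless the enclosing method runs inside a database transaction, which cannot be seen here because its signature and any decorator are outside the hunk. `ignore_conflicts=True` also leaves an existing row for the same path untouched (assuming `path` is the conflicting unique key), so a row previously marked `deleted=True` would stay that way for a secret that is now live in Vault. Recording the metadata per secret covers both cases, for example `VaultSecret.objects.update_or_create(path=secret.path, defaults={"deleted": False})` placed just before `secret.delete()`.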
diff --git a/src/maasserver/management/commands/pytest_tests/test_config_vault.py b/src/maasserver/management/commands/pytest_tests/test_config_vault.py
index 69ff26f..23333ea 100644
--- a/src/maasserver/management/commands/pytest_tests/test_config_vault.py
+++ b/src/maasserver/management/commands/pytest_tests/test_config_vault.py
@@ -12,7 +12,9 @@ from maasserver.models import (
     RegionControllerProcess,
     Secret,
 )
+from maasserver.secrets import GLOBAL_SECRETS, SecretManager
 from maasserver.testing.factory import factory
+from maasserver.testing.vault import FakeVaultClient
 from maasserver.vault import VaultError, WrappedSecretError
 from provisioningserver.utils.env import MAAS_ID
 
@@ -205,19 +207,17 @@ class TestMigrateSecrets:
         assert Config.objects.get_config("vault_enabled", False)
 
     def test_migrate_secrets_actually_migrates_secrets(self):
-        client = MagicMock()
-        client.set.return_value = None
-
+        client = FakeVaultClient()
         secrets = []
-        for i in range(3):
-            path = factory.make_name("path")
+        for path in GLOBAL_SECRETS:
             value = factory.make_name("value")
-            Secret(path=path, value=value).save()
+            Secret(path=f"global/{path}", value=value).save()
             secrets.append((path, value))
 
         Command()._migrate_secrets(client)
+        secret_manager = SecretManager(client)
         for path, value in secrets:
-            assert (path, value) in [c[1] for c in client.set.mock_calls]
+            assert value == secret_manager.get_composite_secret(path)
         assert not Secret.objects.exists()
 
     def test_handle_migrate_stops_when_vault_is_enabled(self, mocker):
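Review bot: `test_migrate_secrets_actually_migrates_secrets` never asserts that the `VaultSecret` metadata rows exist, although creating them is what this change is for. The test would still pass if the `bulk_create` call were dropped. Inside the final loop, add `assert VaultSecret.objects.filter(path=f"global/{path}", deleted=False).exists()`, and import `VaultSecret` from `maasserver.models`, since the import hunk for this file does not add it. The test class continues outside the hunk.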
