SecretsManager: Introduce db migrator with keeper table (#105538)

Co-authored-by: PoorlyDefinedBehaviour <brunotj2015@hotmail.com> Co-authored-by: Leandro Deveikis <leandro.deveikis@gmail.com> Co-authored-by: Matheus Macabu <macabu@users.noreply.github.com>
2 months ago · 6e5e133f7d
parent 06206ced68
commit 6e5e133f7d
4 changed files with 90 additions and 0 deletions
--- a/pkg/registry/apis/secret/contracts/migrator.go
+++ b/pkg/registry/apis/secret/contracts/migrator.go
@ -0,0 +1,6 @@
+package contracts
+
+// SecretDBMigrator is an interface for running database migrations related to secrets management.
+type SecretDBMigrator interface {
+	RunMigrations() error
+}
--- a/pkg/registry/apis/secret/register.go
+++ b/pkg/registry/apis/secret/register.go
@ -61,6 +61,7 @@ func RegisterAPIService(
 	keeperMetadataStorage contracts.KeeperMetadataStorage,
 	accessClient claims.AccessClient,
 	accessControlService accesscontrol.Service,
+	secretDBMigrator contracts.SecretDBMigrator,
 ) (*SecretAPIBuilder, error) {
 	// Skip registration unless opting into experimental apis and the secrets management app platform flag.
 	if !features.IsEnabledGlobally(featuremgmt.FlagGrafanaAPIServerWithExperimentalAPIs) ||
@ -68,6 +69,10 @@ func RegisterAPIService(
 		return nil, nil
 	}

+	if err := secretDBMigrator.RunMigrations(); err != nil {
+		return nil, fmt.Errorf("running secret database migrations: %w", err)
+	}
+
 	if err := RegisterAccessControlRoles(accessControlService); err != nil {
 		return nil, fmt.Errorf("register secret access control roles: %w", err)
 	}
--- a/pkg/server/wire.go
+++ b/pkg/server/wire.go
@ -166,6 +166,7 @@ import (
 	legacydualwrite "github.com/grafana/grafana/pkg/storage/legacysql/dualwrite"
 	secretdatabase "github.com/grafana/grafana/pkg/storage/secret/database"
 	secretmetadata "github.com/grafana/grafana/pkg/storage/secret/metadata"
+	secretmigrator "github.com/grafana/grafana/pkg/storage/secret/migrator"
 	"github.com/grafana/grafana/pkg/storage/unified/resource"
 	unifiedsearch "github.com/grafana/grafana/pkg/storage/unified/search"
 	"github.com/grafana/grafana/pkg/tsdb/azuremonitor"
@ -419,6 +420,7 @@ var wireBasicSet = wire.NewSet(
 	// Secrets Manager
 	secretmetadata.ProvideSecureValueMetadataStorage,
 	secretmetadata.ProvideKeeperMetadataStorage,
+	secretmigrator.NewWithEngine,
 	secretdatabase.ProvideDatabase,
 	wire.Bind(new(secretcontracts.Database), new(*secretdatabase.Database)),
 	secretdecrypt.ProvideDecryptAuthorizer,
--- a/pkg/storage/secret/migrator/migrator.go
+++ b/pkg/storage/secret/migrator/migrator.go
@ -0,0 +1,77 @@
+package migrator
+
+import (
+	"fmt"
+
+	"github.com/grafana/grafana/pkg/infra/db"
+	"github.com/grafana/grafana/pkg/registry"
+	"github.com/grafana/grafana/pkg/registry/apis/secret/contracts"
+	"github.com/grafana/grafana/pkg/services/sqlstore/migrator"
+	"github.com/grafana/grafana/pkg/util/xorm"
+)
+
+const (
+	TableNameKeeper = "secret_keeper"
+)
+
+type SecretDB struct {
+	engine *xorm.Engine
+}
+
+func New() registry.DatabaseMigrator {
+	return &SecretDB{}
+}
+
+func NewWithEngine(db db.DB) contracts.SecretDBMigrator {
+	return &SecretDB{engine: db.GetEngine()}
+}
+
+func (db *SecretDB) RunMigrations() error {
+	mg := migrator.NewScopedMigrator(db.engine, nil, "secret")
+
+	db.AddMigration(mg)
+
+	return mg.Start(true, 0)
+}
+
+func (*SecretDB) AddMigration(mg *migrator.Migrator) {
+	mg.AddCreateMigration()
+
+	mg.AddMigration("Initialize secrets tables", &migrator.RawSQLMigration{})
+
+	tables := []migrator.Table{}
+
+	tables = append(tables, migrator.Table{
+		Name: TableNameKeeper,
+		Columns: []*migrator.Column{
+			// Kubernetes Metadata
+			{Name: "guid", Type: migrator.DB_NVarchar, Length: 36, IsPrimaryKey: true},    // Fixed size of a UUID.
+			{Name: "name", Type: migrator.DB_NVarchar, Length: 253, Nullable: false},      // Limit enforced by K8s.
+			{Name: "namespace", Type: migrator.DB_NVarchar, Length: 253, Nullable: false}, // Limit enforced by K8s.
+			{Name: "annotations", Type: migrator.DB_Text, Nullable: true},
+			{Name: "labels", Type: migrator.DB_Text, Nullable: true},
+			{Name: "created", Type: migrator.DB_BigInt, Nullable: false},
+			{Name: "created_by", Type: migrator.DB_Text, Nullable: false},
+			{Name: "updated", Type: migrator.DB_BigInt, Nullable: false}, // Used as RV (ResourceVersion)
+			{Name: "updated_by", Type: migrator.DB_Text, Nullable: false},
+
+			// Spec
+			{Name: "description", Type: migrator.DB_NVarchar, Length: 253, Nullable: false}, // Chosen arbitrarily, but should be enough.
+			{Name: "type", Type: migrator.DB_Text, Nullable: false},
+			// Each keeper has a different payload so we store the whole thing as a blob.
+			{Name: "payload", Type: migrator.DB_Text, Nullable: true},
+		},
+		Indices: []*migrator.Index{
+			{Cols: []string{"namespace", "name"}, Type: migrator.UniqueIndex},
+		},
+	})
+
+	// Initialize all tables
+	for t := range tables {
+		mg.AddMigration("drop table "+tables[t].Name, migrator.NewDropTableMigration(tables[t].Name))
+		mg.AddMigration("create table "+tables[t].Name, migrator.NewAddTableMigration(tables[t]))
+		for i := range tables[t].Indices {
+			mg.AddMigration(fmt.Sprintf("create table %s, index: %d", tables[t].Name, i), migrator.NewAddIndexMigration(tables[t], tables[t].Indices[i]))
+		}
+	}
+}