Add policy to exclude env vars. #2993

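--- a/changelog.d/+103-policy-env-vars-exclude.added.md
+++ b/changelog.d/+103-policy-env-vars-exclude.added.md
@@ -0,0 +1 @@
+Add policy to exclude env vars.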
24 changes: 24 additions & 0 deletions mirrord/operator/src/crd/policy.rs
@@ -1,3 +1,5 @@
use std::collections::HashSet;

use kube::CustomResource;
use schemars::JsonSchema;
use serde::{Deserialize, Serialize};
@@ -51,6 +53,17 @@ pub struct MirrordPolicySpec {
// TODO: make the k8s list type be set/map to prevent duplicates.
/// List of features and operations blocked by this policy.
pub block: Vec<BlockedFeature>,

/// List of environment variables that should be excluded when using mirrord.
///
/// These environment variables won't be retrieved from the target even if the user
/// specifies them in their `feature.env.include` mirrord config.
///
/// Variable names can be matched using `*` and `?` where `?` matches exactly one occurrence of
/// any character and `*` matches arbitrary many (including zero) occurrences of any character,
/// e.g. `DATABASE_*` will match `DATABASE_URL` and `DATABASE_PORT`.
#[serde(default)]
pub env_vars_exclude: HashSet<String>,
}

/// Custom cluster-wide resource for policies that limit what mirrord features users can use.
@@ -78,6 +91,17 @@ pub struct MirrordClusterPolicySpec {
// TODO: make the k8s list type be set/map to prevent duplicates.
/// List of features and operations blocked by this policy.
pub block: Vec<BlockedFeature>,

/// List of environment variables that should be excluded when using mirrord.
///
/// These environment variables won't be retrieved from the target even if the user
/// specifies them in their `feature.env.include` mirrord config.
///
/// Variable names can be matched using `*` and `?` where `?` matches exactly one occurrence of
/// any character and `*` matches arbitrary many (including zero) occurrences of any character,
/// e.g. `DATABASE_*` will match `DATABASE_URL` and `DATABASE_PORT`.
#[serde(default)]
pub env_vars_exclude: HashSet<String>,
}

#[test]
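Review bot: The doc comment on `env_vars_exclude` in `MirrordPolicySpec` (repeated verbatim in `MirrordClusterPolicySpec`) describes the `*`/`?` syntax but leaves three things unstated: whether matching is case-sensitive, whether variables fetched by default rather than through `feature.env.include` are also filtered, and how the sets of several policies selecting the same target combine. This field is presumably the control that keeps sensitive values on the target, so I would spell those out, e.g. `/// Matching is case-sensitive; exclusions from every policy that applies to the target are combined.`, with the wording adjusted to what the enforcement code (not in this section) actually does. `HashSet<String>` also serializes in an unspecified order, so `pub env_vars_exclude: BTreeSet<String>,` would keep applied manifests stable. Both struct definitions start above the visible hunks.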
7 changes: 7 additions & 0 deletions tests/src/operator/policies.rs
@@ -127,6 +127,7 @@ fn block_steal_without_qualifiers() -> PolicyTestCase {
target_path: None,
selector: None,
block: vec![BlockedFeature::Steal],
env_vars_exclude: Default::default(),
},
),
service_b_can_steal: No,
@@ -145,6 +146,7 @@ fn block_steal_with_path_pattern() -> PolicyTestCase {
target_path: Some("*-service-a*".into()),
selector: None,
block: vec![BlockedFeature::Steal],
env_vars_exclude: Default::default(),
},
),
service_b_can_steal: EvenWithoutFilter,
@@ -163,6 +165,7 @@ fn block_unfiltered_steal_with_path_pattern() -> PolicyTestCase {
target_path: Some("*-service-a*".into()),
selector: None,
block: vec![BlockedFeature::StealWithoutFilter],
env_vars_exclude: Default::default(),
},
),
service_b_can_steal: EvenWithoutFilter,
@@ -181,6 +184,7 @@ fn block_unfiltered_steal_with_deployment_path_pattern() -> PolicyTestCase {
target_path: Some("deploy/*service-a*".into()),
selector: None,
block: vec![BlockedFeature::StealWithoutFilter],
env_vars_exclude: Default::default(),
},
),
service_a_can_steal: OnlyWithFilter,
@@ -205,6 +209,7 @@ fn block_steal_with_label_selector() -> PolicyTestCase {
)])),
}),
block: vec![BlockedFeature::Steal],
env_vars_exclude: Default::default(),
},
),
service_b_can_steal: EvenWithoutFilter,
@@ -230,6 +235,7 @@ fn block_steal_with_unmatching_policy() -> PolicyTestCase {
)])),
}),
block: vec![BlockedFeature::Steal],
env_vars_exclude: Default::default(),
},
),
service_b_can_steal: EvenWithoutFilter,
@@ -370,6 +376,7 @@ pub async fn create_cluster_policy_and_try_to_mirror(
target_path: Some("*-service-a*".into()),
selector: None,
block: vec![BlockedFeature::Mirror],
env_vars_exclude: Default::default(),
},
),
)
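Review bot: Every fixture touched in this file sets `env_vars_exclude: Default::default()`, so none of the visible cases runs the new policy with a non-empty exclusion set. I would add a case built with something like `env_vars_exclude: HashSet::from(["DATABASE_*".to_string()]),` (the pattern from the field's doc comment). It should assert that a matching variable on the target is withheld even when listed in `feature.env.include`, and that a non-matching variable still comes through. Such a test may already exist in the collapsed parts of the file. The enclosing functions start and end outside the hunks shown.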