Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Prototype: Add the ability to ignore changes to volatile provider configuration (WIP) #1149

Closed
wants to merge 1 commit into from

Conversation

flostadler
Copy link

@flostadler flostadler commented Jun 17, 2024

The password and username of the registryAuth config can be volatile for many cloud registries. For AWS ECR you need to exchange AWS credentials for short lived tokens to authenticate to the registry.
This will lead to perma-diffs in the provider config.

This change adds a prototype to explore whether it's viable to ignore certain volatile fields of the registryAuth configuration.

fixes #952

The password and username of the registryAuth config can be volatile
for many cloud registries. For AWS ECR you need to exchange AWS
credentials for short lived tokens to authenticate to the registry.
This will lead to perma-diffs in the provider config.

This change adds the ability to ignore certain volatile fields
of the registryAuth configuration.
@flostadler flostadler requested review from blampe, guineveresaenger, iwahbe and a team June 17, 2024 17:43
@flostadler flostadler self-assigned this Jun 17, 2024
Copy link

Does the PR have any schema changes?

Looking good! No breaking changes found.
No new resources/functions.

Maintainer note: consult the runbook for dealing with any breaking changes.

@flostadler flostadler changed the title Prototype: Add the ability to ignore changes to volatile provider configuration Prototype: Add the ability to ignore changes to volatile provider configuration (WIP) Jun 17, 2024
skipPush: true
});

const ecrProvider = new docker.Provider("ecr-provider", {
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here we had a permadiff before.

Comment on lines +94 to +97
var ignoreRegistryAuthChanges bool = true
if v := news["ignoreRegistryAuthChanges"]; v.HasValue() && v.IsBool() {
ignoreRegistryAuthChanges = v.BoolValue()
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We really should do type validation here. If the flag is present but not a bool (or a marker type), that should be a check failure.

If it is a marker type, say an unknown, what is the correct behavior? Can we mark this value as plain?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think we need to gate this behind provider config, FWIW. It's a bug fix IMO.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe I was a bit overcautious with that idea. My reasoning was that it might be surprising for users that a change in provider config doesn't show an update.
But you're right, that's probably only a very small subset of users (e.g. folks configuring static credentials).

FWIW The image resource just ignores changes to username&password as well without some flag.

}

// copyMapIgnoringKeys creates a shallow copy of the given map without the specified keys that should be ignored.
func copyMapIgnoringKeys(original map[string]interface{}, ignoreKeys map[string]bool) map[string]interface{} {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This makes it clear that we only care if a key is present.

Suggested change
func copyMapIgnoringKeys(original map[string]interface{}, ignoreKeys map[string]bool) map[string]interface{} {
func copyMapIgnoringKeys(original map[string]interface{}, ignoredKeys map[string]struct{}) map[string]interface{} {

Comment on lines +140 to +147
err := json.Unmarshal([]byte(olds["registryAuth"].StringValue()), &oldAuthData)
if err != nil {
return false, err
}
err = json.Unmarshal([]byte(news["registryAuth"].StringValue()), &newAuthData)
if err != nil {
return false, err
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ugh... IIRC I marked #986 as blocked on pulumi/pulumi#15032 because I really, really didn't want to propagate this pattern of ingesting provider config as JSON blobs.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh, I must've missed that PR when I had a look at the issue. Thanks for pointing me into that direction!

pulumi/pulumi#15032 definitely seems like the better approach here. With the yaml provider behaving differently then the others (TIL!) this would end up being quite messy with the serialized json..

Do we have plans for merging that in soon? We wanted to tackle pulumi/pulumi-awsx#1203 this iteration and that depends on not having this perma-diff. But it's not worth adding even more cruft just to get it out as soon as possible IMO

@flostadler flostadler closed this Dec 23, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Registry auth shows changes on every run
3 participants