[Phase 2] Complete the provider configuration setup #2090
Conversation
…tion (#2097) make updates to all auth logins and fix build run go mod tidy register all auth logins to test build add all auth login blocks and match schema implementations set default for azure scope address todos - remove commented code; neither are read from env vars - add validators
fairclothjm
force-pushed
the
VAULT-21288/auth-login-fwprovider
branch
from
3799f9a to
fe6136b
Compare
There was a problem hiding this comment.
Left some very minor suggestions and questions. Overall this is looking good!
I do wonder if there is a clean way to define the schema attributes of the various auth login methods in a single location instead of having them duplicated for both sdkv2/fw providers. That said, it might not be worth it if the change frequency is low for them. We can document that changes must match in each provider.
fairclothjm
force-pushed
the
VAULT-21288/auth-login-fwprovider
branch
from
70ea03b to
9f607e2
Compare
|
@austingebauer Thanks for the review!
I think we could do that if we wrote a wrapper to convert to either sdkv2 or Framework but I am not convinced that it would be worth it. I do think the change frequency is pretty low. I am happy to discuss more if you like. Also, I am working on adding tests to assert the multiplexing schemas match. |
|
@fairclothjm - Thanks! I'm good with having the fields defined in both places provided the test can make developers aware of diffs. If it becomes a pain, we can write that conversion code at a later date 👍 |
| Required: true, | ||
| DefaultFunc: schema.EnvDefaultFunc(consts.EnvVarTokenFilename, nil), | ||
| Type: schema.TypeString, | ||
| Optional: true, |
There was a problem hiding this comment.
Pretty sure this is still required.
There was a problem hiding this comment.
Yes, you are correct. I tested it and the behavior is the same whether we set this to Optional or Required because we assert the required fields in checkRequiredFields. I do think it makes it confusing to not set it as required here though, so I will revert these Schema changes for any required Auth Login fields.
There was a problem hiding this comment.
Correction to the above which is not entirely true. For fields that we previously set from a DefaultFunc and env vars we cannot set them as Required anymore. This is because we are handling setting them from env vars after the Provider has verified all required fields are set. So, for example, if we set this field to Required we would get a Error: Missing required argument error.
There was a problem hiding this comment.
I will add test cases to capture this behavior for the fields that are set via env vars.
| @@ -0,0 +1,39 @@ | |||
| package client | |||
There was a problem hiding this comment.
This code looks pretty similar to what we have in the internal/provider package, would it be possible to colocate it there?
There was a problem hiding this comment.
Yes, we could move it there. Initially it was doing more things that included Framework only types so I created a separate package. However, this is only intended for resources implemented with the TF Plugin Framework so I kept it in the internal/framework package for that reason. I thought it would be good to have a package that contains framework-only client helpers. I don't feel too strongly about it either way though.
| @@ -142,6 +144,18 @@ func (p *fwprovider) Schema(ctx context.Context, req provider.SchemaRequest, res | |||
| }, | |||
| }, | |||
| }, | |||
| "auth_login": AuthLoginGenericSchema(), | |||
There was a problem hiding this comment.
Is there a reason we can't use the auth login registry as before? That solved some issues where not all expected AuthLogin were properly set.
There was a problem hiding this comment.
Good question, we might need to use that. I will look into it. Thanks!
There was a problem hiding this comment.
I took a closer look at this again.
These lines define the schema for the Framework Provider (which must match 1-1 with the sdkv2 Provider). The auth login registry is still being used by the Framework Provider. The entrypoint for the auth login registry is in setClient:
As such, there should be no behavior change for the Framework Provider since we are sharing the auth login code with the sdkv2 provider. Please let me know if you need more clarification!
fairclothjm
changed the title
There was a problem hiding this comment.
Left a few minor comments but generally LGTM. Nice job on this @fairclothjm!
| // TestAccMuxServer uses ExternalProviders (vault) to generate a state file | ||
| // with a previous version of the provider and then verify that there are no | ||
| // planned changes after migrating to the Framework. |
| @@ -0,0 +1,61 @@ | |||
| package fwprovider | |||
There was a problem hiding this comment.
nit: sorry I forgot to add the copywrite headers for these! Definitely can let the copywrite bot take care of these before we merge to main, but just wanted to add a comment here to keep track. not a blocker
| @@ -671,12 +673,32 @@ func TestNewProviderMeta(t *testing.T) { | |||
| }, | |||
| }, | |||
| }, | |||
| env: map[string]string{ | |||
There was a problem hiding this comment.
nit: I confirmed this with commenting out the env in this test and the test passes so we're definitely good here, but curious if it's worth it to add a test case for the default behavior where no env is passed
There was a problem hiding this comment.
I think we are testing that in several test cases above this one
…mplementation (#2067) * implement the framework provider * setup provider server factory * setup framework provider schema * handle defaults in configure * [Phase 2] Complete the provider configuration setup (#2090) * setup framework provider schema * handle defaults in configure * WIP: handle auth login methods * [Phase 2] Include Auth Login blocks in multiplexed Provider configuration (#2097) make updates to all auth logins and fix build run go mod tidy register all auth logins to test build add all auth login blocks and match schema implementations set default for azure scope address todos - remove commented code; neither are read from env vars - add validators * remove set_namespace_from_token field * add custom path validator * configure namespace for vault client * review comments * add muxed provider acc tests * use consts, set required fields and update tests * add tests for multi envs and fix bug * fix bug with overriding config val * add custom URI validator for OIDC auth * fix a few default mount types * add comments and migration state example acc test * remove dupe default entries; add validators * remove client_auth docs * add kerbos token and file path validators * don't use double pointer and remove redundant return --------- Co-authored-by: vinay-gopalan <86625824+vinay-gopalan@users.noreply.github.com> --------- Co-authored-by: vinay-gopalan <86625824+vinay-gopalan@users.noreply.github.com>
Description
Complete the provider configuration setup for the auth login methods.
This PR
Phase 2
internal/provider/auth.gofile to handle defaults and required fields since those can no longer be set on the Provider SchemasetDefaultFieldsmethodPrevious Phases
Phase 0
Phase 1
Subsequent Phases
Phase 3