Part of https://github.com/gocd/gocd/issues/5830
Provide API to support secrets_config CRUD operations.
| Attribute | Type | Description |
|:---|:---:|:---|
| id | String | The identifier of the secret config. |
| pluginId | String | The plugin identifier of the secret config. |
| description | String | Optional description for the secret config. |
| rules | Array[Rule] | Optional rules for the secret config. |
| properties | Array[ConfigProperty] | The list of configuration properties that represent the configuration of a secret config. |

| Attribute | Type | Description |
|:---|:---:|:---|
| allow | Array[Directive] | Optional allow directives for the secret config. |
| deny | Array[Directive] | Optional deny directives for the secret config. |

Directive defines where secret_params associated with a secret_config can be accessed.

| Attribute | Type | Description |
|:---|:---:|:---|
| action | String | Action for the rule. |
| type | String | Type of the resource e.g. PipelineGroup |
| resource | String | Resource identifier |

| Attribute | Type | Description |
|:---|:---:|:---|
| key | String | The name of the property key. |
| value | String | The value of the property. You MUST specify one of value or encrypted_value. |
| encrypted_value | String | The encrypted value of the property. You MUST specify one of value or encrypted_value. |

Get ALL Secret Config
GET /go/api/secret_configs
Response
```json
{
  "_links": {
    "self": {
      "href": "https://ci.example.com/go/api/secret_configs"
    },
    "doc": {
      "href": "https://api.gocd.org/#secret-configs"
    },
    "find": {
      "href": "https://ci.example.com/go/api/secret_configs/:config_id"
    }
  },
  "_embedded": {
    "secret_configs": [
      {
        "_links": {
          "self": {
            "href": "https://ci.example.com/go/api/secret_configs/unit-tests"
          },
          "doc": {
            "href": "https://api.gocd.org/#secret-configs"
          },
          "find": {
            "href": "https://ci.example.com/go/api/secret_configs/:config_id"
          }
        },
        "id": "unit-tests",
        "plugin_id": "cd.go.secrets.file-based-plugin",
        "properties": [
          {
            "key": "secrets-file-path",
            "value": "/home/temp/secrets.dat"
          },
          {
            "key": "cipher-key-path",
            "value": "/home/temp/secret-key.aes"
          },
          {
            "key": "password",
            "encrypted_value": "/home/temp/secret-key.aes"
          }
        ],
        "rules": [
          {
            "directive": "allow",
            "action": "refer",
            "type": "PipelineGroup",
            "resource": "DeployPipelines"
          },
          {
            "directive": "deny",
            "action": "refer",
            "type": "PipelineGroup",
            "resource": "TestPipelines"
          }
        ]
      }
    ]
  }
}
```
Get a secret config
GET /go/api/secret_configs/:config_id
Response
```json
{
  "_links": {
    "self": {
      "href": "https://ci.example.com/go/api/secret_configs/unit-tests"
    },
    "doc": {
      "href": "https://api.gocd.org/#secret-configs"
    },
    "find": {
      "href": "https://ci.example.com/go/api/secret_configs/:config_id"
    }
  },
  "id": "unit-tests",
  "plugin_id": "cd.go.secrets.file-based-plugin",
  "properties": [
    {
      "key": "secrets-file-path",
      "value": "/home/temp/secrets.dat"
    },
    {
      "key": "cipher-key-path",
      "value": "/home/temp/secret-key.aes"
    }
  ],
  "rules": [
    {
      "directive": "allow",
      "action": "refer",
      "type": "PipelineGroup",
      "resource": "DeployPipelines"
    },
    {
      "directive": "deny",
      "action": "refer",
      "type": "PipelineGroup",
      "resource": "TestPipelines"
    }
  ]
}
```
Create secrets_config
POST /go/api/secret_configs
Request body
```json
{
  "id": "secrets_id",
  "description": "This is used to lookup for secrets for the team X.",
  "plugin_id": "cd.go.secrets.file-based-plugin",
  "properties": [
    {
      "key": "secrets_file_path",
      "value": "/home/secret/secret.dat"
    },
    {
      "key": "cipher_file_path",
      "value": "/home/secret/secret-key.aes"
    },
    {
      "key": "secret_password",
      "encrypted_value": "0a3ecba2e196f73d07b361398cc9d08b"
    }
    ...
  ],
  "rules": [
    {
      "directive": "allow",
      "action": "refer",
      "type": "PipelineGroup",
      "resource": "DeployPipelines"
    },
    {
      "directive": "deny",
      "action": "refer",
      "type": "PipelineGroup",
      "resource": "TestPipelines"
    }
  ]
}
```
Response: Created Secret Config
```json
{
  "_links": {
    "self": {
      "href": "https://ci.example.com/go/api/secret_configs/unit-tests"
    },
    "doc": {
      "href": "https://api.gocd.org/#secret-configs"
    },
    "find": {
      "href": "https://ci.example.com/go/api/secret_configs/:config_id"
    }
  },
  "id": "unit-tests",
  "plugin_id": "cd.go.secrets.file-based-plugin",
  "properties": [
    {
      "key": "secrets-file-path",
      "value": "/home/temp/secrets.dat"
    },
    {
      "key": "cipher-key-path",
      "value": "/home/temp/secret-key.aes"
    }
  ],
  "rules": [
    {
      "directive": "allow",
      "action": "refer",
      "type": "PipelineGroup",
      "resource": "DeployPipelines"
    },
    {
      "directive": "deny",
      "action": "refer",
      "type": "PipelineGroup",
      "resource": "TestPipelines"
    }
  ]
}
```
Update a secret config
PUT /go/api/secret_configs/:config_id
Request body
```json
{
  "plugin_id": "cd.go.secrets.file-based-plugin",
  "properties": [
    {
      "key": "secrets_file_path",
      "value": "/home/secret/updated-secret.dat"
    },
    {
      "key": "cipher_file_path",
      "value": "/home/secret/updated-secret-key.aes"
    }
  ]
}
```
Response: Updated Secret Config
```json
{
  "_links": {
    "self": {
      "href": "https://ci.example.com/go/api/secret_configs/unit-tests"
    },
    "doc": {
      "href": "https://api.gocd.org/#secret-configs"
    },
    "find": {
      "href": "https://ci.example.com/go/api/secret_configs/:config_id"
    }
  },
  "id": "unit-tests",
  "plugin_id": "cd.go.secrets.file-based-plugin",
  "properties": [
    {
      "key": "secrets_file_path",
      "value": "/home/secret/updated-secret.dat"
    },
    {
      "key": "cipher_file_path",
      "value": "/home/secret/updated-secret-key.aes"
    }
  ]
}
```
Delete a secret config
DELETE /go/api/secret_configs/:config_id
Response
```json
{
  "message": "secret config 'unit-test' was deleted successfully."
}
```
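
An added example, not part of the original issue or GoCD's own code: a client-side lint for a secret config request body that checks the constraints stated in the attribute tables above before the body is sent to `POST` or `PUT`. The helper name, error strings and sample payload are constructed for illustration, and "one of value or encrypted_value" is read as exactly one.

```python
PROPERTY_KEYS = {"key", "value", "encrypted_value"}

def lint_secret_config(body, require_id=True):
    """Return a list of problems in a secret config request body (hypothetical helper)."""
    errors = []
    # PUT carries the id in the URL, so callers pass require_id=False for updates.
    for field in (("id", "plugin_id") if require_id else ("plugin_id",)):
        if not isinstance(body.get(field), str) or not body[field]:
            errors.append(f"{field}: required non-empty string")
    for i, prop in enumerate(body.get("properties", [])):
        where = f"properties[{i}]"
        unknown = sorted(set(prop) - PROPERTY_KEYS)
        if unknown:  # catches misspellings such as "encypted_value"
            errors.append(f"{where}: unknown attribute(s) {unknown}")
        if not prop.get("key"):
            errors.append(f"{where}: missing key")
        # "You MUST specify one of value or encrypted_value", read as exactly one.
        if ("value" in prop) == ("encrypted_value" in prop):
            errors.append(f"{where}: need exactly one of value/encrypted_value")
    rules = body.get("rules", [])
    if isinstance(rules, dict):  # the earlier nested allow/deny proposal
        errors.append("rules: expected a flat list of rules with a 'directive'")
        rules = []
    for i, rule in enumerate(rules):
        where = f"rules[{i}]"
        if rule.get("directive") not in ("allow", "deny"):
            errors.append(f"{where}: directive must be 'allow' or 'deny'")
        for attr in ("action", "type", "resource"):
            if not isinstance(rule.get(attr), str) or not rule[attr]:
                errors.append(f"{where}: missing {attr}")
    return errors

# Constructed sample payload with three deliberate mistakes.
SAMPLE = {
    "id": "secrets_id",
    "plugin_id": "cd.go.secrets.file-based-plugin",
    "properties": [
        {"key": "secrets_file_path", "value": "/home/secret/secret.dat"},
        {"key": "secret_password", "encypted_value": "constructed-ciphertext"},
        {"key": "cipher_file_path", "value": "a", "encrypted_value": "b"},
    ],
    "rules": [
        {"directive": "allow", "action": "refer", "type": "PipelineGroup", "resource": "DeployPipelines"},
        {"directive": "permit", "action": "refer", "type": "PipelineGroup", "resource": "TestPipelines"},
    ],
}

if __name__ == "__main__":
    for problem in lint_secret_config(SAMPLE):
        print(problem)
```

A misspelled `encrypted_value` key is reported twice, once as an unknown attribute and once because the property then carries neither `value` nor `encrypted_value`.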
@vishaldevgire - Rules JSON structure seems confusing
Proposed in above comment
```json
{
  ...
  "rules": {
    "allow": [
      {
        "action": "refer",
        "type": "PipelineGroup",
        "resource": "DeployPipelines"
      }
    ],
    "deny": [
      {
        "action": "refer",
        "type": "PipelineGroup",
        "resource": "TestPipelines"
      }
    ]
  }
}
```
It looks like there are only two rules `allow` and `deny` and both the rules are having multiple configurations in it.
@vishaldevgire - WDYT about following json response -
```json
{
  ...
  "rules": [
    {
      "directive": "allow",
      "action": "refer",
      "type": "PipelineGroup",
      "resource": "DeployPipelines"
    },
    {
      "directive": "deny",
      "action": "refer",
      "type": "PipelineGroup",
      "resource": "TestPipelines"
    }
  ]
}
```
/cc @maheshp @gocd/committers
We have changed the JSON for rules to what you suggested.
@vishaldevgire - Please can you update it in https://github.com/gocd/gocd/issues/5835#issue-409119752.
Verified on 19.6.0 (9478-5f827efbc8001e16417fe13503f5e240d7ed060d)