@fcatteau Yup I think that makes sense, thanks!
Verified on staging.
| Delete secret from table | Delete secret from details page |
|---|---|
We can close this issue as well. cc @fcatteau
@iamricecake Hm, so currently we show the list of secrets that needs rotation as a collapsible inside an alert message. I think if we paginated the list, we'd need a different UI for it. Might be a question for @jtouchstone1. cc @ahuss7
In the long run, we probably should paginate it though. I think the current UI for the secrets needing rotations list doesn't really lend itself for long lists.
@ahuss7 Generally we'd still have someone else do the maintainer review even if a maintainer did the initial review, unless the MR is small and trivial enough to merge straight away.
If the merge request is small and straightforward to review, you can skip the reviewer step and directly ask a maintainer.
In this case, I think it's good to have another maintainer to review the code
Thanks @ahuss7, great work!
For future implementations, I think we can split MRs like this into multiple smaller ones to make them easier for the reviewer to go through them, especially if they don't have context or are not familiar with this part of the codebase yet. For example, we can break this down to:
Though I completely understand we're trying to minimize merge conflicts and get this in for this milestone.
@shampton
This MR adds the secret rotation reminder UI for group secrets, including the status indicators showing when a secret is overdue or approaching rotation date, and the banner on the secrets page listing secrets that require attention. It extends the existing UI built for project secrets to now apply to group secrets as well. Much of the UI was already context agnostic so things like the secrets rotation alert banner did not need to be updated.
Main changes include:
groupSecretsNeedingRotation
rotationIntervalDays fieldrotationInfo
The frontend MR that introduces the ability to fetch group secret details: !222583
The backend MR that introduces the various resolvers needed for group secret rotation reminders: !225935
The MR that added the UI elements for project secret rotation reminders: !207183
The secret list page showing the warning banner and the status indicator on a specific secret:
Expanding the warning banner details shows the specific secrets with clickable link to its detail page:
The secret detail page showing the warning banner and the rotation field is rendered:
group_secrets_manager feature flag./path-to-group-or-project/secrets/new to create a secret, set the rotation value to the minimum 7 daysgdk rails console, then run the following:rotation_info = SecretsManagement::GroupSecretRotationInfo.find_by(secret_name: 'your-secret-name')
rotation_info.update(next_reminder_at: 3.days.from_now)Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Related to #577483
@fcatteau Alright, works for me! I'll close this issue then
Thanks @fcatteau. I just tested on staging but it looks like the changes aren't deployed there yet. I'll try again tomorrow morning and verify the changes. We can probably close both issues afterwards
@dpisek Great catch, thank you! I'll update this in my next MR.
@dpisek Thanks, I actually thought about refactoring this and creating a wrapper template as well. But we've been getting more user feedback from the Closed Beta as we get the (project) secrets manager tested, and there's a high possibility that we'll overhaul our UI in the future. So I postponed doing any refactoring for now until we've gathered more insight and decide on the final design changes.
@jrandazzo @fcatteau We're not showing the createdAt field yet on the frontend. We'll implement it next, so let's not close this issue yet until that's implemented.
@thomasrandolph Are you free to do the maintainer review for this MR?
Previously the UI for the secrets manager was not checking nor handling if OpenBao was having issues, meaning a user would be able to proceed with actions like trying to create a secret when failure was guaranteed. Likewise on the project/group settings page, a user would try to enable or disable the secrets manager by interacting with the toggle, but with an unhealthy OpenBao instance, it would cause the toggle to enter an indefinite loading state.
The solution proposed is to use a OpenBao health query to figure out if the instance is healthy, and if it is not healthy, then make the UI reflect that in the following ways:
On the secrets manager page,
On the project/group settings page,
Issue/design: #582363
There are 2 other MRs currently working around this area that may conflict !226431 and !222583
SECRETS MANAGER PAGE:
Before: showed generalized error message, action button to create secret is still present
After: more specific error messaging, action button hidden
SETTINGS PAGE:
Before: all actions available even though it would fail
if a user interacted with the toggle, it would get stuck in this infinite loading state
After: permissions table hidden, error message displayed, toggle disabled
secrets_manager and group_secrets_manager feature flags.gdk stop openbao to simulate a downed instanceEvaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Related to #582363
'SecretsManager|Rails failed to connect with OpenBao. Secrets are unavailable at this time. Please try again later.',Should this use a period? cc @marcel.amirault