feat: worker dynamic secret/resource resolution for resource association#107
Closed
pyramation wants to merge 3 commits into
Closed
feat: worker dynamic secret/resource resolution for resource association#107pyramation wants to merge 3 commits into
pyramation wants to merge 3 commits into
Conversation
- Add SecretsLoader to @constructive-io/module-loader that queries config_secrets_module from metaschema and resolves secrets by name within a namespace scope (TTL-cached, multi-database aware) - Extend FunctionContext with namespace, buckets, and apis fields for resource association (secrets go into env, not a new field) - Add resolveAndInjectSecrets to ComputeWorker (compute-worker): reads required_secrets/required_configs from the function definition, resolves values from DB, injects into process.env before dispatch - Add secret resolution to legacy Worker (job/worker) for backward compatibility with the new secret resolution flow - Create stub function handlers: - namespace-provision: validates namespace_name, inserts created event - function-provision: validates service_url, checks required secrets - function-sync-resources: resolves all declared resources, logs warnings Ref: constructive-io/constructive-planning#1062
🤖 Devin AI EngineerI'll be helping with this pull request! Here's what you should know: ✅ I will automatically:
Note: I can only respond to comments from users who have write access to this repository. ⚙️ Control Options:
|
…date-only - Remove fake InsertNamespaceEvent mutation from namespace-provision - Simplify all three stubs to validate + log + return (no DB calls) - Change ComputeWorker from resolveAndInjectSecrets → validateSecrets: checks existence only, does not inject into process.env - Remove unused SecretsLoader from legacy worker (no function defs)
…lution - Use metaschema.schema_and_table() for correct schema/table name resolution - Replace fabricated secrets_table_name/decrypted_value with real columns - Add two-step namespace resolution: name → UUID via namespace_module - Query secrets by namespace_id (UUID FK), not namespace_name (doesn't exist) - Decrypt secrets via pgp_sym_decrypt(value, key_id::text) - Add namespace_name to PlatformFunctionDefinition type and discovery COLUMNS - Use fn.namespace_name instead of fn.namespace_id in validateSecrets
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds runtime support for dynamic secret and resource resolution in the compute worker, enabling functions to declare
required_secrets/required_configsin their definitions and have them validated from the DB at dispatch time.Core changes:
SecretsLoader(packages/module-loader/src/secrets-loader.ts) — new domain loader that queriesmetaschema_modules_public.config_secrets_moduleto discover the secrets table, then resolves secrets by name + namespace. TTL-cached, multi-database aware, follows the same pattern asBillingLoader/ComputeModuleLoader.ComputeWorker.validateSecrets()— called indoWork()after function discovery but before dispatch. Checks that declaredrequired_secrets/required_configsexist in the config_secrets_module; logs warnings for missing entries. Does not inject intoprocess.env— actual secret delivery to Knative services is handled by the provisioning pipeline via K8s secrets.FunctionContextextended with optionalnamespace,buckets,apisfields for future resource association phases. Secrets continue to flow viacontext.env(populated by Knative env vars, not worker injection).Three stub function handlers for the provisioning pipeline (validate + log only, no DB calls):
namespace-provision— validatesnamespace_nameformatfunction-provision— validates function_id, logs service_url and secret countfunction-sync-resources— validates resource declarations, logs summaryRef: constructive-io/constructive-planning#1062
Link to Devin session: https://app.devin.ai/sessions/815b2f2fc57441b0ae3430add6e90a70
Requested by: @pyramation