Skip to content

Opaque secrets#3674

Merged
vigoo merged 15 commits into
mainfrom
opaque-secrets
Jun 29, 2026
Merged

Opaque secrets#3674
vigoo merged 15 commits into
mainfrom
opaque-secrets

Conversation

@vigoo

@vigoo vigoo commented Jun 28, 2026

Copy link
Copy Markdown
Contributor

Resolves #3529

@vigoo vigoo requested a review from a team June 28, 2026 07:35
@netlify

netlify Bot commented Jun 28, 2026

Copy link
Copy Markdown

Deploy Preview for golemcloud canceled.

Name Link
🔨 Latest commit ecf4a5f
🔍 Latest deploy log https://app.netlify.com/projects/golemcloud/deploys/6a42accf6e7df300085a226a

@github-actions

github-actions Bot commented Jun 28, 2026

Copy link
Copy Markdown

📖 Docs preview: https://docs-7ckcyiiso-golem-cloud.vercel.app

Built from commit ecf4a5f61a86b23c441e321f1749d17a1ef99d51 by docs.yaml.

Ok(None) => Err(SecretRevealError::VersionNotFound(
entry.pinned_revision.get(),
)),
Err(error) => Err(SecretRevealError::Internal(error.to_string())),

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it okay to persist here potentially transient errors? Can these be retried later?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it should be retried with the active retry policy and eventually fail permanently. let me check if this is the case.

Ok(results)
}

async fn get_revision(

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it intentional (probably yes), that this does not filter on deleted apps / envs (AFAIR we usually check those too)?
If yes, maybe it worth mentioning this, or check what naming pattern we use in similar cases where we allow seeing deleted entities.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes because we are not storing any secrets now in the oplog - so we have to be able to resolve arbitrary old ones during replay.

@@ -0,0 +1,68 @@
import fs from 'node:fs';

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why do we need patching? Is this a wasm-rquickjs missing things, or something else?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i have no idea what this is and definitely should not exist 😱

JOIN accounts a ON a.account_id = ap.account_id
JOIN agent_secret_revisions secr ON secr.agent_secret_id = sec.agent_secret_id AND secr.revision_id = $4
WHERE sec.environment_id = $1 AND sec.agent_secret_id = $2 AND sec.path = $3 AND secr.deleted = FALSE
AND ($5 OR (sec.deleted_at IS NULL AND e.deleted_at IS NULL AND ap.deleted_at IS NULL AND a.deleted_at IS NULL))

@noise64 noise64 Jun 29, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

in general we switched from this style to use two static selects, or a query builder, to avoid accidental planner complexities

@noise64 noise64 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

added minor comment on the sql fix, otherwise looks good

@vigoo vigoo enabled auto-merge (squash) June 29, 2026 17:43
@vigoo vigoo merged commit cc5c646 into main Jun 29, 2026
53 checks passed
@vigoo vigoo deleted the opaque-secrets branch June 29, 2026 18:02
@github-actions github-actions Bot locked and limited conversation to collaborators Jun 29, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

New secret host API with opaque secret transfer over RPC

2 participants