IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-02-25 18:55:37 -06:00
Code Issues Packages Projects Releases Wiki Activity

Encryption: Add support to run secrets migrations even when EE is disabled (#51705)

Browse Source 
* Encryption: Move secrets migrations into secrets.Migrator

* Encryption: Refactor secrets.Service initialization

* Encryption: Add support to run secrets migrations even when EE is disabled

* Init EE providers on-demand (only when needed)

* Add multiple tests + some adjustments

* Apply feedback
This commit is contained in:
Joan López de la Franca Beltran
2022-07-15 18:33:34 +02:00
committed by GitHub
parent a7509ba18b
commit 7b40322bbe
5 changed files with 139 additions and 55 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
pkg/services/secrets/migrator/migrator.go
View File

@@ -7,6 +7,7 @@ import (
"github.com/grafana/grafana/pkg/infra/log"
"github.com/grafana/grafana/pkg/services/encryption"
"github.com/grafana/grafana/pkg/services/featuremgmt"
"github.com/grafana/grafana/pkg/services/secrets/manager"
"github.com/grafana/grafana/pkg/services/sqlstore"
"github.com/grafana/grafana/pkg/setting"
@@ -17,6 +18,7 @@ type SecretsMigrator struct {
secretsSrv *manager.SecretsService
sqlStore *sqlstore.SQLStore
settings setting.Provider
features featuremgmt.FeatureToggles
}
func ProvideSecretsMigrator(
@@ -24,16 +26,23 @@ func ProvideSecretsMigrator(
service *manager.SecretsService,
sqlStore *sqlstore.SQLStore,
settings setting.Provider,
features featuremgmt.FeatureToggles,
) *SecretsMigrator {
return &SecretsMigrator{
encryptionSrv: encryptionSrv,
secretsSrv: service,
sqlStore: sqlStore,
settings: settings,
features: features,
}
}
func (m *SecretsMigrator) ReEncryptSecrets(ctx context.Context) error {
err := m.initProvidersIfNeeded()
if err != nil {
return err
}
toReencrypt := []interface {
reencrypt(context.Context, *manager.SecretsService, *sqlstore.SQLStore)
}{
@@ -54,7 +63,25 @@ func (m *SecretsMigrator) ReEncryptSecrets(ctx context.Context) error {
return nil
}
func (m *SecretsMigrator) initProvidersIfNeeded() error {
if m.features.IsEnabled(featuremgmt.FlagDisableEnvelopeEncryption) {
logger.Info("Envelope encryption is not enabled but trying to init providers anyway...")
if err := m.secretsSrv.InitProviders(); err != nil {
logger.Error("Envelope encryption providers initialization failed", "error", err)
return err
}
}
return nil
}
func (m *SecretsMigrator) RollBackSecrets(ctx context.Context) error {
err := m.initProvidersIfNeeded()
if err != nil {
return err
}
toRollback := []interface {
rollback(context.Context, *manager.SecretsService, encryption.Internal, *sqlstore.SQLStore, string) bool
}{