Issue #3716 - NodeSecret: pattern and policy CLI checks node secret

Signed-off-by: Le Zhang <[email protected]>
open-horizon · Aug 16, 2023 · 2fbbfea · 2fbbfea
1 parent 8785933
commit 2fbbfea
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 6 deletions.
diff --git a/cli/exchange/business.go b/cli/exchange/business.go
@@ -526,6 +526,7 @@ func BusinessNewPolicy() {
 		`      "serviceOrgid": "",         /* ` + msgPrinter.Sprintf("The org of the service.") + ` */`,
 		`      "serviceUrl": "",           /* ` + msgPrinter.Sprintf("The name of the service.") + ` */`,
 		`      "serviceVersionRange": "",  /* ` + msgPrinter.Sprintf("The service version range.") + ` */`,
+		`	   "enableNodeLevelSecrets": false,	/*` + msgPrinter.Sprint("Boolean value to indicate if the secrets are node level secrets.") + ` */`,
 		`      "secrets": [                /* ` + msgPrinter.Sprintf("The secret bindings.") + ` */`,
 		`        {      `,
 		`          "<service-secret-name>": "<secret-provider-secret-name>"  /* ` + msgPrinter.Sprintf("The valid formats for secret provider secret names are:") + ` */`,

diff --git a/compcheck/secretbinding_check.go b/compcheck/secretbinding_check.go
@@ -728,7 +728,11 @@ func VerifyVaultSecrets(secretBinding []exchangecommon.SecretBinding, nodeOrg st
 			if exists, err := VerifySingleVaultSecret(vaultSecretName, nodeOrg, agbotURL, vaultSecretExists, msgPrinter); err != nil {
 				ret[vaultSecretName] = err.Error()
 			} else if !exists {
-				ret[vaultSecretName] = msgPrinter.Sprintf("Secret %v does not exist in the secret manager.", vaultSecretName)
+				msg := msgPrinter.Sprintf("Secret %v does not exist in the secret manager.", vaultSecretName)
+				if sn.EnableNodeLevelSecrets {
+					msg = msgPrinter.Sprintf("Secret %v does not exist in the secret manager for neither org level or user level.", vaultSecretName)
+				}
+				ret[vaultSecretName] = msg
 			}
 		}
 	}

diff --git a/exchangecommon/secret.go b/exchangecommon/secret.go
@@ -43,11 +43,12 @@ func (w BoundSecret) IsSame(other BoundSecret) bool {
 
 // The secret binding that maps service secret names to secret manager secret names
 type SecretBinding struct {
-	ServiceOrgid        string        `json:"serviceOrgid"`
-	ServiceUrl          string        `json:"serviceUrl"`
-	ServiceArch         string        `json:"serviceArch,omitempty"`         // empty string means it applies to all arches
-	ServiceVersionRange string        `json:"serviceVersionRange,omitempty"` // version range such as [0.0.0,INFINITY). empty string means it applies to all versions
-	Secrets             []BoundSecret `json:"secrets"`                       // maps a service secret name to a secret manager secret name
+	ServiceOrgid           string        `json:"serviceOrgid"`
+	ServiceUrl             string        `json:"serviceUrl"`
+	ServiceArch            string        `json:"serviceArch,omitempty"`         // empty string means it applies to all arches
+	ServiceVersionRange    string        `json:"serviceVersionRange,omitempty"` // version range such as [0.0.0,INFINITY). empty string means it applies to all versions
+	EnableNodeLevelSecrets bool          `json:"enableNodeLevelSecrets"`        // to indicate if the secrets are node level secrets
+	Secrets                []BoundSecret `json:"secrets"`                       // maps a service secret name to a secret manager secret name
 }
 
 func (w SecretBinding) String() string {
@@ -89,6 +90,10 @@ func (w SecretBinding) IsSame(other SecretBinding) bool {
 	if w.ServiceArch != "" && other.ServiceArch != "" && w.ServiceArch != other.ServiceArch {
 		return false
 	}
+
+	if w.EnableNodeLevelSecrets != other.EnableNodeLevelSecrets {
+		return false
+	}
 	return SecretArrayIsSame(w.Secrets, other.Secrets)
 }