New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
DigitalOcean backend: fix authToken, add IPv6 support. #629
Conversation
Currently, the DigitalOcean backend ignores the `digitalOcean.authToken` config variable completely. Additionally, the DigitalOcean backend requires that the `DIGITAL_OCEAN_AUTH_TOKEN` environment variable is always set for any NixOps operation on a DigitalOcean target (`create`, `deploy`, etc.), because it does not persist the auth token value in the NixOps state database. This change modifies the DigitalOcean backend so that it treats auth tokens like the EC2 backend treats AWS access keys; namely: - Use the `digitalOcean.authToken` value, if specified in the deployment configuration. If both this value and the `DIGITAL_OCEAN_AUTH_TOKEN` environment variable are set, the backend prefers the `digitalOcean.authToken` value; this behavior is consistent with the EC2 backend and its preference of the `ec2.accessKeyId` value over the `AWS_ACCESS_KEY_ID` environment variable. - When a DigitalOcean droplet is created, if neither auth token value is set, the backend aises an exception, rather than attempting to create the droplet anyway and failing with an error from the DigitalOcean API. - Upon successful creation of a droplet, persist the DigitalOcean auth token used to create it in the NixOps state database. This happens regardless of whether the token was provided via the `digitalOcean.authToken` deployment configuration, or the `DIGITAL_OCEAN_AUTH_TOKEN` environment variable. Based on a review of the code in the EC2 backend, I believe this behavior is consistent with the EC2 backend, though I have not used the EC2 backend myself to verify this. - If the user does not set `digitalOcean.authToken` and uses the environment variable instead, the environment variable is only ever used to create the droplet; from that point on, NixOps will use the token value that was persisted in the NixOps state database. Again, based on a review of the code in the EC2 backend, I believe this behavior is consistent with the EC2 backend.
Could someone who uses the NixOps EC2 backend please confirm my belief that the EC2 backend persists AWS access keys to the NixOps database? I don't use it, myself, but unless I missed something in the EC2 code, I don't see how it could behave otherwise. |
Also, I want to go on record as saying that I don't think it's a very good idea to persist AWS access keys or DigitalOcean API tokens to the NixOps state database! But that's a decision for the NixOps team to make -- this change only intends to make the DigitalOcean backend behave like the EC2 one already does with respect to those keys/tokens. |
I've added support for IPv6 in a separate commit, but the diffs overlap, so I'll wait until the authToken fix is accepted before submitting the IPv6 enhancement. edit: ugh, looks like GitHub has automatically merged the IPv6 commit into the authToken commit. :\ |
I've edited the title of this PR to reflect that GitHub has merged the 2 commits. I'm happy to resubmit them one-by-one if that's preferable. |
cc @teh |
Thanks! I'm not 100% sure what to do here. ec2 stores the acces key but not the secret. And the DO token is both access key and secret rolled into one. I think I'd prefer to keep it out of the state file, but I also understand the argument for keeping it in. @dhess what's your use case for carrying around the DO auth token in the state file? |
As I mentioned above, I would prefer not to keep the token in the state file. I think it's a bad idea. But in this patch, I was only using the configuration mechanisms that NixOps supports out-of-the-box. Unless I'm missing something, once you set a property on a MachineState from the declarative configuration, it gets persisted to the state file. You make a good point about how AWS separates the authentication into separate ID and key pieces, and that NixOps doesn't persist the AWS key in the NixOps database. That is because the key never needs to be set in the NixOps declarative configuration, only the ID. Luckily Anyway, here is how I think the DigitalOcean backend should work: you set the Unfortunately, I did not see any examples of this behavior in the existing backends. There appears to be no way to set a backend property with Is there were a way to create a property that is always loaded from the declarative configuration and never stored in the database? If not, it would be useful for cases like this. |
At any rate, now that you've pointed out that the EC2 backend does not persist your EC2 secret to the state database, I think this patch is probably a bad idea and I am going to close it, unless someone objects. |
OK, I'm closing this PR. It's a bad idea. Better to wait for a proper fix than to dump DigitalOcean auth tokens into the NixOps state database. |
I can't see anything obvious but then I'm struggling a bit with nixops internals :/ Thanks for doing the work in any case! |
Currently, the DigitalOcean backend ignores the
digitalOcean.authToken
config variable completely.Additionally, the DigitalOcean backend requires that the
DIGITAL_OCEAN_AUTH_TOKEN
environment variable is always set for anyNixOps operation on a DigitalOcean target (
create
,deploy
, etc.),because it does not persist the auth token value in the NixOps state
database.
This change modifies the DigitalOcean backend so that it treats auth
tokens like the EC2 backend treats AWS access keys; namely:
Use the
digitalOcean.authToken
value, if specified in thedeployment configuration. If both this value and the
DIGITAL_OCEAN_AUTH_TOKEN
environment variable are set, the backendprefers the
digitalOcean.authToken
value; this behavior isconsistent with the EC2 backend and its preference of the
ec2.accessKeyId
value over theAWS_ACCESS_KEY_ID
environmentvariable.
When a DigitalOcean droplet is created, if neither auth token value
is set, the backend aises an exception, rather than attempting to
create the droplet anyway and failing with an error from the
DigitalOcean API.
Upon successful creation of a droplet, persist the DigitalOcean auth
token used to create it in the NixOps state database. This happens
regardless of whether the token was provided via the
digitalOcean.authToken
deployment configuration, or theDIGITAL_OCEAN_AUTH_TOKEN
environment variable. Based on a reviewof the code in the EC2 backend, I believe this behavior is
consistent with the EC2 backend, though I have not used the EC2
backend myself to verify this.
If the user does not set
digitalOcean.authToken
and uses theenvironment variable instead, the environment variable is only ever
used to create the droplet; from that point on, NixOps will use the
token value that was persisted in the NixOps state database. Again,
based on a review of the code in the EC2 backend, I believe this
behavior is consistent with the EC2 backend.