feat: Changes to support external credentials in envgene #1375
Open
tesmarishy wants to merge 1 commit into
miyamuraga
reviewed
May 25, 2026
| ) | ||
| return sort_data | ||
|
|
||
| def validateSchema(yaml_data, schema_path): |
Collaborator
we already have https://github.com/tesmarishy/qubership-envgene/blob/1272b27df2c78f865d17bd5f987e13301640a856/python/envgene/envgenehelper/yaml_helper.py#L406. no need to produce identical methods
miyamuraga
reviewed
May 25, 2026
| schema_data = json.load(f) | ||
| logger.debug(f'Checking yaml with schema: {schema_path}') | ||
| jsonschema.validate(yaml_data, schema_data) | ||
| schema_data = validateSchema(yaml_data, schema_path) |
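Review bot: on the last line the return value of `validateSchema` is bound to `schema_data`, so the helper has to both validate and hand back the loaded schema; if it returns nothing, `schema_data` becomes None here. Suggest calling the validator for its effect only, without the assignment, and loading the schema separately if later code still needs `schema_data`.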
Collaborator
schema validation should remain a separate method and not be encapsulated in sorting or something else
miyamuraga
reviewed
May 25, 2026
|
|
||
| def build_env(env_name, env_instances_dir, parameters_dir, env_template_dir, resource_profiles_dir, | ||
| env_specific_resource_profile_map, all_instances_dir, render_context, templates_dirs=None): | ||
| env_specific_resource_profile_map, all_instances_dir, render_context, templates_dirs=None, isExternalCredEnv=False): |
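Review bot: `isExternalCredEnv=False` at the end of the `build_env` signature is a tenth positional-or-keyword parameter and a boolean mode switch, so a caller that passes arguments positionally can set it by accident. Suggest making it keyword-only (a bare `*` before it) and documenting what an external credential environment changes in the build.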
Collaborator
pls no some camel case in python
miyamuraga
reviewed
May 25, 2026
| if cred_map.get("$type") != "credRef": | ||
| return None | ||
| cred_id = cred_map.get("credId") | ||
| if not cred_id or not str(cred_id).strip(): |
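Review bot: the `$type` check on the first line returns None for anything other than the exact string "credRef", so a mapping that carries `credId` with a misspelled or missing `$type` is indistinguishable from a value that is not a credential reference at all. Suggest logging or raising when `credId` is present but `$type` does not match, so that a typo is reported rather than skipped.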
Collaborator
why cast to string? it may be worth failing if what is passed is not of the correct str type (int)
Pull Request
Summary
Provide a concise description of what this pull request does and why it is needed.
Changes in EnvGene to support management of Credentials that reside in external secret stores.
Issue
Link to the issue(s) this PR addresses (e.g., Fixes #123 or Closes #456). If no issue exists, explain why this change is necessary.
No GitHub issue.
EnvGene cannot be used in projects where policy prohibits storing secrets in Git, even in encrypted form.
It is necessary to extend EnvGene to support management of Credentials that reside in external secret stores.
Breaking Change?
No
If yes, describe the breaking change and its impact (e.g., API changes, behavior changes, or required updates for users).
Scope / Project
Specify the component, module, or project area affected by this change (e.g., docs, actions, workflows).
Env builder job.
Implementation Notes
Provide details on how the change was implemented, including any technical considerations, trade-offs, or notable design decisions. Leave blank if not applicable.
1. If the external_credential_template field is present in the environment template file, load the referenced template, render it, and mark the environment as an External Credential Environment (render_config_env.py).
2. In cloud_passport.py, give precedence to the SECRET_FLOW parameter from cloud.yml over the value defined in the cloud passport.
3. Existing logic extracts credential IDs from patterns such as ${creds.get("app-sidecar-token").} for MaaS, DBaaS, Consul, and similar credentials. Enhance the logic to additionally support the following structure:
     $type: "credRef"
     credId: "app-dbaas-cred"
     property: "username"
   Extract credId from this structure. If this format is not present, fall back to the existing macro-based extraction logic (cloud_passport.py).
4. While processing credentials from entities, if an environment is identified as an external-only environment (based on point 1), collect and validate (create_credentials.py):
   - Credential IDs referenced from MaaS, DBaaS, Consul, etc.
   - Parameters using the credRef structure
5. Validate the final credentials.yml to ensure no mixed credential types are present.
Tests / Evidence
Describe how the changes were verified, including:
Testing is done in Instance pipeline.
Additional Notes
Include any extra information, such as:
Leave blank if not applicable.
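The credRef extraction with macro fallback described in the implementation notes, as an added example that is not the PR's code. `extract_cred_ids`, `collect_cred_ids` and `CredRefError` are hypothetical names, the sample is constructed, and the example assumes a stricter policy than a silent fallback: a non-string `credId` or a `credId` without the exact `$type` is rejected.

```python
import re

# Macro form quoted in the PR description: ${creds.get("<id>").<property>}
MACRO_RE = re.compile(r'\$\{\s*creds\.get\(\s*"([^"]+)"\s*\)\.[^}]*\}')


class CredRefError(ValueError):
    """A value looks like a credential reference but is malformed."""


def extract_cred_ids(value):
    """Return credential IDs referenced by one value (credRef first, then macro)."""
    if isinstance(value, dict):
        ref_type = value.get("$type")
        if ref_type != "credRef":
            # Stricter than a silent fallback (assumption of this example):
            # credId without the exact $type is treated as a typo.
            if "credId" in value:
                raise CredRefError(f"credId present but $type is {ref_type!r}")
            return []
        cred_id = value.get("credId")
        # No str() coercion: an int, list or None credId is rejected outright.
        if not isinstance(cred_id, str) or not cred_id.strip():
            raise CredRefError(f"credId must be a non-empty string, got {cred_id!r}")
        return [cred_id]
    if isinstance(value, str):
        return MACRO_RE.findall(value)
    return []


def collect_cred_ids(params):
    """Walk nested parameters and collect every referenced credential ID."""
    found, stack = set(), [params]
    while stack:
        node = stack.pop()
        ids = extract_cred_ids(node)
        found.update(ids)
        if isinstance(node, dict) and not ids:
            stack.extend(node.values())  # plain mapping: keep descending
        elif isinstance(node, list):
            stack.extend(node)
    return found


# Constructed sample parameters (not taken from the project).
SAMPLE = {
    "DB_USER": {"$type": "credRef", "credId": "app-dbaas-cred", "property": "username"},
    "SIDECAR": ['${creds.get("app-sidecar-token").}', "plain-value"],
}
```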