feat: secrets management admin UI #105953

Closed

@w1kman w1kman commented May 23, 2025

What is this feature?

UI for secrets management (see PR#97837)

Note: Client-side validation of form values (based on SecureValue spec)

Why do we need this feature?

For users to be able to create, read, update, and delete secrets.

Who is this feature for?

Currently, admin users only

Special notes for your reviewer:

To test, you can `make run` on this branch, with `custom.ini` settings:

```ini
app_mode = development

[feature_toggles]
grafanaAPIServerWithExperimentalAPIs = true
grafanaAPIServerEnsureKubectlAccess = true
secretsManagementAppPlatform = true
```

Considerations for further development:

  • Make use of createdBy/modifiedBy (user id) (e.g. hardlink to users/edit/<uid>)
  • Consider splitting up RegExp validation to be able to be more specific with error messages
  • Polling interval for pending secrets should probably have an incremental delay (currently 500ms, which is fine as long as we are on a happy path).
  • Investigate pagination of list API

Please check that:

  • It works as expected from a user's perspective.
  • If this is a pre-GA feature, it is behind a feature toggle.
  • The docs are updated, and if this is a notable improvement, it's added to our What's New doc.

w1kman and others added 30 commits February 11, 2025 21:02
Simple implementation (WIP) of UI with in-memory stubs.
…gement-admin-ui

# Conflicts:
#	public/app/core/reducers/root.ts
API currently doesn't report back with a pending/progress state while a secret is being provisioned.
…gement-admin-ui

# Conflicts:
#	public/app/core/reducers/root.ts
`audiences` => `decrypters`
- Also removed the possibility to enter custom values.
…ui' into w1kman/secrets-management-admin-ui

# Conflicts:
#	public/app/features/secrets-management/components/SecretForm.tsx
#	public/app/features/secrets-management/constants.ts
- invalid import (`@grafana/ui/`)
- "missing" `Prop` export from `@grafana/ui/Input`
- update `fill` for delete button in `SecretItem`
- turn off autocomplete for secret value
- add /admin/secrets to `api.go`
- add/update translations
- replace secret value input with textarea
- `SecretValueInput.tsx`
- `SecretsSearchEmptyState.tsx`
- `SecretList.tsx`
- `SecretsEmptyState.tsx`
- `SecretItem.tsx`
@w1kman w1kman requested review from a team and grafanabot as code owners June 9, 2025 14:17
@w1kman w1kman requested review from aocenas and Clarity-89 and removed request for a team June 9, 2025 14:17
@w1kman w1kman marked this pull request as draft June 11, 2025 09:33
w1kman commented Jun 11, 2025

I'd missed the betterer step - converting to draft while fixing.

@w1kman w1kman left a comment

self-review attempt no.2 ✅

@w1kman w1kman marked this pull request as ready for review June 11, 2025 11:00
danielkenlee commented Jun 18, 2025

Hi @w1kman - I checked out the branch w1kman/secrets-management-admin-ui and created a couple of secrets. I noticed it changed the name after clicking create. Have you encountered this before?

w1kman commented Jun 18, 2025

> the name after clicking create. Have you encountered this before?

Yeah, if the name is empty, the backend will assign a random name. I will take a look.

@w1kman w1kman requested a review from a team as a code owner June 18, 2025 15:56
w1kman commented Jun 18, 2025

> I noticed it changed the name after clicking create. Have you encountered this before?

I've pushed a fix for the random name, as well as an update on handling secret updates and translation dependencies.

@danielkenlee

Hi Thomas, I've completed testing on all the functionality of the page. This has been documented here: Grafana Secrets management UI - PR review

Almost everything is working as expected! :) I have a couple of follow up items here:

  1. Investigate search input problem. The search bar doesn’t accept “-” character to be included in the search term.
  2. The secure value input seems to accept a LOT of text. Check if we have size limits on the input on the frontend.

w1kman added 2 commits June 24, 2025 08:31
- Delete secret modal: copy updated (see Miro).
- Improve search filter interactions and capabilities
- Improve name validation regexp (check last char to be alphanumeric)
- Improve label.(name|value) validation regexp (check last char to be alphanumeric)
- Add secure value limit (24kb)
w1kman commented Jun 24, 2025

@danielkenlee

> Investigate search input problem. The search bar doesn’t accept “-” character to be included in the search term.

The FilterInput had a prop called escapeRegex which was set to true by default. I've turned off that feature, as well as added the same type of transformation to the filter value before the list of secrets is filtered (e.g. "My cool filter" -> "my-cool-filter")

> The secure value input seems to accept a LOT of text. Check if we have size limits on the input on the frontend.

I've talked to @macabu about this. 24kb seems to be the lowest limit (Azure) we need to support. I've updated the client validation for the value to have a max length of 24576 chars
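
The 24576 limit from the comment above, as an added example that is not code from this PR: a string's `.length` counts UTF-16 code units, while the UTF-8 encoding of the same value can be up to three times larger, so this sketch validates the encoded size instead. That the backend limit is measured in bytes, and the names `utf8ByteLength`, `checkSecretValue` and `MAX_SECRET_VALUE_BYTES`, are assumptions.

```typescript
// Added example, not code from this PR. The byte-based policy and all names are assumptions.
const MAX_SECRET_VALUE_BYTES = 24 * 1024; // 24576, the figure quoted in the thread

// UTF-8 size of a JS string, computed from its UTF-16 code units.
function utf8ByteLength(s: string): number {
  let bytes = 0;
  for (let i = 0; i < s.length; i++) {
    const c = s.charCodeAt(i);
    if (c < 0x80) {
      bytes += 1;
    } else if (c < 0x800) {
      bytes += 2;
    } else if (c >= 0xd800 && c <= 0xdbff && (s.charCodeAt(i + 1) & 0xfc00) === 0xdc00) {
      bytes += 4; // valid surrogate pair: one code point outside the BMP
      i++;
    } else {
      bytes += 3; // BMP character, or a lone surrogate (encoded as U+FFFD)
    }
  }
  return bytes;
}

interface ValueCheck {
  ok: boolean;
  chars: number; // what `.length` and a maxLength-style rule count
  bytes: number; // what is actually sent and stored
  reason?: string;
}

function checkSecretValue(value: string): ValueCheck {
  const chars = value.length;
  const bytes = utf8ByteLength(value);
  if (chars === 0) {
    return { ok: false, chars, bytes, reason: 'value is required' };
  }
  if (bytes > MAX_SECRET_VALUE_BYTES) {
    return { ok: false, chars, bytes, reason: `value is ${bytes} bytes, limit is ${MAX_SECRET_VALUE_BYTES}` };
  }
  return { ok: true, chars, bytes };
}

// Constructed inputs: each has at most 24576 code units, but only the first fits in 24576 bytes.
const samples = ['a'.repeat(24576), 'é'.repeat(20000), '🔑'.repeat(6145)];
const results = samples.map(checkSecretValue);
```

A character-count rule alone would accept all three constructed samples; the same check on the server side is what actually enforces the limit, since client validation can be bypassed.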

This pull request has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in 2 weeks if no further activity occurs. Please feel free to give a status update or ping for review. Thank you for your contributions!

@github-actions github-actions bot added the stale label Jul 26, 2025
macabu commented Jul 28, 2025

Closing as stale! This moved!

@macabu macabu closed this Jul 28, 2025
Labels: area/backend, area/frontend, stale