
refactor(jans-pycloudlib): remove legacy compression support for external secrets #14432

Open: iromli wants to merge 5 commits into main from cn-ext-secrets


Conversation

iromli (Contributor) commented Jun 24, 2026

Prepare


Description

Remove deprecated secrets/configmaps compression for Google and AWS secrets manager. The last supported version is v1.0.11.

Target issue

closes #14391

Implementation Details


Test and Document the changes

  • Static code analysis has been run locally and issues have been fixed
  • Relevant unit and integration tests have been added/updated
  • Relevant documentation has been updated if any (i.e. user guides, installation and configuration guides, technical design docs etc)

Please check the below before submitting your PR. The PR will not be merged if there are no commits that start with docs: to indicate documentation changes or if the below checklist is not selected.

  • I confirm that there is no impact on the docs due to the code changes in this PR.

Summary by CodeRabbit

  • Bug Fixes
    • Removed the deprecated CN_GOOGLE_SECRET_MANAGER_PASSPHRASE from container defaults and environment-variable documentation across supported images, Helm values, and the Kubernetes External Secrets example.
    • Fixed an incorrect default string for the Consul port in the cloudtools documentation.
  • Documentation
    • Refreshed Google Secret Manager environment-variable guidance to use the current CN_GOOGLE_SECRET_VERSION_ID / CN_GOOGLE_SECRET_NAME_PREFIX settings.
  • Breaking Changes
    • Legacy compressed/encrypted secret payload formats are no longer supported for AWS and Google secrets; secrets must use the current JSON payload format.

…rnal secrets

Signed-off-by: iromli <isman.firmansyah@gmail.com>
@iromli iromli self-assigned this Jun 24, 2026
@mo-auto mo-auto added comp-jans-pycloudlib kind-enhancement Issue or PR is an enhancement to an existing functionality labels Jun 24, 2026
mo-auto (Member) commented Jun 24, 2026

Snyk checks have passed. No issues have been found so far.

Scan Engine: Open Source Security | Critical 0 | High 0 | Medium 0 | Low 0 | Total 0 issues


coderabbitai (Bot, Contributor) commented Jun 24, 2026

📝 Walkthrough


The pull request removes the Google Secret Manager passphrase from schema, Docker defaults, documentation, and examples. It also drops legacy compression and decryption handling from AWS and Google secret helpers and returns assembled JSON directly.

Changes

Secret configuration cleanup

  • Schema and example (charts/janssen/values.schema.json, docs/janssen-server/kubernetes-ops/external-secrets-configmaps.md): the Google secret configuration schema and the Kubernetes override example no longer include cnGoogleSecretManagerPassPhrase.
  • Image env defaults (docker-jans-*/Dockerfile): the container image ENV blocks remove CN_GOOGLE_SECRET_MANAGER_PASSPHRASE across the Janssen Dockerfiles.
  • Environment variable docs (docker-jans-*/README.md, docker-jans-cloudtools/README.md): the READMEs remove the passphrase entry from the environment-variable lists; docker-jans-cloudtools/README.md also updates the Google Secret Manager variable names and defaults.

Secret payload refactor

  • AWS payload decoding (jans-pycloudlib/jans/pycloudlib/secret/aws_secret.py): AwsSecret.get_all() removes lzma handling and now decodes the assembled payload directly with json.loads(...).
  • Google secret setup (jans-pycloudlib/jans/pycloudlib/secret/google_secret.py): GoogleSecret removes legacy compression and decryption imports, docstring variables, initialization, and helper methods.
  • Google payload decoding (jans-pycloudlib/jans/pycloudlib/secret/google_secret.py): GoogleSecret.get_all() now returns json.loads(payload) after assembly, and _maybe_legacy_payload(...) is removed.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)
  • Out of Scope Changes check ⚠️ Warning: the cloudtools README also fixes an unrelated corrupted Consul port line, which is outside the compression-removal scope. Resolution: remove the unrelated Consul port text cleanup or split it into a separate PR if it is intentional.
  • Docstring Coverage ⚠️ Warning: docstring coverage is 75.00%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (3 passed)
  • Title check ✅ Passed: the title matches the main change, removing legacy compression support from external secrets.
  • Linked Issues check ✅ Passed: the jans-pycloudlib changes remove legacy lzma-based handling in both AWS and Google secret code, matching issue #14391.
  • Description check ✅ Passed: the PR description matches the template with issue link, summary, and checklist items, and only the implementation-details section is left minimal.
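The description and walkthrough above state that AwsSecret.get_all() and GoogleSecret.get_all() drop the lzma handling and parse the assembled payload with json.loads(...) directly, so a secret still stored in the old compressed form becomes a hard failure. The Python below is an added example written for this page, not code from jans-pycloudlib, showing what that strict path looks like on the operator's side: it assembles a chunked payload (assumption: chunks are concatenated in order), accepts only a JSON object, and refuses a payload that still begins with the xz magic bytes of the removed compressed format with an error that names the migration path instead of an opaque JSON decode error. The chunk size, the secret names and the classify_payload audit helper are constructed for the example; the only page-derived fact is that the compressed format was last supported in v1.0.11.

```python
"""Strict secret-payload parsing after removal of legacy compression.

Added example, not code from jans-pycloudlib. Assumptions: a secret is stored
as ordered chunks that are concatenated back into one payload, and the only
accepted payload format is a UTF-8 encoded JSON object.
"""
import json
import lzma

# First six bytes of an xz container, which is what Python's lzma.compress()
# emits by default (FORMAT_XZ). A payload starting with them came from the
# removed compression path and must be migrated, not decompressed here.
XZ_MAGIC = b"\xfd7zXZ\x00"


class LegacySecretPayloadError(ValueError):
    """The payload still uses the compressed format last supported in v1.0.11."""


def assemble_payload(chunks):
    """Join secret chunks back into one payload (assumption: ordered concatenation)."""
    return b"".join(chunks)


def parse_secret_payload(chunks):
    """Return the secrets dict from chunked payload bytes, accepting JSON only.

    A legacy compressed payload is rejected with an actionable message instead
    of being decompressed, mirroring the breaking change described in the PR.
    """
    payload = assemble_payload(chunks)
    if payload.startswith(XZ_MAGIC):
        raise LegacySecretPayloadError(
            "secret payload is xz-compressed (legacy format, last supported in "
            "v1.0.11); re-create the secret as plain JSON before upgrading"
        )
    try:
        # json.loads accepts bytes; UnicodeDecodeError and JSONDecodeError
        # are both ValueError subclasses.
        data = json.loads(payload)
    except ValueError as exc:
        raise ValueError(f"secret payload is not valid JSON: {exc}") from exc
    if not isinstance(data, dict):
        raise ValueError(
            "secret payload must be a JSON object, not " + type(data).__name__
        )
    return data


def classify_payload(chunks):
    """Classify a stored secret as 'json', 'legacy' or 'invalid' without raising.

    Useful for a pre-upgrade audit: run it over every external secret and
    migrate the ones reported as 'legacy' before rolling out the new images.
    """
    try:
        parse_secret_payload(chunks)
    except LegacySecretPayloadError:
        return "legacy"
    except ValueError:
        return "invalid"
    return "json"


def split_payload(payload, size):
    """Split a payload into fixed-size chunks, as a size-limited backend would store it."""
    return [payload[i:i + size] for i in range(0, len(payload), size)]


# Constructed sample data for the example (no real secrets).
SECRETS = {"admin_pw": "constructed-not-real", "encoded_salt": "0123456789abcdef"}
JSON_PAYLOAD = json.dumps(SECRETS).encode("utf-8")
JSON_CHUNKS = split_payload(JSON_PAYLOAD, 16)
LEGACY_CHUNKS = split_payload(lzma.compress(JSON_PAYLOAD), 16)  # old compressed form
GARBAGE_CHUNKS = [b"not json at all"]

if __name__ == "__main__":
    print("parsed:", parse_secret_payload(JSON_CHUNKS))
    for name, chunks in [("json", JSON_CHUNKS), ("legacy", LEGACY_CHUNKS),
                         ("garbage", GARBAGE_CHUNKS)]:
        print(f"{name:8}-> {classify_payload(chunks)}")
```

Detecting the xz header up front is a deliberate choice: once the decompression path is gone, a compressed payload would otherwise surface only as a JSON decode error on the first byte, which tells an operator nothing about why a previously working secret broke after the upgrade.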

Signed-off-by: iromli <isman.firmansyah@gmail.com>
Signed-off-by: iromli <isman.firmansyah@gmail.com>
@iromli iromli had a problem deploying to integration-tests June 26, 2026 20:09 — with GitHub Actions Failure
@iromli iromli had a problem deploying to integration-tests June 26, 2026 20:09 — with GitHub Actions Failure
@iromli iromli marked this pull request as ready for review June 26, 2026 20:19
@iromli iromli requested a review from moabu as a code owner June 26, 2026 20:19

coderabbitai (Bot, Contributor) left a comment

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
docker-jans-cloudtools/README.md (1)

23-23: 🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Fix corrupted default value for CN_CONFIG_CONSUL_PORT.

Line 23 shows 85appVersion: "1.13.0" where the port default should be 8500. The corrupted string appears to be a merge or template artifact.

📝 Proposed fix
- - `CN_CONFIG_CONSUL_PORT`: port of Consul (default to `85appVersion: "1.13.0"`).
+ - `CN_CONFIG_CONSUL_PORT`: port of Consul (default to `8500`).
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docker-jans-cloudtools/README.md` at line 23, Fix the corrupted default for
CN_CONFIG_CONSUL_PORT in the README so it shows the intended Consul port value
instead of the merged artifact text. Update the documentation entry for
CN_CONFIG_CONSUL_PORT in the README content to use the correct default of 8500,
and remove the stray appVersion text so the config description is clean and
consistent.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docker-jans-cloudtools/README.md`:
- Around line 49-57: Remove the duplicate Google Secret Manager environment
variable documentation in the README and keep the more accurate
`CN_GOOGLE_SECRET_VERSION_ID` and `CN_GOOGLE_SECRET_NAME_PREFIX` entries that
match `google_secret.py`; update the env var list so each variable appears only
once, with the Janssen-specific wording and `jans-secret` note preserved, and
delete the earlier duplicate descriptions to avoid conflicting guidance.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 317e152f-215d-4034-bf6f-aa1acb0cb76d

📥 Commits

Reviewing files that changed from the base of the PR and between e997cb0 and af60a1b.

📒 Files selected for processing (22)
  • charts/janssen/values.schema.json
  • docker-jans-auth-server/Dockerfile
  • docker-jans-auth-server/README.md
  • docker-jans-casa/Dockerfile
  • docker-jans-casa/README.md
  • docker-jans-cloudtools/Dockerfile
  • docker-jans-cloudtools/README.md
  • docker-jans-config-api/Dockerfile
  • docker-jans-config-api/README.md
  • docker-jans-configurator/Dockerfile
  • docker-jans-configurator/README.md
  • docker-jans-fido2/Dockerfile
  • docker-jans-fido2/README.md
  • docker-jans-link/Dockerfile
  • docker-jans-link/README.md
  • docker-jans-persistence-loader/Dockerfile
  • docker-jans-persistence-loader/README.md
  • docker-jans-scim/Dockerfile
  • docker-jans-scim/README.md
  • docs/janssen-server/kubernetes-ops/external-secrets-configmaps.md
  • jans-pycloudlib/jans/pycloudlib/secret/aws_secret.py
  • jans-pycloudlib/jans/pycloudlib/secret/google_secret.py
💤 Files with no reviewable changes (19)
  • docker-jans-link/Dockerfile
  • docker-jans-configurator/README.md
  • docker-jans-link/README.md
  • docker-jans-scim/README.md
  • docker-jans-auth-server/README.md
  • docker-jans-configurator/Dockerfile
  • docker-jans-fido2/README.md
  • docker-jans-config-api/Dockerfile
  • charts/janssen/values.schema.json
  • docker-jans-cloudtools/Dockerfile
  • docker-jans-fido2/Dockerfile
  • docker-jans-persistence-loader/README.md
  • docker-jans-config-api/README.md
  • docker-jans-scim/Dockerfile
  • docker-jans-casa/README.md
  • docker-jans-auth-server/Dockerfile
  • docker-jans-casa/Dockerfile
  • docker-jans-persistence-loader/Dockerfile
  • docs/janssen-server/kubernetes-ops/external-secrets-configmaps.md

Comment thread docker-jans-cloudtools/README.md Outdated
Signed-off-by: iromli <isman.firmansyah@gmail.com>
coderabbitai Bot previously approved these changes Jun 26, 2026
Signed-off-by: iromli <isman.firmansyah@gmail.com>
