The presence of the `next-rotation-on` tag should be verified only for secrets in the manifest
Problem
When we're validating secrets, we load the list of secrets from the manifest. Then we get all the secrets from all associated KeyVaults so that we can print extraneous secrets. For each KeyVault secret, we verify that it has the `next-rotation-on` tag and if it doesn't, we log an error regardless of whether the secret is or is not in the original manifest. This ends up flagging over 100 secrets currently which might have been in the KeyVault for some time already and were never rotated with the tooling before.
Proposal
We should only verify secrets from the manifest. E.g. we could move the logging statement out but I have no knowledge about whether this should apply to all secrets or just the KeyVault ones…
Something like this - move the logging from within the `ListSecretsAsync` method to the `foreach`:
Alternatively, we could also pass the list of secret names to `ListSecretsAsync` and make it compare against that.
Related: https://github.com/dotnet/arcade-services/pull/2234
Release Note Description
Not release note worthy
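To illustrate the proposed scoping of the check, here is an added, self-contained C# sketch (not code from arcade-services; `VaultSecret`, `ValidationResult` and `SecretValidator` are hypothetical names): the tag check runs only for secrets that appear in the manifest, while vault secrets absent from the manifest are collected as extraneous instead of being logged as errors.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical minimal model of a KeyVault secret: its name and its tags.
public record VaultSecret(string Name, IReadOnlyDictionary<string, string> Tags);

// Secrets from the manifest that lack the tag, and vault secrets not in the manifest.
public record ValidationResult(List<string> MissingRotationTag, List<string> Extraneous);

public static class SecretValidator
{
    public const string NextRotationTag = "next-rotation-on";

    public static ValidationResult Validate(IEnumerable<string> manifestSecretNames,
                                            IEnumerable<VaultSecret> vaultSecrets)
    {
        var manifest = new HashSet<string>(manifestSecretNames, StringComparer.Ordinal);
        var result = new ValidationResult(new List<string>(), new List<string>());

        foreach (var secret in vaultSecrets)
        {
            if (!manifest.Contains(secret.Name))
            {
                // Not managed by the manifest: report as extraneous, do not check the tag.
                result.Extraneous.Add(secret.Name);
                continue;
            }

            // Only manifest secrets must carry the rotation tag.
            if (!secret.Tags.ContainsKey(NextRotationTag))
            {
                result.MissingRotationTag.Add(secret.Name);
            }
        }
        return result;
    }

    public static void Main()
    {
        // Constructed sample data: two manifest secrets, one legacy vault-only secret.
        var manifest = new[] { "db-password", "api-key" };
        var vault = new List<VaultSecret>
        {
            new("db-password", new Dictionary<string, string> { [NextRotationTag] = "2024-01-01" }),
            new("api-key", new Dictionary<string, string>()),
            new("legacy-token", new Dictionary<string, string>()),
        };

        var r = Validate(manifest, vault);
        Console.WriteLine($"Missing tag: {string.Join(", ", r.MissingRotationTag)}");
        Console.WriteLine($"Extraneous: {string.Join(", ", r.Extraneous)}");
    }
}
```

With this data only `api-key` is reported as missing the tag; `legacy-token` is listed as extraneous rather than flagged as an error.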
Top GitHub Comments
Yup this was resolved in https://github.com/dotnet/arcade-services/pull/2238, sorry for not putting it here earlier
P.S. @premun you write really nice issues.