DEVOPS-1743 Web Vault Migration workflow improvements
Type of change
- [ ] Bug fix
- [ ] New feature development
- [X] Tech debt (refactoring, code cleanup, dependency upgrades, etc)
- [ ] Build/deploy pipeline (DevOps)
- [ ] Other
Objective
- Use `azcopy` to sync the compiled Web Vault code to the Storage Account to avoid downtime. Provide logic for the `az storage blob sync` functionality as a "feature flag" as well.
  - Auth `azcopy` information: https://learn.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-authorize-azure-active-directory#authorize-a-service-principal-by-using-a-client-secret
- Add `Debug Mode` to help teams troubleshoot deployment and sync process.
Screenshots
The workflow testing is working as follows:
Successful Tests:
- USQA: https://github.com/bitwarden/clients/actions/runs/8044061739
- EUQA: https://github.com/bitwarden/clients/actions/runs/8043878078
- USPROD: https://github.com/bitwarden/clients/actions/runs/8043793789
We are using EUQA and we are not getting 404 errors anymore.
Code changes
- deploy-web: Deployment commands and GitHub Workflow readability.
Before you submit
- Please add unit tests where it makes sense to do so (encouraged but not required)
- If this change requires a documentation update - notify the documentation team
- If this change has particular deployment requirements - notify the DevOps team
- Ensure that all UI additions follow WCAG AA requirements
Codecov Report
All modified and coverable lines are covered by tests :white_check_mark:
Project coverage is 24.82%. Comparing base (d3c222d) to head (a21c5a5).
:exclamation: Current head a21c5a5 differs from pull request most recent head 55a226b. Consider uploading reports for the commit 55a226b to get more accurate results
Additional details and impacted files
```diff
@@           Coverage Diff           @@
##             main    #7966   +/-   ##
=======================================
  Coverage   24.82%   24.82%
=======================================
  Files        2230     2230
  Lines       65474    65474
  Branches    12359    12359
=======================================
  Hits        16252    16252
  Misses      47897    47897
  Partials     1325     1325
```
Checkmarx One – Scan Summary & Details – a7d3176d-afbe-4b52-b677-71d4598999a4
No New Or Fixed Issues Found
azcopy sync isn't in preview. What version of azcopy are you using? I have 10.23.0 and I don't see that message.
Since this fix also applies to the production Web Vaults, we cannot use `preview` commands. Microsoft states that those commands can change at any time, including complete removal.
@vgrassia, I have updated the workflow to use `azcopy` by default, leaving the extra work for `az storage blob sync` as a "feature flag": https://github.com/bitwarden/clients/commit/ab0bf5c0c967a962048cdbee8d15027ecb918437
@alex8bitw helped us a lot in figuring out the best approach to authenticate using `azcopy`.
I am concerned about the feature toggle as it introduces code rot that isn't timeboxed. From what I can tell, there is no planned date for when `az storage blob sync` is GA and some unknown around the value that it provides over `azcopy`. Everything else looks good though.
I understand your concern. With `az storage blob sync` we can use the same credentials that we employ in the Login to Azure step, whereas with `azcopy` we had to create a new mechanism with Service Principal Name as mentioned here. So, the auth is straightforward with az storage and less cumbersome in terms of credentials management from CloudOps standpoint. Due to the usage of `azcopy` they have to manage two separate credentials, the one for Azure Login to help us retrieve the secrets from KV and the SPN for `azcopy`.
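
The credential trade-off discussed in this thread, as an added sketch that is not part of the PR or the bitwarden/clients workflow: a sync step that defaults to `azcopy` with service-principal auto-login, keeps `az storage blob sync` behind a flag, and offers a debug mode that never prints the client secret. The function names, the `SYNC_TOOL`, `DEBUG` and `DRY_RUN` variables and the container argument are assumptions; the `AZCOPY_*` variables are AzCopy's documented service-principal settings.

```shell
# Added illustration; function names, SYNC_TOOL, DEBUG and DRY_RUN are hypothetical.

# Refuse to start a sync if a service-principal setting is missing.
# Reports variable names only, never values.
check_azcopy_env() (
  missing=""
  for name in AZCOPY_SPA_APPLICATION_ID AZCOPY_SPA_CLIENT_SECRET AZCOPY_TENANT_ID; do
    eval "value=\${$name:-}"
    [ -n "$value" ] || missing="$missing $name"
  done
  [ -z "$missing" ] && exit 0
  echo "missing azcopy settings:$missing" >&2
  exit 1
)

# Debug output for troubleshooting: identifiers in clear, secret masked.
debug_env() {
  echo "SYNC_TOOL=${SYNC_TOOL:-azcopy}"
  echo "AZCOPY_SPA_APPLICATION_ID=${AZCOPY_SPA_APPLICATION_ID:-<unset>}"
  echo "AZCOPY_TENANT_ID=${AZCOPY_TENANT_ID:-<unset>}"
  if [ -n "${AZCOPY_SPA_CLIENT_SECRET:-}" ]; then
    echo "AZCOPY_SPA_CLIENT_SECRET=***"
  else
    echo "AZCOPY_SPA_CLIENT_SECRET=<unset>"
  fi
}

# With DRY_RUN=1 print the command instead of running it.
run_or_print() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# web_sync SRC_DIR STORAGE_ACCOUNT CONTAINER
web_sync() (
  src="$1"; account="$2"; container="$3"
  [ "${DEBUG:-false}" = true ] && debug_env >&2
  case "${SYNC_TOOL:-azcopy}" in
    azcopy)
      # Second credential: the SPN secret is read from the environment, not argv.
      check_azcopy_env || exit 1
      export AZCOPY_AUTO_LOGIN_TYPE=SPN
      run_or_print azcopy sync "$src" "https://$account.blob.core.windows.net/$container" ;;
    az)
      # Flagged path: reuses the session from the earlier Azure login step.
      run_or_print az storage blob sync --account-name "$account" \
        --container "$container" --source "$src" --auth-mode login ;;
    *)
      echo "unknown SYNC_TOOL: $SYNC_TOOL" >&2; exit 2 ;;
  esac
)
```

Running it with `DRY_RUN=1 DEBUG=true` shows which credential path a deployment would take before anything is uploaded.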