Move Mirroring Configuration to Individual Repositories

[minwoox]

Motivation:
Mirroring configurations should belong to the repository where the mirroring is executed to ensure proper ownership and management alignment.

Modifications:

• Implemented migration job that relocated mirroring configurations to their respective repositories.
  • Updated Mirroring REST API to reflect these changes.
• Updated credential IDs in mirroring configurations to use a full resource ID format:
  • Example for a project credential: projects/foo/credentials/foo-credential.
  • Example for a repository credential: projects/foo/repos/bar/credentials/bar-credential.
• Adjusted role requirements for credential management:
  • Project OWNER: Can create, update, and delete credentials.
  • Project MEMBER: Can read credentials.
  • Removed dependency on Meta repository access roles.

Result:

• Mirroring configurations are now repository-specific.
• Dependency on Meta repository access roles has been eliminated.

[minwoox]

Will continue after #1085 is merged. 😉

[codecov]

Codecov Report

Attention: Patch coverage is 78.86905% with 71 lines in your changes missing coverage. Please review.

Project coverage is 70.37%. Comparing base (f4dda40) to head (a8188b2).
Report is 5 commits behind head on main.

Files with missing lines	Patch %	Lines
...nal/mirror/MigratingMirrorToRepositoryService.java	72.94%	17 Missing and 6 partials ⚠️
...rp/centraldogma/internal/api/v1/MirrorRequest.java	61.90%	15 Missing and 1 partial ⚠️
...traldogma/server/internal/mirror/MirrorRunner.java	68.75%	8 Missing and 2 partials ⚠️
...rnal/storage/repository/DefaultMetaRepository.java	90.58%	6 Missing and 2 partials ⚠️
...rver/internal/storage/repository/MirrorConfig.java	77.14%	3 Missing and 5 partials ⚠️
...ldogma/server/internal/api/MirroringServiceV1.java	87.50%	2 Missing and 1 partial ⚠️
...erver/internal/mirror/MirrorSchedulingService.java	57.14%	3 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff              @@
##               main    #1086      +/-   ##
============================================
+ Coverage     70.29%   70.37%   +0.08%     
- Complexity     4284     4443     +159     
============================================
  Files           427      442      +15     
  Lines         17258    17882     +624     
  Branches       1915     1974      +59     
============================================
+ Hits          12131    12585     +454     
- Misses         4077     4240     +163     
- Partials       1050     1057       +7     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[minwoox]

I prefer migrating without entering read-only mode because

• It's not critical if mirroring is temporarily unavailable for a minute.
• Any issues can be promptly addressed if they arise.

If this is acceptable, I will remove these lines of code. Please let me know your opinion.

[ikhoon]

Agreed.

[jrhee17]

Understood the changes

[jrhee17]

Suggested change

repository.parent().name();

[ikhoon]

While reviewing this PR, I found out two bugs in DefaultMirrorAccessControler. Fixed at 5cae78a (#1086)

[ikhoon]

I couldn't fully review this PR. I will do another round tomorrow.

[ikhoon]

Currently, credentials are only exposed to owners in the UI. Do you want to allow members to read credentials? It may not be harmful since all sensitive information is masked.

[minwoox]

We need to allow the admin of each repository to read the credentials. Since it's read, I thought we could give the read permission to all members.

[ikhoon]

• What do you think of making Credential return the resource name instead?
  The ownership of the resource belongs to Credential so it would make more sense to delegate it such as Credential.resourceName() or Credential.name()?
  https://google.aip.dev/122#fields-representing-resource-names

[minwoox]

Alright, let me try that. 😉

[minwoox]

@ikhoon
I tried that approach, but it seems to make the logic and codebase more complicated.
What do you think of just removing credential.id() and using crendential.name() as we do for representing an xDS resource?

[minwoox]

Never mind. Let me just add the resourceName field to the classes. 😉

[ikhoon]

To apply the same approach as above here

Suggested change

	mirrorKey.projectName + '/' + mirrorKey.mirrorId);
	mirrorKey.repoName + '/' + mirrorKey.mirrorId);

[ikhoon]

nit:

Suggested change

	if (Strings.isNullOrEmpty(c.credentialId())) {
	if (c.credentialId().isEmpty()) {

[ikhoon]

Suggestion) This logic seems complicated to be included in a data class. What do you think of extracting the methods to MirrorConverter?

[ikhoon]

Should we skip migration for a MirrorConfig whose the credential ID starts with projects/? Because we don't rollback if the migration process is halt somehow. This migration could be partially applied.

[ikhoon]

Suggestion) What do you think of adding a new resource repository layer to find a credential from a given ID? This logic could be simplified as we don't have to care if the ID is a repo credential.

interface MetaResourceRepository {
    T find(String resourceName, Class<T> clazz);
}

Credential credential = repositoryRepository.find(mirror.credentialId(), Credential.class);

[minwoox]

I've used this logic not to fetch the resource one by one when multiple credentials are needed to be found. Let me encapsulate the logic into another class then.

[ikhoon]

Agreed.