support secrets in upgrade jobs

EDITD · Dec 1, 2023 · f8d5110 · f8d5110
1 parent d819d2b
commit f8d5110
Show file tree

Hide file tree

Showing 5 changed files with 78 additions and 5 deletions.
diff --git a/kubetools/kubernetes/config/__init__.py b/kubetools/kubernetes/config/__init__.py
@@ -287,12 +287,17 @@ def generate_kubernetes_configs_for_project(
             job_spec.get('envvars'),
         )
 
+        service_account_name = job_spec.get('serviceAccountName', None)
+        secrets = job_spec.get('secrets', None)
+
         jobs.append(make_job_config(
             job_spec,
             app_name=project_name,
             labels=job_labels,
             annotations=base_annotations,
             envvars=job_envvars,
+            service_account_name=service_account_name,
+            secrets=secrets,
         ))
 
     cronjobs = []

diff --git a/kubetools/kubernetes/config/job.py b/kubetools/kubernetes/config/job.py
@@ -3,6 +3,7 @@
 
 from .container import make_container_config
 from .util import copy_and_update
+from .volume import make_secret_volume_config
 
 
 def make_job_config(
@@ -13,6 +14,8 @@ def make_job_config(
     envvars=None,
     job_name=None,
     container_name="upgrade",
+    service_account_name=None,
+    secrets=None,
 ):
     '''
     Builds a Kubernetes job configuration dict.
@@ -68,13 +71,30 @@ def make_job_config(
         envvars=envvars,
         labels=labels,
         annotations=annotations,
+        secrets=secrets,
     )
 
     # Completions default to 1, same as Kubernetes
     completions = config.get('completions', 1)
     # Parallelism defaults to completions, also as Kubernetes
     parallelism = config.get('parallelism', completions)
 
+    template_spec = {
+        'restartPolicy': 'Never',
+        'containers': [container],
+    }
+
+    if service_account_name is not None:
+        template_spec['serviceAccountName'] = service_account_name
+
+    if secrets is not None:
+        kubernetes_volumes = []
+        for secret_name, secret in secrets.items():
+            kubernetes_volumes.append(make_secret_volume_config(
+                secret_name, secret,
+            ))
+        template_spec['volumes'] = kubernetes_volumes
+
     job_config = {
         # Normal Kubernetes job config
         'apiVersion': 'batch/v1',
@@ -92,10 +112,7 @@ def make_job_config(
                 'metadata': {
                     'labels': labels,
                 },
-                'spec': {
-                    'restartPolicy': 'Never',
-                    'containers': [container],
-                },
+                'spec': template_spec,
             },
         },
     }

diff --git a/tests/configs/basic_app/kubetools.yml b/tests/configs/basic_app/kubetools.yml
@@ -8,7 +8,6 @@ containerContexts:
     ports:
       - 80
 
-
 upgrades:
   - name: Upgrade the database
     containerContext: generic-context

diff --git a/tests/configs/k8s_with_mounted_secrets/k8s_jobs.yml b/tests/configs/k8s_with_mounted_secrets/k8s_jobs.yml
@@ -0,0 +1,40 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations: {app.kubernetes.io/managed-by: kubetools, description: 'Run: [''generic-command'']'}
+  labels: {job-id: UUID, kubetools/project_name: generic-app-with-secrets,
+    kubetools/role: job}
+  name: UUID
+spec:
+  completions: 1
+  parallelism: 1
+  selector: {job-id: UUID, kubetools/project_name: generic-app-with-secrets,
+    kubetools/role: job}
+  template:
+    metadata:
+      labels: {job-id: UUID, kubetools/project_name: generic-app-with-secrets,
+        kubetools/role: job}
+    spec:
+      serviceAccountName: generic-account
+      containers:
+      - chdir: /
+        command: [generic-command]
+        env:
+        - {name: KUBE, value: 'true'}
+        - {name: KUBE_JOB_ID, value: UUID}
+        image: generic-image
+        imagePullPolicy: Always
+        name: upgrade
+        resources:
+          requests:
+            memory: "1Gi"
+        volumeMounts:
+        - {name: secret-volume, mountPath: /mnt/upgrades-secrets-store, readonly: True}
+      restartPolicy: Never
+      volumes:
+      - name: secret-volume
+        csi:
+          driver: secrets-store.csi.k8s.io
+          readOnly: true
+          volumeAttributes:
+            secretProviderClass: secrets
diff --git a/tests/configs/k8s_with_mounted_secrets/kubetools.yml b/tests/configs/k8s_with_mounted_secrets/kubetools.yml
@@ -8,6 +8,18 @@ containerContexts:
     ports:
       - 80
 
+upgrades:
+  - name: Upgrade the database
+    containerContext: generic-context
+    command: [generic-command, generic-arg]
+    serviceAccountName: generic-account
+    secrets:
+      secret-volume:
+        mountPath: /mnt/upgrades-secrets-store
+        secretProviderClass: secrets
+    resources:
+      requests:
+        memory: "1Gi"
 
 dependencies:
   generic-dependency-with-secrets:
-Original file line number
+Diff line change
@@ Expand Up / @@ -8,7 +8,6 @@ containerContexts: @@
         ports:
           - 80
     upgrades:
       - name: Upgrade the database
         containerContext: generic-context
@@ Expand Down @@