[Feature]: App Environment Variables should be available during staging #774
Comments
So this story was making me think a bit more about how we're essentially putting secret data (service bindings often contain connection strings and passwords) into plaintext by converting them into I doubt this is the right place to do this, but one thought I had was what if we had something continuously reconciling all the Then I think with some enhancements to the Eirini LRP (make it use the k8s EnvVar type instead of this string map) you could wire that through on eirini-controller as well for running apps.

I created an explicit issue for what I was talking about above ^^ It's a lower priority than some of our other stuff, but I welcome feedback on it if anyone wants to take a look.
Issue: #774 Co-authored-by: Kieron Browne <kbrowne@vmware.com>
* App environment consists of entries in the app env secret and `VCAP_SERVICES` that is built out of app service bindings
* Introduce a `env.Builder` to build the app environment which is used by the process controller and the build controller
* The `env.Builder` adds the `VCAP_SERVICES` entry into the app env secret under the hood
* If the app has no env secret name set, the builder would be a noop and no env would be passed to the process/build. We assume that in this case the developer does not care about the environment
* If the app has an env secret name set, but the secret does not exist, we return an error as we assume that the secret should have been already created

Issue: #774
Co-authored-by: Kieron Browne <kbrowne@vmware.com>
Co-authored-by: Danail Branekov <danailster@gmail.com>
Co-authored-by: Georgi Sabev <georgethebeatle@gmail.com>
* App environment consists of entries in the app env secret and `VCAP_SERVICES` that is built out of app service bindings
* Introduce a `env.Builder` to build the app environment which is used by the process controller and the build controller
* The `env.Builder` adds the `VCAP_SERVICES` entry into the app env secret under the hood
* If the app has no env secret name set, the builder would be a noop and no env would be passed to the process/build. We assume that in this case the developer does not care about the environment
* If the app has an env secret name set, but the secret does not exist, we return an error as we assume that the secret should have been already created

TODO: The controllers account now needs permissions to patch secrets

Issue: #774
Co-authored-by: Kieron Browne <kbrowne@vmware.com>
Co-authored-by: Danail Branekov <danailster@gmail.com>
Co-authored-by: Georgi Sabev <georgethebeatle@gmail.com>
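
The `env.Builder` rules listed in the commit message above, combined with the earlier comment's concern about binding credentials ending up in plaintext, as an added Go sketch (not the project's code). `BuildEnv`, `EnvVar`, `Binding` and the in-memory `secrets` map are hypothetical stand-ins, and it assumes the resulting env is handed on as secret-key references rather than values.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"sort"
)

// EnvVar (hypothetical) references a secret key rather than holding a plaintext value.
type EnvVar struct{ Name, SecretName, SecretKey string }

// Binding is a constructed stand-in for one app service binding.
type Binding struct {
	Label       string            `json:"label"`
	Name        string            `json:"name"`
	Credentials map[string]string `json:"credentials"`
}

var ErrSecretMissing = errors.New("app env secret not found")

// BuildEnv applies the rules from the commit message. secrets is an in-memory
// stand-in for the namespace's Secret objects, keyed by secret name.
func BuildEnv(secretName string, secrets map[string]map[string]string, bindings []Binding) ([]EnvVar, error) {
	if secretName == "" {
		return nil, nil // no env secret name set: noop, no env is passed
	}
	data, ok := secrets[secretName]
	if !ok { // name set but secret absent: error, it should already exist
		return nil, fmt.Errorf("%w: %q", ErrSecretMissing, secretName)
	}
	vcap := map[string][]Binding{}
	for _, b := range bindings {
		vcap[b.Label] = append(vcap[b.Label], b)
	}
	raw, _ := json.Marshal(vcap) // cannot fail for these plain types
	data["VCAP_SERVICES"] = string(raw) // credentials stay inside the secret
	env := make([]EnvVar, 0, len(data))
	for k := range data {
		env = append(env, EnvVar{Name: k, SecretName: secretName, SecretKey: k})
	}
	sort.Slice(env, func(i, j int) bool { return env[i].Name < env[j].Name })
	return env, nil
}

func main() {
	env, err := BuildEnv("app-env", map[string]map[string]string{"app-env": {"FOO": "bar"}}, nil)
	fmt.Println(env, err)
}
```

Because every returned entry names a secret key, the build and process specs never carry the credential values themselves; only the secret does.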
Blockers/Dependencies
`VCAP_SERVICES` #462

Background
Cloud Foundry allows developers to configure environment variables for apps and exposes them during both staging and running contexts. Additionally CF also includes any bound services under the `CF_SERVICES` env var and has its own set of additional system env vars. The scope of this story is not to backfill or set any system env vars that are missing, but to provide the same env vars that we set for running apps right now to the kpack `Image`.

Some of the running env vars (such as `PORT`) don't make sense for staging so omit those. Cross check with this table to see what existing env vars in CF for VMs are present during running vs staging.

As an App Developer
I want my environment variables to be present during staging
So that any buildpacks that require environment variables have access to them

Acceptance Criteria

User-specified env vars
GIVEN I have set environment variables on my app
WHEN I run `cf push` or `cf restage` for my app
THEN I see, on the kpack `Image` and build `Pod`, environment variables that correspond with what I've set

`VCAP_SERVICES` env vars
Note: We did this partially in #463 via volume mounts, but did not configure `VCAP_SERVICES`.
GIVEN I have bound several user-provided service instances to my app
WHEN I run `cf push` or `cf restage` for my app
THEN I see, on the kpack `Image` and build `Pod`, an environment variable called `VCAP_SERVICES` with an encoded JSON string containing those credentials. See #462 for the structure of this.

Dev Notes
`VCAP_SERVICES` (see this discussion). I think this may have been too future looking since although many new Cloud Native Buildpacks use K8s `ServiceBinding` spec volume mounts, any shimmed legacy buildpacks or custom buildpacks are likely still looking for `VCAP_SERVICES`.

Resources
`Image`: https://github.com/cloudfoundry/cf-k8s-controllers/blob/734e60bdffd7b977bff5ee3132fd9314bf7f712a/controllers/controllers/workloads/cfbuild_controller.go#L248