feat: add secret and configmap mounting #47

Merged

linuxbandit

It used to be impossible until now:

https://cloud.google.com/sdk/gcloud/reference/run/deploy#--set-secrets

To use it I report the docs:

Specify secrets to mount or provide as environment variables. Keys starting with a forward slash '/' are mount paths. All other keys correspond to environment variables. The values associated with each of these should be in the form SECRET_NAME:KEY_IN_SECRET; you may omit the key within the secret to specify a mount of all keys within the secret. For example: '--update-secrets=/my/path=mysecret,ENV=othersecret:key.json' will create a volume with secret 'mysecret' and mount that volume at '/my/path'. Because no secret key was specified, all keys in 'mysecret' will be included. An environment variable named ENV will also be created whose value is the value of 'key.json' in 'othersecret'

Therefore the proposed solution is to write something on the pipeline like:

```yaml
# file .gitlab-ci.yml
import: ...
stages: ...
variables:
  ...
  SECRET_MOUNTS: "/secrets=my-app-serviceaccounts"
  ...
```

where we can express both the mount folder (/secrets) and the name of the secret to mount. In this example, as per docs, all keys in the serviceaccount are mounted, so we can have a secret made of

```yaml
---
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: my-app-serviceaccounts
  namespace: my-serverless-ns
data:
  bucket-sa.json: <b64>
  pubsub-sa.json: <b64>
```

and it's up to the app to take the right file
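
The key rules from the gcloud docs quoted in the description above, as an added example that is not part of the original pull request or the project's code: a POSIX shell function (the name `classify_secret_spec` and its output labels are hypothetical) that reports whether each entry of a `SECRET_MOUNTS`-style value mounts a whole secret, mounts a single key, or sets an environment variable. This makes it visible in the pipeline when a value exposes every key of a secret to the app.

```shell
# Added example (not project code): classify each entry of a SECRET_MOUNTS-style
# value by the rules in the gcloud docs quoted above. Function name is hypothetical.
# Output, one line per entry:
#   mount-all <path> <secret>        every key in the secret becomes a file
#   mount-key <path> <secret> <key>  only one key is mounted
#   env <NAME> <secret> <key>        one key exposed as an environment variable
classify_secret_spec() (
  spec=$1
  [ -n "$spec" ] || { echo "error: empty spec" >&2; exit 1; }
  IFS=','   # entries are comma-separated; the subshell body keeps IFS local
  set -f    # no glob expansion while splitting
  set -- $spec
  for entry in "$@"; do
    case $entry in
      *=*) ;;
      *) echo "error: '$entry' is not KEY=VALUE" >&2; exit 1 ;;
    esac
    key=${entry%%=*}
    value=${entry#*=}
    secret=${value%%:*}
    secret_key=
    case $value in
      *:*) secret_key=${value#*:} ;;
    esac
    if [ -z "$key" ] || [ -z "$secret" ]; then
      echo "error: empty key or secret name in '$entry'" >&2; exit 1
    fi
    case $key in
      /*)  # leading slash: mount path
        if [ -n "$secret_key" ]; then
          echo "mount-key $key $secret $secret_key"
        else
          echo "mount-all $key $secret"
        fi ;;
      *)   # anything else: environment variable
        # Assumption: the quoted docs do not define an env entry without a key, so reject it.
        [ -n "$secret_key" ] || { echo "error: env '$key' needs SECRET:KEY" >&2; exit 1; }
        echo "env $key $secret $secret_key" ;;
    esac
  done
)

# Constructed sample: the value from the PR description, then a narrower alternative.
classify_secret_spec "/secrets=my-app-serviceaccounts"
classify_secret_spec "/secrets/bucket=my-app-serviceaccounts:bucket-sa.json"
```

With the value from the description, the first call reports `mount-all`, meaning both `bucket-sa.json` and `pubsub-sa.json` become readable by the app.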

@linuxbandit linuxbandit requested a review from gadiener July 21, 2020 14:37
@gadiener

You should add separate variables for quality and production in the root files.

```sh
echo "-> ... also deploying kubernetes configmaps"
echo

kubectl apply -f kube/configmap.yaml --namespace=${NAMESPACE}
```


I think that we must add a variable for the configmap path; kube/configmap.yaml could be the default value.

Author


Do you think this is solved this way?

@linuxbandit linuxbandit requested a review from gadiener July 24, 2020 07:45
@gadiener gadiener merged commit 64f2d88 into jobtome-labs:master Jul 24, 2020