Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for secrets #116

Merged
merged 6 commits into from
Mar 17, 2021
Merged

Add support for secrets #116

merged 6 commits into from
Mar 17, 2021

Conversation

TheLortex
Copy link
Contributor

Secrets are a way to transmit sensitive key-value pairs to workers, without having them displayed in any log files. This PR adds a new secrets option to provide secret values from a client to a worker. They can be consumed by the job spec, either using the docker syntax or the obuilder syntax.

This depends on ocurrent/obuilder#63

@TheLortex TheLortex force-pushed the secrets branch 2 times, most recently from c34aa41 to 2a2333a Compare March 17, 2021 10:34
talex5
talex5 reviewed Mar 17, 2021
View reviewed changes
Copy link
Contributor

@talex5 talex5 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good! Just needs a minor update to match the latest OBuilder PR once that's merged.

bin/client.ml Outdated Show resolved Hide resolved
ocurrent-plugin/current_ocluster.mli Outdated Show resolved Hide resolved
@TheLortex
Copy link
Contributor Author

Thank you, this should be good. Rebased the commits renaming key to id to avoid confusion, the client now reads secrets from files like it's done in obuilder and the submodule points to obuilder's main branch.

@talex5 talex5 merged commit 3f11753 into ocurrent:master Mar 17, 2021
@talex5
Copy link
Contributor

talex5 commented Mar 17, 2021

Great! I've deployed it on the cluster now.

tmcgilchrist added a commit to tmcgilchrist/opam-repository that referenced this pull request Nov 9, 2022
@tmcgilchrist
[new release] ocluster, ocluster-api and current_ocluster (0.2)
b8873c9 
CHANGES:

- Update OBuilder to pull in Windows prereqs (@MisterDA ocurrent/ocluster#196, reviewed by @tmcgilchrist)
- Worker pool capacity metric (@mtelvers ocurrent/ocluster#195, reviewed by @talex5)
- Update Ocluster to be macOS capable (@patricoferris ocurrent/ocluster#152, reviewed by @tmcgilchrist)
- Use rsync-hardlink from OBuilder rsync store (@MisterDA ocurrent/ocluster#189, reviewed by @tmcgilchrist)
- Various Dune 3 fixes (@MisterDA ocurrent/ocluster#187, reviewed by @talex5)
- Switch from Debian to Ubuntu for Worker Builds (@mtelvers ocurrent/ocluster#185, reviewed by @dra27)
- Update to Prometheus 1.2 (@mtelvers ocurrent/ocluster#183, reviewed by @MisterDA)
- Default to GitLab merge-requests refspecs (@MisterDA ocurrent/ocluster#180, reviewed by @tmcgilchrist)
- GitLab: allow fetching merge-requests from remote origin (@MisterDA ocurrent/ocluster#175, reviewed by @tmcgilchrist)
- Updated Dockerfile* and .dockerignore (@mtelvers ocurrent/ocluster#178, reviewed by @tmcgilchrist and @MisterDA)
- Upgrade lwt to 5.5.0 (@maiste ocurrent/ocluster#171 ocurrent/ocluster#181, reviewed by @dra27)
- Added --terse option to ocluster-admin-show and added new command ocluster-admin-exec (@mtelvers ocurrent/ocluster#165, reviewed by @tmcgilchrist and @dra27)
- Support custom jobs, adds custom job specifications to the cluster API. (@patricoferris ocurrent/ocluster#156, reviewed by @talex5)
- Continuing the joy of submodule URL changes (@dra27 ocurrent/ocluster#164)
- Update ocaml/opam-repository SHA includes tar-unix.2.0.1 (@mtelvers ocurrent/ocluster#161, reviewed by @dra27)
- Run git submodule update when resetting the git clone (@MisterDA ocurrent/ocluster#163, reviewed by @tmcgilchrist)
- Cmdliner.1.1.0 support (@MisterDA ocurrent/ocluster#160)
- Explicitly set confirmation levels to allow for manually triggered jobs. (@tmcgilchrist ocurrent/ocluster#159, reviewed by @TheLortex)
- Merge Obuilder with rsync store (@MisterDA ocurrent/ocluster#155, reviewed by @talex5)
- Sqlite3 remove usage of "FALSE" for compatibility with older versions (@art-w ocurrent/ocluster#150, reviewed by @talex5)
- Revert adopting GNU tar format (@dra27 ocurrent/ocluster#148)
- Update obuilder to latest (@mtelvers ocurrent/ocluster#147)
- Fix deprecations in Fmt 0.8.10 (@tmcgilchrist ocurrent/ocluster#145)
- Lwt_unix.yield was deprecated in favor of Lwt.pause (@MisterDA ocurrent/ocluster#142, reviewed by @dra27)
- Remove runc build from Dockerfile.worker (@talex5 ocurrent/ocluster#140)
- Add Windows support (@MisterDA ocurrent/ocluster#128, reviewed by @dra27 and @talex5)
- Admin client: fix ref-counting on progress display (@talex5 ocurrent/ocluster#138)
- Add --verbose to README examples (@talex5 ocurrent/ocluster#137)
- Use --connect for the worker capability too (@talex5 ocurrent/ocluster#136)
- Make free-space check work on Windows (@talex5 ocurrent/ocluster#134)
- Support Fmt.cli and Logs.cli (@MisterDA ocurrent/ocluster#133, reviewed by @talex5)
- Windows support prerequisites (@talex5 and @MisterDA ocurrent/ocluster#132)
- Update to capnp-rpc 1.2 and fix connection handling (@talex5 ocurrent/ocluster#131)
- Improve reporting of connection errors (@talex5 ocurrent/ocluster#130)
- Depend on more current_* modules to build examples (@MisterDA ocurrent/ocluster#129, reviewed by @talex5)
- Add ca-certificates to Dockerfile (@talex5 ocurrent/ocluster#127)
- API to wait for a worker to drain, useful for scripts that need to wait for a worker to stop before continuing. (@talex5 ocurrent/ocluster#126)
- Allow pausing/unpausing/forgetting unconnected workers (@talex5 ocurrent/ocluster#125)
- Fix ref-leak when rejecting duplicate workers (@talex5 ocurrent/ocluster#124)
- Improve handling of a worker's active state (@talex5 ocurrent/ocluster#123)
- Report better error on duplicate worker registration (@talex5 ocurrent/ocluster#122)
- Switch pool tests to expect tests (@talex5 ocurrent/ocluster#121)
- Add timestamps to OBuilder logs (@talex5 ocurrent/ocluster#120)
- Fix opam constraint on digestif (@kit-ty-kate ocurrent/ocluster#118, reviewed by @talex5)
- Add support for secrets. Secrets are a way to transmit sensitive key-value pairs to workers, without having them displayed in any log files. (@TheLortex ocurrent/ocluster#116, reviewed by @talex5)
- Add optional label to build_obuilder (@TheLortex ocurrent/ocluster#113, reviewed by @talex5)
@tmcgilchrist tmcgilchrist mentioned this pull request Nov 9, 2022
Closed
@tmcgilchrist tmcgilchrist mentioned this pull request Nov 30, 2022
Merged
dinosaure pushed a commit to tmcgilchrist/opam-repository that referenced this pull request Dec 8, 2022
@tmcgilchrist @dinosaure
[new release] ocluster, ocluster-api and current_ocluster (0.2)
d27404f 
CHANGES:

- Update OBuilder to pull in Windows prereqs (@MisterDA ocurrent/ocluster#196, reviewed by @tmcgilchrist)
- Worker pool capacity metric (@mtelvers ocurrent/ocluster#195, reviewed by @talex5)
- Update Ocluster to be macOS capable (@patricoferris ocurrent/ocluster#152, reviewed by @tmcgilchrist)
- Use rsync-hardlink from OBuilder rsync store (@MisterDA ocurrent/ocluster#189, reviewed by @tmcgilchrist)
- Various Dune 3 fixes (@MisterDA ocurrent/ocluster#187, reviewed by @talex5)
- Switch from Debian to Ubuntu for Worker Builds (@mtelvers ocurrent/ocluster#185, reviewed by @dra27)
- Update to Prometheus 1.2 (@mtelvers ocurrent/ocluster#183, reviewed by @MisterDA)
- Default to GitLab merge-requests refspecs (@MisterDA ocurrent/ocluster#180, reviewed by @tmcgilchrist)
- GitLab: allow fetching merge-requests from remote origin (@MisterDA ocurrent/ocluster#175, reviewed by @tmcgilchrist)
- Updated Dockerfile* and .dockerignore (@mtelvers ocurrent/ocluster#178, reviewed by @tmcgilchrist and @MisterDA)
- Upgrade lwt to 5.5.0 (@maiste ocurrent/ocluster#171 ocurrent/ocluster#181, reviewed by @dra27)
- Added --terse option to ocluster-admin-show and added new command ocluster-admin-exec (@mtelvers ocurrent/ocluster#165, reviewed by @tmcgilchrist and @dra27)
- Support custom jobs, adds custom job specifications to the cluster API. (@patricoferris ocurrent/ocluster#156, reviewed by @talex5)
- Continuing the joy of submodule URL changes (@dra27 ocurrent/ocluster#164)
- Update ocaml/opam-repository SHA includes tar-unix.2.0.1 (@mtelvers ocurrent/ocluster#161, reviewed by @dra27)
- Run git submodule update when resetting the git clone (@MisterDA ocurrent/ocluster#163, reviewed by @tmcgilchrist)
- Cmdliner.1.1.0 support (@MisterDA ocurrent/ocluster#160)
- Explicitly set confirmation levels to allow for manually triggered jobs. (@tmcgilchrist ocurrent/ocluster#159, reviewed by @TheLortex)
- Merge Obuilder with rsync store (@MisterDA ocurrent/ocluster#155, reviewed by @talex5)
- Sqlite3 remove usage of "FALSE" for compatibility with older versions (@art-w ocurrent/ocluster#150, reviewed by @talex5)
- Revert adopting GNU tar format (@dra27 ocurrent/ocluster#148)
- Update obuilder to latest (@mtelvers ocurrent/ocluster#147)
- Fix deprecations in Fmt 0.8.10 (@tmcgilchrist ocurrent/ocluster#145)
- Lwt_unix.yield was deprecated in favor of Lwt.pause (@MisterDA ocurrent/ocluster#142, reviewed by @dra27)
- Remove runc build from Dockerfile.worker (@talex5 ocurrent/ocluster#140)
- Add Windows support (@MisterDA ocurrent/ocluster#128, reviewed by @dra27 and @talex5)
- Admin client: fix ref-counting on progress display (@talex5 ocurrent/ocluster#138)
- Add --verbose to README examples (@talex5 ocurrent/ocluster#137)
- Use --connect for the worker capability too (@talex5 ocurrent/ocluster#136)
- Make free-space check work on Windows (@talex5 ocurrent/ocluster#134)
- Support Fmt.cli and Logs.cli (@MisterDA ocurrent/ocluster#133, reviewed by @talex5)
- Windows support prerequisites (@talex5 and @MisterDA ocurrent/ocluster#132)
- Update to capnp-rpc 1.2 and fix connection handling (@talex5 ocurrent/ocluster#131)
- Improve reporting of connection errors (@talex5 ocurrent/ocluster#130)
- Depend on more current_* modules to build examples (@MisterDA ocurrent/ocluster#129, reviewed by @talex5)
- Add ca-certificates to Dockerfile (@talex5 ocurrent/ocluster#127)
- API to wait for a worker to drain, useful for scripts that need to wait for a worker to stop before continuing. (@talex5 ocurrent/ocluster#126)
- Allow pausing/unpausing/forgetting unconnected workers (@talex5 ocurrent/ocluster#125)
- Fix ref-leak when rejecting duplicate workers (@talex5 ocurrent/ocluster#124)
- Improve handling of a worker's active state (@talex5 ocurrent/ocluster#123)
- Report better error on duplicate worker registration (@talex5 ocurrent/ocluster#122)
- Switch pool tests to expect tests (@talex5 ocurrent/ocluster#121)
- Add timestamps to OBuilder logs (@talex5 ocurrent/ocluster#120)
- Fix opam constraint on digestif (@kit-ty-kate ocurrent/ocluster#118, reviewed by @talex5)
- Add support for secrets. Secrets are a way to transmit sensitive key-value pairs to workers, without having them displayed in any log files. (@TheLortex ocurrent/ocluster#116, reviewed by @talex5)
- Add optional label to build_obuilder (@TheLortex ocurrent/ocluster#113, reviewed by @talex5)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@talex5 talex5 talex5 left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@TheLortex @talex5