Merge pull request #11 from TheRacetrack/10-use-secrets-reference-ins…

…tead-of-adding-env-vars-to-deployment-yaml Use secrets reference instead of adding env vars to deployment yaml
TheRacetrack · Dec 14, 2023 · e2843cc · e2843cc
2 parents 8147e52 + 4658fe7
commit e2843cc
Show file tree

Hide file tree

Showing 5 changed files with 33 additions and 10 deletions.
diff --git a/docs/compatibility.md b/docs/compatibility.md
@@ -4,3 +4,4 @@ This document describes compatibility of the versions of this plugin with the Ra
 | Plugin version | Compatible Racetrack version |
 |----------------|------------------------------|
 | 1.3.0          | `> 2.20.0`                   |
+| 1.4.0          | `> 2.23.0`                   |
diff --git a/src/deployer.py b/src/deployer.py
@@ -52,6 +52,7 @@ def deploy_job(
         runtime_env_vars: Dict[str, str],
         family: JobFamilyDto,
         containers_num: int = 1,
+        runtime_secret_vars: Dict[str, str] | None = None,
     ) -> JobDto:
         """Deploy Job on Kubernetes and expose Service accessible by Job name"""
         resource_name = job_resource_name(manifest.name, manifest.version)
@@ -110,6 +111,7 @@ def deploy_job(
             'cpu_min': cpu_min,
             'cpu_max': cpu_max,
             'job_k8s_namespace': K8S_NAMESPACE,
+            'runtime_secret_vars': runtime_secret_vars or {},
         }
 
         container_vars = []  # list of container tuples: (container_name, image_name, container_port)
@@ -184,13 +186,17 @@ def _k8s_api_client() -> client.ApiClient:
         load_incluster_config()
         return client.ApiClient()
 
-    def save_job_secrets(self,
-                            job_name: str,
-                            job_version: str,
-                            job_secrets: JobSecrets,
-                            ):
+    def save_job_secrets(
+        self,
+        job_name: str,
+        job_version: str,
+        job_secrets: JobSecrets,
+    ):
         """Create or update secrets needed to build and deploy a job"""
         resource_name = job_resource_name(job_name, job_version)
+        encoded_runtime_vars = {}
+        for var_name, var_value in job_secrets.secret_runtime_env.items():
+            encoded_runtime_vars[var_name] = _encode_secret_string(var_value)
         render_vars = {
             'resource_name': resource_name,
             'job_name': job_name,
@@ -199,13 +205,15 @@ def save_job_secrets(self,
             'secret_build_env': _encode_secret_key(job_secrets.secret_build_env),
             'secret_runtime_env': _encode_secret_key(job_secrets.secret_runtime_env),
             'job_k8s_namespace': K8S_NAMESPACE,
+            'encoded_runtime_vars': encoded_runtime_vars,
         }
         _apply_templated_resource('secret_template.yaml', render_vars, self.src_dir)
 
-    def get_job_secrets(self,
-                           job_name: str,
-                           job_version: str,
-                           ) -> JobSecrets:
+    def get_job_secrets(
+        self,
+        job_name: str,
+        job_version: str,
+    ) -> JobSecrets:
         """Retrieve secrets for building and deploying a job"""
         k8s_client = self._k8s_api_client()
         core_api = client.CoreV1Api(k8s_client)
@@ -275,6 +283,10 @@ def _decode_secret_key(secret_data: Dict[str, str], key: str) -> Optional[Any]:
     return decoded_obj
 
 
+def _encode_secret_string(text: str) -> str:
+    return b64encode(text.encode()).decode()
+
+
 def get_container_name(resource_name: str, container_index: int) -> str:
     if container_index == 0:
         return resource_name

diff --git a/src/plugin-manifest.yaml b/src/plugin-manifest.yaml
@@ -1,5 +1,5 @@
 name: kubernetes-infrastructure
-version: 1.3.1
+version: 1.4.0
 url: https://github.com/TheRacetrack/plugin-kubernetes-infrastructure
 category: 'infrastructure'
 components:

diff --git a/src/templates/job_template.yaml b/src/templates/job_template.yaml
@@ -58,6 +58,13 @@ spec:
             - name: {{ env_key }}
               value: "{{ env_value }}"
 {% endfor %}
+{% for secret_key in runtime_secret_vars.keys() %}
+            - name: {{ secret_key }}
+              valueFrom:
+                secretKeyRef:
+                  name: {{ resource_name }}
+                  key: secret_runtime_env.{{ secret_key }}
+{% endfor %}
 {% endfor %}
 
 ---

diff --git a/src/templates/secret_template.yaml b/src/templates/secret_template.yaml
@@ -13,3 +13,6 @@ data:
   git_credentials: "{{ git_credentials }}"
   secret_build_env: "{{ secret_build_env }}"
   secret_runtime_env: "{{ secret_runtime_env }}"
+{% for secret_key, secret_value in encoded_runtime_vars.items() %}
+  secret_runtime_env.{{ secret_key }}: "{{ secret_value }}"
+{% endfor %}