Implementing support for secrets

Add configuration to define secrets for specific services for specific apps. These
secrets will be mounted in the container under `/run/secrets/<name>` so that the
service is able to use e.g. database credentials.
schrieveslaach committed Apr 30, 2019
1 parent abccc44 commit 4c7e25685219a0f3521be70267d893ab2e1c23f9

@@ -6,6 +6,7 @@ repository = "https://github.com/aixigo/PREvant/"
edition = "2018"

[dependencies]
base64 = "0.10"
cached = "0.8"
clap = "2.33"
crossbeam = "0.7"
@@ -21,6 +22,7 @@ multimap = "0.4"
serde = "1.0"
serde_derive = "1.0"
serde_json = "1.0"
serde_regex = "0.3"
serde_yaml = "0.7"
tokio = "0.1"
tokio-core = "0.1"
@@ -30,6 +32,7 @@ regex = "1.0"
rocket = "0.4"
rocket_contrib = "0.4"
rocket-cache-response = "0.5"
secstr = "0.3"
url = "1.7"
yansi = "0.5"

@@ -42,7 +45,8 @@ version = "0.12"
features = ["with_rocket"]

[dependencies.shiplift]
version = "0.5"
git = "https://github.com/schrieveslaach/shiplift.git"
rev = "660ac7a2b2e46859d2e27661ddda11151a9000cb"
default-features = false
features = ["unix-socket"]
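Review bot: the `[dependencies.shiplift]` block swaps the crates.io release for a personal fork pinned to commit `660ac7a2b2e46859d2e27661ddda11151a9000cb`; please record in the commit message or a Cargo.toml comment which feature the fork adds (presumably what the secrets mounting needs) and whether it has been submitted upstream, so the fork does not become a permanent, unreviewed supply-chain dependency. Pinning to a `rev` is the right choice while the fork is needed, since a branch reference would let the build change under you.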

@@ -1,8 +1,8 @@
The image `aixigo/prevant-api` provides the REST-API in order to deploy Docker containers and to compose them into reviewable application.
The image `aixigo/prevant` provides the REST-API in order to deploy containers and to compose them into reviewable application.

# Configuration

In order to configure the REST-API container create a [TOML](https://github.com/toml-lang/toml) file that is mounted to the docker container's path `/app/config.toml`.
In order to configure PREvant create a [TOML](https://github.com/toml-lang/toml) file that is mounted to the container's path `/app/config.toml`.
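Review bot: grammar in the rewritten first line: "compose them into reviewable application" should read "compose them into reviewable applications", and "REST-API" is still hyphenated here while the configuration text now just says "PREvant"; pick one wording for the image description.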

## Container Options

@@ -28,6 +28,32 @@ user = ''
password = ''
```

## Services

PREvant provides central configuration options for services deployed through its REST-API. For example, you can define that PREvant mounts a secret for a specific service of an application.

### Secrets

As secrets in [Docker Swarm](https://docs.docker.com/engine/swarm/secrets/) and [Docker-Compose](https://docs.docker.com/compose/compose-file/#secrets) PREvant mounts secrets und `/run/secrets/<secret_name>`. Therefore, you can use following configuration section to define secrets for each service.

Following example provides two secrets for the service `nginx`, mounted at `/run/secrets/cert.pem` and `/run/secrets/key.pem`, available for the application `master`.

```toml
[services.nginx]
[[services.nginx.secrets]]
# The name of the secret mounted in the container.
name = "cert.pem"
# base64 encoded value of the secret
data = "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS…FUlRJRklDQVRFLS0tLS0K"
# An optional regular expression that checks if the secret has to be
# mounted for this service. Default is ".+" (any app)
appSelector = "master"
[[services.nginx.secrets]]
name = "key.pem"
data = "LS0tLS1CRUdJTiBFTkNSWVBURUQgUF…JVkFURSBLRVktLS0tLQo="
```

## Companions

It is possible to start containers that will be started when the client requests to create a new service. For example, if the application requires an [OpenID](https://en.wikipedia.org/wiki/OpenID_Connect) provider, it is possible to create a configuration that starts the provider for each application. Another use case might be a Kafka services that is required by the application.
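Review bot: the example and its description disagree: the prose says both secrets are "available for the application `master`", but only `cert.pem` carries `appSelector = "master"`, while `key.pem` falls back to the documented default `".+"` and is therefore mounted into `nginx` for every application. Add `appSelector = "master"` to the second entry or change the sentence. Two more documentation points on this section: state whether `appSelector` must match the whole application name or any substring (if it is a substring match, `master` also matches names such as `master-v2`, and readers should write `^master$`), and add a sentence that `data` is only base64-encoded, not encrypted, so `/app/config.toml` now holds key material and must be protected with file permissions like any other credential store. Typos: "und `/run/secrets/...`" should be "under", "As secrets in" should be "As with secrets in", and "following example" / "following configuration section" should be "the following ...".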
@@ -41,7 +67,6 @@ For these use cases following sections provide example configurations.
If you want to include an OpenID provider for every application, you could use following configuration.

```toml
[[companions]]
[companions.openid]
type = 'application'
image = 'private.example.com/library/opendid:latest'
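Review bot: the heading change from `[[companions]]` (array of tables) to `[companions.openid]` (named table) alters the TOML shape of the companions section; make sure the loader and every other example in this README use the same form, and fix the image name typo in the context line, `opendid:latest` should be `openid:latest`.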
@@ -94,12 +119,12 @@ PREvant provides some handlebars helpers which can be used to generate more comp
The service-based companions works the in the same way as the application-based services. Make sure, that the `serviceName` is unique by using the handlebars templating.

```toml
[[companions]]
[[companions.services]]
[companions.service-name]
serviceName = '{{service.name}}-db'
image = 'postgres:11'
env = [ 'KEY=VALUE' ]
[companions.services.postgres.volumes]
[companions.service-name.postgres.volumes]
"/path/to/volume.properties" == "…"
[companions.openid.labels]
"com.github.prevant" = "bar-{{application.name}}"
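Review bot: this example is not valid TOML and does not match the new schema: `"/path/to/volume.properties" == "…"` uses `==` where a single `=` is required, the new table name `[companions.service-name.postgres.volumes]` keeps a stray `postgres` segment (the parent table is `companions.service-name`, so this should be `[companions.service-name.volumes]`), and `[companions.openid.labels]` below it belongs to the OpenID example and should read `[companions.service-name.labels]`. Since readers will copy this block into `/app/config.toml`, please run it through a TOML parser before merging.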
@@ -110,11 +110,6 @@ paths:
type: string
required: true
description: Name of review app to delete
requestBody:
description: ''
required: false
content:
application/json:
responses:
'200':
description: 'List of deleted containers'
@@ -190,7 +185,6 @@ components:
- service-companion
example: instance
version:
type: object
$ref: '#/components/schemas/Version'
url:
type: string
@@ -96,6 +96,7 @@ fn openapi(request_info: RequestInfo) -> Option<String> {
fn main() {
let argument_matches = App::new(crate_name!())
.version(crate_version!())
.author(crate_authors!())
.arg(
Arg::with_name("config")
.short("c")
@@ -69,6 +69,7 @@ pub struct ServiceConfig {
#[serde(deserialize_with = "Image::parse_from_string")]
image: Image,
env: Option<Vec<String>>,
// TODO: rename this field because it does not match to volumes any more (it is file content)
volumes: Option<BTreeMap<String, String>>,
#[serde(skip)]
labels: Option<BTreeMap<String, String>>,
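Review bot: the added TODO on `volumes` says the field now holds file content rather than volume mounts; given that this commit also adds the `secstr` dependency, consider doing the rename here and storing the values as `SecStr` (or at least excluding the field from any `Debug`/`Serialize` output) so that secret contents do not end up in log lines or API responses when a `ServiceConfig` is printed. Leaving the TODO with plain `String` values means the secret material is handled like ordinary configuration.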
@@ -147,6 +148,16 @@ impl ServiceConfig {
}
}

pub fn add_volume(&mut self, path: String, data: String) {
if let Some(ref mut volumes) = self.volumes {
volumes.insert(path, data);
} else {
let mut volumes = BTreeMap::new();
volumes.insert(path, data);
self.volumes = Some(volumes);
}
}

pub fn set_volumes(&mut self, volumes: Option<BTreeMap<String, String>>) {
self.volumes = volumes;
}
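Review bot: `add_volume` silently overwrites an existing entry with the same `path`, so a secret mounted at `/run/secrets/<name>` can replace a user-configured file at the same path (or vice versa) without any signal; return the `Option` from `insert` or log a warning on collision. The `if let ... else` can also be collapsed to `self.volumes.get_or_insert_with(BTreeMap::new).insert(path, data)`. Likewise `set_volumes` replaces the whole map, so any caller that invokes it after secrets were added discards them; document the intended call order or have it merge.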

0 comments on commit 4c7e256
