Feat: Secret Environment Variables #95

Merged
merged 4 commits into from
Apr 25, 2022


rblaine95
Collaborator

@rblaine95 rblaine95 commented Apr 18, 2022

Original PR Description:

  • Add optional remoteAuthHeaders value
  • Populating the value creates a Kubernetes Secret
  • envFrom is used to inject secret keys/values as environment
    variables

My take on #94

Updated:
Made the feature more generic and renamed it to secretEnvVars
Allows you to pass sensitive environment variables to the container via a k8s secret.
Use case would be similar to #94 (comment)

# values.yaml
secretEnvVars:
  FOO_TOKEN: supersecrettoken
# verdaccio config.yaml
uplinks:
  private:
    url: https://private-registry.domain.com/registry
    auth:
      type: bearer
      token_env: FOO_TOKEN

@rblaine95
Collaborator Author

rblaine95 commented Apr 18, 2022

# helm template verdaccio --set remoteAuthHeaders.foo=bar -s templates/secret.yaml -s templates/deployment.yaml ./charts/verdaccio
---
# Source: verdaccio/templates/secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: verdaccio
  labels:
    helm.sh/chart: verdaccio-4.8.0
    app.kubernetes.io/name: verdaccio
    app.kubernetes.io/instance: verdaccio
    app.kubernetes.io/version: "5.5.0"
    app.kubernetes.io/managed-by: Helm
    app: verdaccio
stringData:
  AUTH_FOO: bar
---
# Source: verdaccio/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: verdaccio
  labels:
    helm.sh/chart: verdaccio-4.8.0
    app.kubernetes.io/name: verdaccio
    app.kubernetes.io/instance: verdaccio
    app.kubernetes.io/version: "5.5.0"
    app.kubernetes.io/managed-by: Helm
    app: verdaccio
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: verdaccio
      app.kubernetes.io/instance: verdaccio
[...]
      containers:
        - name: verdaccio
          image: "verdaccio/verdaccio:5.2.0"
          imagePullPolicy: IfNotPresent
          envFrom:
            - secretRef:
                name: verdaccio
          ports:
            - containerPort: 4873
              name: http
[...]

@rblaine95 rblaine95 force-pushed the feat/upstream-auth-headers branch 2 times, most recently from ba1c2e1 to c6ba771 Compare April 18, 2022 12:54
@rblaine95
Collaborator Author

I'm keeping this as a WIP/Draft PR as I don't have a k8s cluster at hand to test that the environment variables are successfully injected into the pod.

@juanpicado, does Verdaccio currently look for AUTH_* environment variables for authenticating with private upstreams as described in #94?

@rblaine95 rblaine95 changed the title [WIP] Feat: Private repo auth header via secrets [WIP] Feat: Private repo auth header environment variables via secrets Apr 18, 2022
@juanpicado
Member

> I'm keeping this as a WIP/Draft PR as I don't have a k8s cluster at hand to test that the environment variables are successfully injected into the pod.
>
> @juanpicado, does Verdaccio currently look for AUTH_* environment variables for authenticating with private upstreams as described in #94?

Nop

@rblaine95
Collaborator Author

Tested helm install verdaccio -n test --set remoteAuthHeaders.foo=bar ./charts/verdaccio in a k8s cluster.
Exec'd into the pod (kubectl exec -ti verdaccio-745f85f97d-lf5km -- sh) and verified that the environment variable was successfully injected.

$ env | grep AUTH
AUTH_FOO=bar

@rblaine95
Collaborator Author

rblaine95 commented Apr 19, 2022

Seeing as you can specify an env variable for verdaccio to grab a token from (docs), I think I'm going to remove the AUTH_ prepend.

Edit: Maybe change this from remoteAuthHeaders to secretEnvVars or something?

* Add optional `remoteAuthHeaders` value
* Populating the value creates a Kubernetes Secret
* `envFrom` is used to inject secret keys/values as environment
  variables
@rblaine95 rblaine95 changed the title [WIP] Feat: Private repo auth header environment variables via secrets Feat: Secret Environment Variables Apr 21, 2022
* Make it more generic so you can inject sensitive env vars via k8s
  secret
@rblaine95 rblaine95 marked this pull request as ready for review April 21, 2022 16:55
juanpicado
juanpicado previously approved these changes Apr 23, 2022
Member

@juanpicado juanpicado left a comment

LGTM great addition @rblaine95

@juanpicado juanpicado requested a review from a team April 23, 2022 04:34
* Add checksum of env secret to annotations
* Change in checksum triggers deployment rollout
@juanpicado
Member

I think this is worth mentioning either

Probably first, according to my stats people rarely arrive on this repo.

@juanpicado juanpicado merged commit 9b1c809 into verdaccio:master Apr 25, 2022
@juanpicado
Member

I'll merge, thanks @rblaine95. I don't want to delay this interesting feature any more.

@rblaine95 rblaine95 deleted the feat/upstream-auth-headers branch April 25, 2022 15:55
@rblaine95
Collaborator Author

Thank you @juanpicado

Would you like me to take a look at updating the documentation at verdaccio/verdaccio/website/docs/uplinks.md and/or verdaccio/verdaccio/website/docs/kubernetes.md to reference this feature?

@juanpicado
Member

Yes please, that would be awesome, I'm now fully focused on rewriting the core 😓 for v6.
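
An added example, not part of the PR or the chart's code: a Python model of the flow discussed in this thread, where `secretEnvVars` becomes a Secret, a checksum of that Secret goes into the annotations so a change triggers a rollout, and the Verdaccio `token_env` has to name a key the Secret provides. The function names, the variable-name rule and the JSON-based checksum are assumptions of this sketch; the chart's own hashing is not shown on the page.

```python
import hashlib
import json
import re

# Conservative C-identifier rule for environment variable names (assumption of this sketch).
ENV_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def build_secret(name, secret_env_vars):
    """Model of the Secret rendered when secretEnvVars is populated."""
    bad = sorted(k for k in secret_env_vars if not ENV_NAME.match(k))
    if bad:
        raise ValueError(f"not usable as environment variable names: {bad}")
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "stringData": {k: str(v) for k, v in secret_env_vars.items()},
    }


def secret_checksum(secret):
    """SHA-256 over a canonical rendering; stands in for the checksum annotation."""
    canonical = json.dumps(secret, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def missing_token_envs(verdaccio_config, secret):
    """Uplinks whose auth.token_env names a variable the Secret does not provide."""
    provided = set(secret["stringData"])
    missing = {}
    for uplink, cfg in verdaccio_config.get("uplinks", {}).items():
        token_env = (cfg.get("auth") or {}).get("token_env")
        if isinstance(token_env, str) and token_env not in provided:
            missing[uplink] = token_env
    return missing


# Constructed sample input mirroring the values.yaml / config.yaml pair in the PR description.
VALUES = {"secretEnvVars": {"FOO_TOKEN": "supersecrettoken"}}
CONFIG = {"uplinks": {"private": {
    "url": "https://private-registry.domain.com/registry",
    "auth": {"type": "bearer", "token_env": "FOO_TOKEN"}}}}

if __name__ == "__main__":
    secret = build_secret("verdaccio", VALUES["secretEnvVars"])
    print("checksum annotation value:", secret_checksum(secret))
    print("uplinks missing a token variable:", missing_token_envs(CONFIG, secret))
```

Only the checksum is printed, never the Secret itself, so running the check in CI does not put the token into job logs.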
