WIP: allow kubernetes Secrets to be injected into the worker's enviro…

…nment (#189) Allow kubernetes Secrets to be injected into the worker's environment (#189)
getgort · Jan 4, 2022 · b4c0667 · b4c0667
1 parent 9044330
commit b4c0667
Show file tree

Hide file tree

Showing 4 changed files with 23 additions and 7 deletions.
diff --git a/data/bundle.go b/data/bundle.go
@@ -135,6 +135,7 @@ func (c *BundleCommand) MatchTrigger(ctx context.Context, message string) (bool,
 // BundleKubernetes represents the "bundles/kubernetes" subsection of the config doc
 type BundleKubernetes struct {
 	ServiceAccountName string `yaml:"serviceAccountName,omitempty" json:"serviceAccountName,omitempty"`
+	EnvSecret          string `yaml:"env_secret,omitempty" json:"env_secret,omitempty"`
 }
 
 // CoerceVersionToSemver takes a version number and attempts to coerce it

diff --git a/dataaccess/postgres/bundle-access.go b/dataaccess/postgres/bundle-access.go
@@ -939,14 +939,14 @@ func (da PostgresDataAccess) doBundleGetCommandTemplates(ctx context.Context, tx
 }
 
 func (da PostgresDataAccess) doBundleGetKubernetes(ctx context.Context, tx *sql.Tx, bundleName, bundleVersion string) (data.BundleKubernetes, error) {
-	query := `SELECT service_account_name
+	query := `SELECT service_account_name, env_secret
 		FROM bundle_kubernetes
 		WHERE bundle_name=$1 AND bundle_version=$2`
 
 	var kubernetes data.BundleKubernetes
 
 	err := tx.QueryRowContext(ctx, query, bundleName, bundleVersion).
-		Scan(&kubernetes.ServiceAccountName)
+		Scan(&kubernetes.ServiceAccountName, &kubernetes.EnvSecret)
 
 	switch {
 	case err == sql.ErrNoRows:
@@ -1189,11 +1189,11 @@ func (da PostgresDataAccess) doBundleInsertTemplates(ctx context.Context, tx *sq
 
 func (da PostgresDataAccess) doBundleInsertKubernetes(ctx context.Context, tx *sql.Tx, bundle data.Bundle) error {
 	query := `INSERT INTO bundle_kubernetes
-		(bundle_name, bundle_version, service_account_name)
-		VALUES ($1, $2, $3);`
+		(bundle_name, bundle_version, service_account_name, env_secret)
+		VALUES ($1, $2, $3, $4);`
 
 	_, err := tx.ExecContext(ctx, query, bundle.Name, bundle.Version,
-		bundle.Kubernetes.ServiceAccountName)
+		bundle.Kubernetes.ServiceAccountName, bundle.Kubernetes.EnvSecret)
 
 	if err != nil {
 		if strings.Contains(err.Error(), "violates") {

diff --git a/dataaccess/postgres/postgres-data-access.go b/dataaccess/postgres/postgres-data-access.go
@@ -380,7 +380,8 @@ func (da PostgresDataAccess) createBundleKubernetesTables(ctx context.Context, d
 	createBundlesQuery := `CREATE TABLE bundle_kubernetes (
 		bundle_version 			TEXT NOT NULL,
 		bundle_name				TEXT NOT NULL,
-		service_account_name 	TEXT NOT NULL
+		service_account_name 	TEXT NOT NULL,
+		env_secret            TEXT NOT NULL
 	);
 	`
 
@@ -506,7 +507,7 @@ func (da PostgresDataAccess) createUsersTable(ctx context.Context, db *sql.DB) e
 	var err error
 
 	createUserQuery := `CREATE TABLE users (
-		email         	TEXT UNIQUE NOT NULL,
+		email         	TEXT,
 		full_name     	TEXT,
 		password_hash 	TEXT,
 		username 		TEXT PRIMARY KEY

diff --git a/worker/kubernetes/worker.go b/worker/kubernetes/worker.go
@@ -208,6 +208,19 @@ func (w *KubernetesWorker) buildJobData(ctx context.Context) (*batchv1.Job, erro
 		return nil, err
 	}
 
+	secretEnv := []corev1.EnvFromSource{}
+
+	if w.command.Bundle.Kubernetes.EnvSecret != "" {
+		secretEnv = append(secretEnv, corev1.EnvFromSource{
+			SecretRef: &corev1.SecretEnvSource{
+				LocalObjectReference: corev1.LocalObjectReference{
+					Name: w.command.Bundle.Kubernetes.EnvSecret,
+				},
+			},
+		},
+		)
+	}
+
 	job := &batchv1.Job{
 		TypeMeta: metav1.TypeMeta{APIVersion: "batch/v1", Kind: "Job"},
 		ObjectMeta: metav1.ObjectMeta{
@@ -230,6 +243,7 @@ func (w *KubernetesWorker) buildJobData(ctx context.Context) (*batchv1.Job, erro
 							Command: w.entryPoint,
 							Args:    w.commandParameters,
 							Env:     envVars,
+							EnvFrom: secretEnv,
 						},
 					},
 					RestartPolicy: corev1.RestartPolicyNever,