fix: Pass deploy token to run jobs through secret (#289)

maciaszczykm · web-flow · commit bed50ef454e9 · 2024-10-01T11:06:30.000+02:00
* upsert run secret

* use env vars instead of args

* rename secret

* fix typo

* go mod tidy

* fix typo

* fix build issue

* add env var prefix

* flip condition
diff --git a/cmd/agent/args/args.go b/cmd/agent/args/args.go
@@ -266,6 +266,6 @@ func ResourceCacheEnabled() bool {
 func ensureOrDie(argName string, arg *string) {
 	if arg == nil || len(*arg) == 0 {
 		pflag.PrintDefaults()
-		panic(fmt.Sprintf("%s arg is rquired", argName))
+		panic(fmt.Sprintf("%s arg is required", argName))
 	}
 }
diff --git a/cmd/harness/args/args.go b/cmd/harness/args/args.go
@@ -122,6 +122,6 @@ func LogFlushBufferSize() int {
 func ensureOrDie(argName string, arg *string) {
 	if arg == nil || len(*arg) == 0 {
 		pflag.PrintDefaults()
-		panic(fmt.Sprintf("%s arg is rquired", argName))
+		panic(fmt.Sprintf("%s arg is required", argName))
 	}
 }
diff --git a/go.mod b/go.mod
@@ -19,6 +19,7 @@ require (
 	github.com/gobuffalo/flect v1.0.2
 	github.com/gofrs/flock v0.12.1
 	github.com/golangci/golangci-lint v1.61.0
+	github.com/google/gnostic-models v0.6.8
 	github.com/hashicorp/terraform-json v0.22.1
 	github.com/mitchellh/mapstructure v1.5.0
 	github.com/onsi/ginkgo/v2 v2.20.2
@@ -40,7 +41,6 @@ require (
 	github.com/vektra/mockery/v2 v2.45.1
 	github.com/vmware-tanzu/velero v1.14.1
 	github.com/yuin/gopher-lua v1.1.1
-	go.uber.org/zap v1.27.0
 	golang.org/x/exp v0.0.0-20240909161429-701f63a606c0
 	gopkg.in/yaml.v3 v3.0.1
 	helm.sh/helm/v3 v3.16.1
@@ -193,7 +193,6 @@ require (
 	github.com/golangci/unconvert v0.0.0-20240309020433-c5143eacb3ed // indirect
 	github.com/google/btree v1.1.2 // indirect
 	github.com/google/cel-go v0.20.1 // indirect
-	github.com/google/gnostic-models v0.6.8 // indirect
 	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/pprof v0.0.0-20240827171923-fa2c70bbbfe5 // indirect
@@ -352,6 +351,7 @@ require (
 	go.starlark.net v0.0.0-20230525235612-a134d8f9ddca // indirect
 	go.uber.org/automaxprocs v1.5.3 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
+	go.uber.org/zap v1.27.0 // indirect
 	golang.org/x/arch v0.8.0 // indirect
 	golang.org/x/crypto v0.27.0 // indirect
 	golang.org/x/exp/typeparams v0.0.0-20240314144324-c7f7c6466f7f // indirect
diff --git a/pkg/controller/stacks/job.go b/pkg/controller/stacks/job.go
@@ -7,6 +7,8 @@ import (
 	"strings"
 
 	console "github.com/pluralsh/console/go/client"
+	"github.com/pluralsh/deployment-operator/internal/metrics"
+	consoleclient "github.com/pluralsh/deployment-operator/pkg/client"
 	"github.com/pluralsh/polly/algorithms"
 	"github.com/samber/lo"
 	batchv1 "k8s.io/api/batch/v1"
@@ -15,9 +17,6 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/log"
-
-	"github.com/pluralsh/deployment-operator/internal/metrics"
-	consoleclient "github.com/pluralsh/deployment-operator/pkg/client"
 )
 
 const (
@@ -85,6 +84,10 @@ func (r *StackReconciler) reconcileRunJob(ctx context.Context, run *console.Stac
 			return nil, err
 		}
 
+		if _, err = r.upsertRunSecret(ctx); err != nil {
+			return nil, err
+		}
+
 		logger.V(2).Info("generating job", "namespace", r.namespace, "name", jobName)
 		job := r.GenerateRunJob(run, jobName)
 
@@ -208,6 +211,8 @@ func (r *StackReconciler) ensureDefaultContainer(containers []corev1.Container,
 
 		containers[index].Args = r.getDefaultContainerArgs(run.ID)
 
+		containers[index].EnvFrom = r.getDefaultContainerEnvFrom()
+
 		containers[index].VolumeMounts = ensureDefaultVolumeMounts(containers[index].VolumeMounts)
 	}
 	return containers
@@ -224,6 +229,7 @@ func (r *StackReconciler) getDefaultContainer(run *console.StackRunFragment) cor
 		},
 		SecurityContext: ensureDefaultContainerSecurityContext(nil),
 		Env:             make([]corev1.EnvVar, 0),
+		EnvFrom:         r.getDefaultContainerEnvFrom(),
 	}
 }
 
@@ -293,14 +299,22 @@ func (r *StackReconciler) getTag(run *console.StackRunFragment) string {
 	return defaultImageTag
 }
 
-func (r *StackReconciler) getDefaultContainerArgs(runID string) []string {
-	return []string{
-		fmt.Sprintf("--console-url=%s", r.consoleURL),
-		fmt.Sprintf("--console-token=%s", r.deployToken),
-		fmt.Sprintf("--stack-run-id=%s", runID),
+func (r *StackReconciler) getDefaultContainerEnvFrom() []corev1.EnvFromSource {
+	return []corev1.EnvFromSource{
+		{
+			SecretRef: &corev1.SecretEnvSource{
+				LocalObjectReference: corev1.LocalObjectReference{
+					Name: jobRunSecretName,
+				},
+			},
+		},
 	}
 }
 
+func (r *StackReconciler) getDefaultContainerArgs(runID string) []string {
+	return []string{fmt.Sprintf("--stack-run-id=%s", runID)}
+}
+
 func ensureDefaultVolumeMounts(mounts []corev1.VolumeMount) []corev1.VolumeMount {
 	return append(
 		algorithms.Filter(mounts, func(v corev1.VolumeMount) bool {
diff --git a/pkg/controller/stacks/secret.go b/pkg/controller/stacks/secret.go
@@ -0,0 +1,67 @@
+package stacks
+
+import (
+	"context"
+
+	corev1 "k8s.io/api/core/v1"
+	apierrs "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/log"
+)
+
+const (
+	jobRunSecretName = "job-run-env"
+	envConsoleUrl    = "PLRL_CONSOLE_URL"
+	envConsoleToken  = "PLRL_CONSOLE_TOKEN"
+)
+
+func (r *StackReconciler) getRunSecretData() map[string]string {
+	return map[string]string{
+		envConsoleUrl:   r.consoleURL,
+		envConsoleToken: r.deployToken,
+	}
+}
+
+func (r *StackReconciler) hasRunSecretData(data map[string][]byte) bool {
+	token, hasToken := data[envConsoleToken]
+	url, hasUrl := data[envConsoleUrl]
+	return hasToken && hasUrl && string(token) == r.deployToken && string(url) == r.consoleURL
+}
+
+func (r *StackReconciler) upsertRunSecret(ctx context.Context) (*corev1.Secret, error) {
+	logger := log.FromContext(ctx)
+	secret := &corev1.Secret{}
+
+	if err := r.k8sClient.Get(ctx, types.NamespacedName{Name: jobRunSecretName, Namespace: r.namespace}, secret); err != nil {
+		if !apierrs.IsNotFound(err) {
+			return nil, err
+		}
+
+		logger.V(2).Info("generating secret", "namespace", r.namespace, "name", jobRunSecretName)
+		secret = &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{Name: jobRunSecretName, Namespace: r.namespace},
+			StringData: r.getRunSecretData(),
+		}
+
+		logger.V(2).Info("creating secret", "namespace", secret.Namespace, "name", secret.Name)
+		if err := r.k8sClient.Create(ctx, secret); err != nil {
+			logger.Error(err, "unable to create secret")
+			return nil, err
+		}
+
+		return secret, nil
+	}
+
+	if !r.hasRunSecretData(secret.Data) {
+		logger.V(2).Info("updating secret", "namespace", secret.Namespace, "name", secret.Name)
+		secret.StringData = r.getRunSecretData()
+		if err := r.k8sClient.Update(ctx, secret); err != nil {
+			logger.Error(err, "unable to update secret")
+			return nil, err
+		}
+	}
+
+	return secret, nil
+
+}

Original file line number	Diff line number	Diff line change
`@@ -266,6 +266,6 @@ func ResourceCacheEnabled() bool {`
`266`	`266`	`func ensureOrDie(argName string, arg *string) {`
`267`	`267`	`if arg == nil \|\| len(*arg) == 0 {`
`268`	`268`	`pflag.PrintDefaults()`
`269`		`- panic(fmt.Sprintf("%s arg is rquired", argName))`
	`269`	`+ panic(fmt.Sprintf("%s arg is required", argName))`
`270`	`270`	`}`
`271`	`271`	`}`
Original file line number	Diff line number	Diff line change
`@@ -122,6 +122,6 @@ func LogFlushBufferSize() int {`
`122`	`122`	`func ensureOrDie(argName string, arg *string) {`
`123`	`123`	`if arg == nil \|\| len(*arg) == 0 {`
`124`	`124`	`pflag.PrintDefaults()`
`125`		`- panic(fmt.Sprintf("%s arg is rquired", argName))`
	`125`	`+ panic(fmt.Sprintf("%s arg is required", argName))`
`126`	`126`	`}`
`127`	`127`	`}`