
fix: Pass deploy token to run jobs through secret (#289)
* upsert run secret * use env vars instead of args * rename secret * fix typo * go mod tidy * fix typo * fix build issue * add env var prefix * flip condition
1 parent 3833bc1 commit bed50ef


5 files changed

+93
-12
lines changed


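--- a/cmd/agent/args/args.go
+++ b/cmd/agent/args/args.go
@@ -266,6 +266,6 @@ func ResourceCacheEnabled() bool {
 func ensureOrDie(argName string, arg *string) {
 if arg == nil || len(*arg) == 0 {
 pflag.PrintDefaults()
-panic(fmt.Sprintf("%s arg is rquired", argName))
+panic(fmt.Sprintf("%s arg is required", argName))
 }
 }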

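--- a/cmd/harness/args/args.go
+++ b/cmd/harness/args/args.go
@@ -122,6 +122,6 @@ func LogFlushBufferSize() int {
 func ensureOrDie(argName string, arg *string) {
 if arg == nil || len(*arg) == 0 {
 pflag.PrintDefaults()
-panic(fmt.Sprintf("%s arg is rquired", argName))
+panic(fmt.Sprintf("%s arg is required", argName))
 }
 }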

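--- a/go.mod
+++ b/go.mod
@@ -19,6 +19,7 @@ require (
 github.com/gobuffalo/flect v1.0.2
 github.com/gofrs/flock v0.12.1
 github.com/golangci/golangci-lint v1.61.0
+github.com/google/gnostic-models v0.6.8
 github.com/hashicorp/terraform-json v0.22.1
 github.com/mitchellh/mapstructure v1.5.0
 github.com/onsi/ginkgo/v2 v2.20.2
@@ -40,7 +41,6 @@ require (
 github.com/vektra/mockery/v2 v2.45.1
 github.com/vmware-tanzu/velero v1.14.1
 github.com/yuin/gopher-lua v1.1.1
-go.uber.org/zap v1.27.0
 golang.org/x/exp v0.0.0-20240909161429-701f63a606c0
 gopkg.in/yaml.v3 v3.0.1
 helm.sh/helm/v3 v3.16.1
@@ -193,7 +193,6 @@ require (
 github.com/golangci/unconvert v0.0.0-20240309020433-c5143eacb3ed // indirect
 github.com/google/btree v1.1.2 // indirect
 github.com/google/cel-go v0.20.1 // indirect
-github.com/google/gnostic-models v0.6.8 // indirect
 github.com/google/go-cmp v0.6.0 // indirect
 github.com/google/gofuzz v1.2.0 // indirect
 github.com/google/pprof v0.0.0-20240827171923-fa2c70bbbfe5 // indirect
@@ -352,6 +351,7 @@ require (
 go.starlark.net v0.0.0-20230525235612-a134d8f9ddca // indirect
 go.uber.org/automaxprocs v1.5.3 // indirect
 go.uber.org/multierr v1.11.0 // indirect
+go.uber.org/zap v1.27.0 // indirect
 golang.org/x/arch v0.8.0 // indirect
 golang.org/x/crypto v0.27.0 // indirect
 golang.org/x/exp/typeparams v0.0.0-20240314144324-c7f7c6466f7f // indirect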

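--- a/pkg/controller/stacks/job.go
+++ b/pkg/controller/stacks/job.go
@@ -7,6 +7,8 @@ import (
 "strings"
 
 console "github.com/pluralsh/console/go/client"
+"github.com/pluralsh/deployment-operator/internal/metrics"
+consoleclient "github.com/pluralsh/deployment-operator/pkg/client"
 "github.com/pluralsh/polly/algorithms"
 "github.com/samber/lo"
 batchv1 "k8s.io/api/batch/v1"
@@ -15,9 +17,6 @@ import (
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/types"
 "sigs.k8s.io/controller-runtime/pkg/log"
-
-"github.com/pluralsh/deployment-operator/internal/metrics"
-consoleclient "github.com/pluralsh/deployment-operator/pkg/client"
 )
 
 const (
@@ -85,6 +84,10 @@ func (r *StackReconciler) reconcileRunJob(ctx context.Context, run *console.Stac
 return nil, err
 }
 
+if _, err = r.upsertRunSecret(ctx); err != nil {
+return nil, err
+}
+
 logger.V(2).Info("generating job", "namespace", r.namespace, "name", jobName)
 job := r.GenerateRunJob(run, jobName)
 
@@ -208,6 +211,8 @@ func (r *StackReconciler) ensureDefaultContainer(containers []corev1.Container,
 
 containers[index].Args = r.getDefaultContainerArgs(run.ID)
 
+containers[index].EnvFrom = r.getDefaultContainerEnvFrom()
+
 containers[index].VolumeMounts = ensureDefaultVolumeMounts(containers[index].VolumeMounts)
 }
 return containers
@@ -224,6 +229,7 @@ func (r *StackReconciler) getDefaultContainer(run *console.StackRunFragment) cor
 },
 SecurityContext: ensureDefaultContainerSecurityContext(nil),
 Env: make([]corev1.EnvVar, 0),
+EnvFrom: r.getDefaultContainerEnvFrom(),
 }
 }
 
@@ -293,14 +299,22 @@ func (r *StackReconciler) getTag(run *console.StackRunFragment) string {
 return defaultImageTag
 }
 
-func (r *StackReconciler) getDefaultContainerArgs(runID string) []string {
-return []string{
-fmt.Sprintf("--console-url=%s", r.consoleURL),
-fmt.Sprintf("--console-token=%s", r.deployToken),
-fmt.Sprintf("--stack-run-id=%s", runID),
+func (r *StackReconciler) getDefaultContainerEnvFrom() []corev1.EnvFromSource {
+return []corev1.EnvFromSource{
+{
+SecretRef: &corev1.SecretEnvSource{
+LocalObjectReference: corev1.LocalObjectReference{
+Name: jobRunSecretName,
+},
+},
+},
 }
 }
 
+func (r *StackReconciler) getDefaultContainerArgs(runID string) []string {
+return []string{fmt.Sprintf("--stack-run-id=%s", runID)}
+}
+
 func ensureDefaultVolumeMounts(mounts []corev1.VolumeMount) []corev1.VolumeMount {
 return append(
 algorithms.Filter(mounts, func(v corev1.VolumeMount) bool {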
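Review bot: In ensureDefaultContainer the new `containers[index].EnvFrom = r.getDefaultContainerEnvFrom()` replaces whatever EnvFrom a user-supplied default container already carried, whereas VolumeMounts on the following line are merged through ensureDefaultVolumeMounts; if caller-provided env sources are meant to survive, append instead: `containers[index].EnvFrom = append(containers[index].EnvFrom, r.getDefaultContainerEnvFrom()...)`. Taking the deploy token out of the container args keeps it out of the Job/Pod spec and the process command line, but it remains in the container environment, so `kubectl exec`, core dumps and any child process can still read it — a short comment on getDefaultContainerEnvFrom stating that trade-off would help the next reader. Only the typo fix in cmd/harness/args is part of this commit, so the harness actually reading PLRL_CONSOLE_URL/PLRL_CONSOLE_TOKEN is presumably wired elsewhere and cannot be confirmed from this diff. The bodies of reconcileRunJob and ensureDefaultContainer extend beyond their hunks.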

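--- a/pkg/controller/stacks/secret.go
+++ b/pkg/controller/stacks/secret.go
@@ -0,0 +1,67 @@
+package stacks
+
+import (
+"context"
+
+corev1 "k8s.io/api/core/v1"
+apierrs "k8s.io/apimachinery/pkg/api/errors"
+metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+"k8s.io/apimachinery/pkg/types"
+"sigs.k8s.io/controller-runtime/pkg/log"
+)
+
+const (
+jobRunSecretName = "job-run-env"
+envConsoleUrl = "PLRL_CONSOLE_URL"
+envConsoleToken = "PLRL_CONSOLE_TOKEN"
+)
+
+func (r *StackReconciler) getRunSecretData() map[string]string {
+return map[string]string{
+envConsoleUrl: r.consoleURL,
+envConsoleToken: r.deployToken,
+}
+}
+
+func (r *StackReconciler) hasRunSecretData(data map[string][]byte) bool {
+token, hasToken := data[envConsoleToken]
+url, hasUrl := data[envConsoleUrl]
+return hasToken && hasUrl && string(token) == r.deployToken && string(url) == r.consoleURL
+}
+
+func (r *StackReconciler) upsertRunSecret(ctx context.Context) (*corev1.Secret, error) {
+logger := log.FromContext(ctx)
+secret := &corev1.Secret{}
+
+if err := r.k8sClient.Get(ctx, types.NamespacedName{Name: jobRunSecretName, Namespace: r.namespace}, secret); err != nil {
+if !apierrs.IsNotFound(err) {
+return nil, err
+}
+
+logger.V(2).Info("generating secret", "namespace", r.namespace, "name", jobRunSecretName)
+secret = &corev1.Secret{
+ObjectMeta: metav1.ObjectMeta{Name: jobRunSecretName, Namespace: r.namespace},
+StringData: r.getRunSecretData(),
+}
+
+logger.V(2).Info("creating secret", "namespace", secret.Namespace, "name", secret.Name)
+if err := r.k8sClient.Create(ctx, secret); err != nil {
+logger.Error(err, "unable to create secret")
+return nil, err
+}
+
+return secret, nil
+}
+
+if !r.hasRunSecretData(secret.Data) {
+logger.V(2).Info("updating secret", "namespace", secret.Namespace, "name", secret.Name)
+secret.StringData = r.getRunSecretData()
+if err := r.k8sClient.Update(ctx, secret); err != nil {
+logger.Error(err, "unable to update secret")
+return nil, err
+}
+}
+
+return secret, nil
+
+}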
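Review bot: upsertRunSecret is a Get-then-Create, so if two run reconciles execute concurrently (or the secret appears between the two calls) the Create fails with AlreadyExists and the whole run reconcile errors out; treating that as benign is a one-line change, `if err := r.k8sClient.Create(ctx, secret); err != nil && !apierrs.IsAlreadyExists(err) {`, with the next reconcile taking the update path if the contents differ. The secret is created with no labels, annotations or ownerReference, so nothing marks it as operator-managed or ever removes it, and because its name is the fixed `job-run-env` in r.namespace, any workload in that namespace that can reference secrets can read the deploy token — a comment on jobRunSecretName spelling out that it is a single namespace-wide secret shared by every run job would make that explicit. The Update path writes StringData onto the fetched object and can hit a resourceVersion conflict on a concurrent write, which the reconciler presumably retries via the returned error. None of the three new functions has a doc comment; for example `// upsertRunSecret ensures the namespace-scoped secret carrying the console URL and deploy token for run jobs exists and matches the reconciler's current values.`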
