Skip to content

Commit

Permalink
feat: import secrets copyAllFromCiNamespace + copyAllNeeded
Browse files Browse the repository at this point in the history
  • Loading branch information
devthejo committed Sep 17, 2024
1 parent 230a60d commit 2eae1f0
Show file tree
Hide file tree
Showing 2 changed files with 118 additions and 19 deletions.
115 changes: 114 additions & 1 deletion plugins/contrib/pre-deploy/02-import-secrets.js
Original file line number Diff line number Diff line change
@@ -1,5 +1,91 @@
const async = require("async")

function getNeededSecretNames(manifests) {
const secretSet = new Set()

manifests.forEach((manifest) => {
if (
["Deployment", "StatefulSet", "CronJob", "Job", "DaemonSet"].includes(
manifest.kind
)
) {
const { spec } = manifest

// For CronJob, we need to go one level deeper
const targetSpec =
manifest.kind === "CronJob" ? spec.jobTemplate.spec : spec

// Check for secrets in environment variables
const containers = targetSpec.template.spec.containers || []
containers.forEach((container) => {
const envFrom = container.envFrom || []
envFrom.forEach((env) => {
if (env.secretRef && env.secretRef.name) {
secretSet.add(env.secretRef.name)
}
})

const env = container.env || []
env.forEach((envVar) => {
if (envVar.valueFrom && envVar.valueFrom.secretKeyRef) {
secretSet.add(envVar.valueFrom.secretKeyRef.name)
}
})
})

// Check for secrets in volumes
const volumes = targetSpec.template.spec.volumes || []
volumes.forEach((volume) => {
if (volume.secret && volume.secret.secretName) {
secretSet.add(volume.secret.secretName)
}
})
}
})

return Array.from(secretSet)
}

function filterOutExistingSecrets(manifests, secretNames) {
const existingSecrets = new Set()

manifests.forEach((manifest) => {
if (manifest.kind === "Secret") {
if (manifest.metadata && manifest.metadata.name) {
existingSecrets.add(manifest.metadata.name)
}
} else if (manifest.kind === "SealedSecret") {
// SealedSecret uses spec.template.metadata.name
if (
manifest.spec &&
manifest.spec.template &&
manifest.spec.template.metadata &&
manifest.spec.template.metadata.name
) {
existingSecrets.add(manifest.spec.template.metadata.name)
}
}
})

return secretNames.filter((secretName) => !existingSecrets.has(secretName))
}

async function getSecretNamesFromCiNamespace(
ciNamespace,
kubectl,
kubectlOptions
) {
const names = await kubectl(`get -n ${ciNamespace} secret -oname`, {
...kubectlOptions,
logInfo: false,
logError: false,
})
return names
.split("\n")
.map((name) => name.trim().split("/").pop())
.filter((name) => name)
}

module.exports = async (manifests, options, context) => {
const { utils, config, logger, kubectl } = context
const { KontinuousPluginError } = utils
Expand All @@ -18,7 +104,34 @@ module.exports = async (manifests, options, context) => {
surviveOnBrokenCluster,
}

const { secrets } = options
const { copyAllNeeded = false, copyAllFromCiNamespace = false } = options
let { secrets } = options

if (copyAllNeeded) {
const neededSecretNames = getNeededSecretNames(manifests)
const listedSecretNames = filterOutExistingSecrets(
manifests,
neededSecretNames
)

secrets = {
...listedSecretNames.reduce((acc, name) => ({ ...acc, [name]: {} }), {}),
...secrets,
}
}

if (copyAllFromCiNamespace) {
const listedSecretNames = await getSecretNamesFromCiNamespace(
ciNamespace,
kubectl,
kubectlOptions
)

secrets = {
...listedSecretNames.reduce((acc, name) => ({ ...acc, [name]: {} }), {}),
...secrets,
}
}

const importSecretExec = async (secret) => {
const {
Expand Down
22 changes: 4 additions & 18 deletions plugins/fabrique/kontinuous.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -103,25 +103,11 @@ dependencies:

preDeploy:
importSecrets:
enabled: false
enabled: true
options:
secrets:
kubeconfig:
harbor:
buildkit-client-certs:
pg-admin-user:
from:
- azure-pg-admin-user
- pg-scaleway
# secret-name:
# enabled: true
# reload: false
# required: false
# fromNamespace: <$projectName-ci>
# toNamespace: true
# toAllNamespace: false
# to: azure-pg-admin-user
# from: [azure-pg-admin-user]
copyAllNeeded: false
copyAllFromCiNamespace: true
secrets: {}
rancherNamespaces:
enabled: true
cleanFailed:
Expand Down

0 comments on commit 2eae1f0

Please sign in to comment.