
Allow env mapping for secrets #100

Open
jonnylangefeld wants to merge 1 commit into master from jlf/allow-to-read-secret-keys-as-env-vars

Conversation

jonnylangefeld
Contributor

This was previously not possible.
This is a non-breaking way of fixing #99.
Other ways would introduce breaking changes to variable names.

Additional features:

Example:

DAYTONA_SECRET_DESTINATION_CHAOS_DB=/Users/jonny.langefeld/data/repos/daytona/secrets.json \
K8S_AUTH=true \
K8S_AUTH_MOUNT=kubernetes-gcp-paas-dev-us-west1 \
SECRET_ENV=true \
VAULT_AUTH_ROLE=junogen-chaos-demo-0922 \
VAULT_SECRET_CHAOS_DB=secret-paas/project/jonny-1-click/dev/us-central1/crossplane/cruise-spanner-db/jonnys-spanner \
VAULT_VALUE_KEY_CHAOS_DB_SPANNERDATABASE=SPANNER_DATABASE_ID \
VAULT_VALUE_KEY_CHAOS_DB_SPANNERINSTANCE=SPANNER_INSTANCE_ID \
daytona -entrypoint -- printenv | grep SPANNER
{"level":"info","applicationName":"daytona","version":"","time":"2023-04-04T15:10:36-07:00","message":"Starting..."}
{"level":"info","applicationName":"daytona","time":"2023-04-04T15:10:36-07:00","message":"Attempting to automatically infer some k8s configuration data"}
{"level":"info","applicationName":"daytona","time":"2023-04-04T15:10:36-07:00","message":"Checking for an existing, valid vault token"}
{"level":"info","applicationName":"daytona","time":"2023-04-04T15:10:36-07:00","message":"Couldn't use VAULT_TOKEN, attempting file token instead: no pre-existing client token detected"}
{"level":"info","applicationName":"daytona","tokenPath":"/Users/jonny.langefeld/.vault-token","time":"2023-04-04T15:10:37-07:00","message":"Found an existing token at token path, setting as client token"}
{"level":"info","applicationName":"daytona","time":"2023-04-04T15:10:37-07:00","message":"Starting secret fetch"}
{"level":"debug","applicationName":"daytona","time":"2023-04-04T15:10:37-07:00","message":"reading secret path for VAULT_SECRET_CHAOS_DB=secret-paas/project/jonny-1-click/dev/us-central1/crossplane/cruise-spanner-db/jonnys-spanner"}
{"level":"debug","applicationName":"daytona","secret_count":5,"time":"2023-04-04T15:10:37-07:00","message":"finished reading paths for VAULT_SECRET_CHAOS_DB=secret-paas/project/jonny-1-click/dev/us-central1/crossplane/cruise-spanner-db/jonnys-spanner"}
{"level":"info","applicationName":"daytona","var":"JONNYS-SPANNER_SPANNER_PROJECT_ID","time":"2023-04-04T15:10:37-07:00","message":"Set env var"}
{"level":"info","applicationName":"daytona","var":"JONNYS-SPANNER_KEY.JSON","time":"2023-04-04T15:10:37-07:00","message":"Set env var"}
{"level":"info","applicationName":"daytona","var":"JONNYS-SPANNER_METADATA:SECRET.CROSSPLANE.IO/OWNER-UID","time":"2023-04-04T15:10:37-07:00","message":"Set env var"}
{"level":"info","applicationName":"daytona","var":"JONNYS-SPANNER_SPANNER_DATABASE_ID","time":"2023-04-04T15:10:37-07:00","message":"Set env var"}
{"level":"info","applicationName":"daytona","var":"JONNYS-SPANNER_SPANNER_INSTANCE_ID","time":"2023-04-04T15:10:37-07:00","message":"Set env var"}
{"level":"info","applicationName":"daytona","count":5,"outputDestination":"/Users/jonny.langefeld/data/repos/daytona/secrets.json","time":"2023-04-04T15:10:37-07:00","message":"Wrote secret"}
{"level":"info","applicationName":"daytona","args":["printenv"],"time":"2023-04-04T15:10:37-07:00","message":"Will exec"}
VAULT_VALUE_KEY_CHAOS_DB_SPANNERDATABASE=SPANNER_DATABASE_ID
VAULT_VALUE_KEY_CHAOS_DB_SPANNERINSTANCE=SPANNER_INSTANCE_ID
jonnys-spanner_SPANNER_PROJECT_ID=ca-persistent-systems-dev-qh38
jonnys-spanner_SPANNER_DATABASE_ID=jonnys-spanner
jonnys-spanner_SPANNER_INSTANCE_ID=test-persistent-systems-vmtv6-6bb89
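To make the naming convention in the example above concrete, here is an added Go snippet (not daytona's code, and not taken from this PR): it groups VAULT_SECRET_<NAME>=<path> entries with their VAULT_VALUE_KEY_<NAME>_<KEY>=<ENV_VAR> renames and reports renames that refer to no declared secret. How daytona itself splits NAME from KEY is an assumption here (longest declared NAME wins), and the sample environment is constructed from the command above.

```go
package main

import "strings"

// Constructed sample environment, modelled on the PR description above (not real data).
var sampleEnv = []string{
	"SECRET_ENV=true",
	"VAULT_SECRET_CHAOS_DB=secret-paas/project/jonny-1-click/dev/us-central1/crossplane/cruise-spanner-db/jonnys-spanner",
	"VAULT_VALUE_KEY_CHAOS_DB_SPANNERDATABASE=SPANNER_DATABASE_ID",
	"VAULT_VALUE_KEY_CHAOS_DB_SPANNERINSTANCE=SPANNER_INSTANCE_ID",
	"VAULT_VALUE_KEY_NOT_DECLARED_FOO=BAR", // names no VAULT_SECRET_* entry
}

// secretDef holds, for one logical name such as CHAOS_DB, the Vault path and the requested renames.
type secretDef struct {
	Path    string
	EnvKeys map[string]string // key suffix -> env var name
}

// parseSecretEnv groups VAULT_SECRET_<NAME>=<path> and VAULT_VALUE_KEY_<NAME>_<KEY>=<ENV_VAR>
// pairs by NAME. Because NAME may itself contain underscores (CHAOS_DB), the split point is the
// longest declared NAME. Hypothetical illustration of the convention, not daytona's implementation.
func parseSecretEnv(environ []string) (defs map[string]*secretDef, unresolved []string) {
	defs = map[string]*secretDef{}
	for _, kv := range environ {
		if k, v, ok := strings.Cut(kv, "="); ok && strings.HasPrefix(k, "VAULT_SECRET_") {
			defs[strings.TrimPrefix(k, "VAULT_SECRET_")] = &secretDef{Path: v, EnvKeys: map[string]string{}}
		}
	}
	for _, kv := range environ {
		k, v, ok := strings.Cut(kv, "=")
		if !ok || !strings.HasPrefix(k, "VAULT_VALUE_KEY_") {
			continue
		}
		rest := strings.TrimPrefix(k, "VAULT_VALUE_KEY_")
		best := ""
		for n := range defs {
			if strings.HasPrefix(rest, n+"_") && len(n) > len(best) {
				best = n
			}
		}
		if best == "" { // a rename with no matching secret would otherwise be silently ignored
			unresolved = append(unresolved, k)
			continue
		}
		defs[best].EnvKeys[strings.TrimPrefix(rest, best+"_")] = v
	}
	return defs, unresolved
}
```

Reporting the unresolved list at startup is the check a deployer wants: a typo in the NAME part of a rename otherwise leaves the secret under its default variable name without any error.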

@jonnylangefeld force-pushed the jlf/allow-to-read-secret-keys-as-env-vars branch from 4bd0456 to 30879e0 on April 4, 2023 22:12
This was previously not possible.
This is a non-breaking way of fixing cruise-automation#99.
Other ways would introduce breaking changes to variable names.

Additional features:
* allow to rename secret keys in env variables (see https://github.com/cruise-automation/daytona/issues/99#issuecomment-1492390145)
* allow to store selected secret keys as env variables and in a file
@jonnylangefeld force-pushed the jlf/allow-to-read-secret-keys-as-env-vars branch from 30879e0 to 46dfae9 on April 4, 2023 22:13
@@ -285,7 +303,7 @@ func (sd *SecretDefinition) addSecrets(secretResult *SecretResult) error {
return fmt.Errorf("vault listed a secret %s %s, but failed trying to read it; likely the rate-limiting retry attempts were exceeded", keyName, keyPath)
}

if !sd.plural && sd.outputDestination != "" {
if !sd.plural && sd.outputDestination != "" && len(sd.secretEnvMapping) == 0 {
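Review bot: the changed guard at the end of this hunk, `if !sd.plural && sd.outputDestination != "" && len(sd.secretEnvMapping) == 0 {`, skips the guarded branch whenever a mapping is configured even though outputDestination is set, and the hunk does not show whether the file write still happens in that case, while the commit message promises "as env variables and in a file". Please add a comment above the condition stating the intended behaviour when both are set, and add a test that sets outputDestination together with a non-empty secretEnvMapping, since the existing tests (per the author's comment that dropping the outputDestination check broke many of them) only pin the no-mapping path.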
Contributor Author


My initial approach was just to remove sd.outputDestination, but that would make many tests fail, which means that the current API would be broken.

Instead I decided to make this non-breaking change, which doesn't fix the bug, but at least allows for setting environment variables.

@broamski
Collaborator

broamski commented Apr 5, 2023

Can we please limit this to the problem described in #99 and attempt to solve vault key re-mapping in a separate PR? We may want to add this capability to an upcoming 2.0.0 release. Thank you!

@jonnylangefeld
Contributor Author

Got it! I opened a new PR #101.
Feel free to close this one or keep it open for the 2.0.0 release.
This PR basically addressed only #99 (comment) and not #101 itself. So it looks like @massenz's comment should be filed as a new issue.
