Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: template lagoon-env secret #397

Draft
wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

feat: template lagoon-env secret #397

wants to merge 1 commit into from

Conversation

shreddedbacon
Copy link
Member

Description

Secrets 🔒

The lagoon-env configmap generation has been converted into Go templates while also changing to secrets to address #392

Actually deleting variables?!

This also fixes the long running #136 bug by converting the old lagoon-env configmap into two secrets and working out what should and shouldn't exist in each.

  • lagoon-env - will contain only variables that are in the Lagoon API.
    • this is the classic lagoon-env configmap you're all familiar with, except now it is a secret, and now it only contains what is in the Lagoon API with global and runtime scoped variables.
  • lagoon-platform-env - will contain anything that was previously in the configmap, but isn't in the Lagoon API.
    • this secret also serves a second purpose, and is where platform owners could add any platform specific override variables as a way to differentiate them from user added

This allows an environment to retain its current variables without removing any that could result in a change in the operation of the environment. If a user does end up adding a variable that is in the lagoon-platform-env secret, it will be removed from that secret, and added to the main lagoon-env secret. This way, if a user ends up removing that variable from the API, the cleanup process will now delete it so it won't exist in either secret.

The order that the secrets are added to the deployments is that lagoon-platform-env is first, then lagoon-env.

envFrom:
- secretRef:
    name: lagoon-platform-env
- secretRef:
    name: lagoon-env

This means that variables in lagoon-env should always win over any variables in the lagoon-platform-env secret (based on ordering discussions in uselagoon/lagoon#2348), this is why the behaviour of removing from the lagoon-platform-env secret if a matching variable is found in the Lagoon API is done. Lagoon API wins.

Minor changes

  • Consolidate the wait logic for dbaas consumers into one script, the credential collection step happens outside of this now. This is done to be able to pass these values to the build-deploy-tool for processing in Go
  • Finally remove shyaml 🥳

Closing issues

closes #392
closes #136

@shreddedbacon shreddedbacon mentioned this pull request Nov 25, 2024
Closed
@shreddedbacon
Copy link
Member Author

The following controllers leverage the lagoon-env configmap too

  • remote-controller
  • storage-calculator
    They will need to have updates to deal with the transition of the configmap to secret(s)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

lagoon-env configmap can contain sensitive data Deleted variables from API remain in configmap
1 participant
@shreddedbacon