Kubernetes use env var based secrets

2021-12-29 20:49:13 +00:00 · 2021-12-29 20:49:13 +00:00 · 06c3e2d4f9
parent f7757c35c1
commit 06c3e2d4f9
5 changed files with 30 additions and 7 deletions
--- a/dist/index.js
+++ b/dist/index.js
@ -1782,7 +1782,7 @@ class Kubernetes {
                this.jobName = `unity-builder-job-${buildGuid}`;
                this.containerName = `main`;
                yield kubernetes_secret_1.default.createSecret(secrets, this.secretName, this.namespace, this.kubeClient);
-                const jobSpec = kubernetes_job_spec_factory_1.default.getJobSpec(commands, image, mountdir, workingdir, environment, this.buildGuid, this.buildParameters, this.secretName, this.pvcName, this.jobName, k8s);
+                const jobSpec = kubernetes_job_spec_factory_1.default.getJobSpec(commands, image, mountdir, workingdir, environment, secrets, this.buildGuid, this.buildParameters, this.secretName, this.pvcName, this.jobName, k8s);
                //run
                cloud_runner_logger_1.default.log('Creating build job');
                yield this.kubeClientBatch.createNamespacedJob(this.namespace, jobSpec);
@ -1866,10 +1866,11 @@ exports.default = Kubernetes;
 "use strict";

 Object.defineProperty(exports, "__esModule", ({ value: true }));
+const client_node_1 = __webpack_require__(89679);
 const cloud_runner_build_command_process_1 = __webpack_require__(71899);
 const cloud_runner_state_1 = __webpack_require__(70912);
 class KubernetesJobSpecFactory {
-    static getJobSpec(command, image, mountdir, workingDirectory, environment, buildGuid, buildParameters, secretName, pvcName, jobName, k8s) {
+    static getJobSpec(command, image, mountdir, workingDirectory, environment, secrets, buildGuid, buildParameters, secretName, pvcName, jobName, k8s) {
        environment.push(...[
            {
                name: 'GITHUB_SHA',
@ -1965,7 +1966,15 @@ class KubernetesJobSpecFactory {
                                    cpu: buildParameters.cloudRunnerCpu,
                                },
                            },
-                            env: environment,
+                            env: [
+                                ...environment,
+                                ...secrets.map((x) => {
+                                    const secret = new client_node_1.V1SecretKeySelector();
+                                    secret.key = x.ParameterKey;
+                                    secret.name = secretName;
+                                    return { name: x.EnvironmentVariable, valueFrom: secret };
+                                }),
+                            ],
                            volumeMounts: [
                                {
                                    name: 'build-mount',
@ -2403,7 +2412,8 @@ class CloudRunnerBuildCommandProcessor {
    }
    static GetSecrets(buildParameters) {
        return buildParameters.cloudRunnerCluster === `k8s`
-            ? `for f in /credentials; do cat $f | base64 && echo $f; done`
+            ? `cd /credentials
+      for f in ; do cat $f | base echo $f; done`
            : ``;
    }
 }
--- a/dist/index.js.map
+++ b/dist/index.js.map
--- a/src/model/cloud-runner/k8s/index.ts
+++ b/src/model/cloud-runner/k8s/index.ts
@ -87,6 +87,7 @@ class Kubernetes implements CloudRunnerProviderInterface {
        mountdir,
        workingdir,
        environment,
+        secrets,
        this.buildGuid,
        this.buildParameters,
        this.secretName,
--- a/src/model/cloud-runner/k8s/kubernetes-job-spec-factory.ts
+++ b/src/model/cloud-runner/k8s/kubernetes-job-spec-factory.ts
@ -1,6 +1,8 @@
+import { V1SecretKeySelector } from '@kubernetes/client-node';
 import BuildParameters from '../../build-parameters';
 import { CloudRunnerBuildCommandProcessor } from '../services/cloud-runner-build-command-process';
 import CloudRunnerEnvironmentVariable from '../services/cloud-runner-environment-variable';
+import CloudRunnerSecret from '../services/cloud-runner-secret';
 import { CloudRunnerState } from '../state/cloud-runner-state';

 class KubernetesJobSpecFactory {
@ -10,6 +12,7 @@ class KubernetesJobSpecFactory {
    mountdir: string,
    workingDirectory: string,
    environment: CloudRunnerEnvironmentVariable[],
+    secrets: CloudRunnerSecret[],
    buildGuid: string,
    buildParameters: BuildParameters,
    secretName,
@ -115,7 +118,15 @@ class KubernetesJobSpecFactory {
                  cpu: buildParameters.cloudRunnerCpu,
                },
              },
-              env: environment,
+              env: [
+                ...environment,
+                ...secrets.map((x) => {
+                  const secret = new V1SecretKeySelector();
+                  secret.key = x.ParameterKey;
+                  secret.name = secretName;
+                  return { name: x.EnvironmentVariable, valueFrom: secret };
+                }),
+              ],
              volumeMounts: [
                {
                  name: 'build-mount',
--- a/src/model/cloud-runner/services/cloud-runner-build-command-process.ts
+++ b/src/model/cloud-runner/services/cloud-runner-build-command-process.ts
@ -11,7 +11,8 @@ export class CloudRunnerBuildCommandProcessor {
  }
  static GetSecrets(buildParameters: BuildParameters) {
    return buildParameters.cloudRunnerCluster === `k8s`
-      ? `for f in /credentials; do cat $f | base64 && echo $f; done`
+      ? `cd /credentials
+      for f in ; do cat $f | base echo $f; done`
      : ``;
  }
 }