Add secrets to runtime configuration by sepetrov · Pull Request #1169 · vmware-archive/kubeless

sepetrov · 2020-09-08T07:14:10Z

Issue Ref: None

Description:

Adds support for using secrets via mounted volumes.

Extends the runtime-images structure in kubeless-config configmap to allow using secrets in the init containers of function deployments, in a similar way as providing environment variables.

Usage:

Manifest for github-token secret.

apiVersion: v1
kind: Secret
metadata:
  name: github-token
type: Opaque
stringData:
  token: foobar

Manifest for kubeless-config configmap

...
data:
  runtime-images: |
    [
        {
            "ID": "go",
            "depName": "go.mod",
            "fileNameSuffix": ".go",
            "versions": [
                {
                    "imagePullSecrets": [{"ImageSecret": "docker-registry"}],
                    "images": [
                        {
                            "command": "docker-entrypoint",
                            "env": {
                                "GITHUB_TOKEN_SECRET_FILE": "/var/run/secrets/kubeless.io/github-token/token",
                                "GOCACHE": "$(KUBELESS_INSTALL_VOLUME)/.cache",
                                "GOPRIVATE": "github.com/acme/*"
                            },
                            "image": "quay.io/acme/kubeless-runtime:go-1.14",
                            "phase": "compilation",
                            "secrets": [{"name": "github-token"}]
                        },
                        {
                            "image": "kubeless/go@sha256:55759228714d7080b3dd858e56530d4e1f539d071906e88d88b454ee3b3c9b16",
                            "phase": "runtime"
                        }
                    ],
                    "name": "go1.14",
                    "version": "1.14"
                }
            ]
        }
    ]
...

The above runtime configuration specified custom image for Go 1.14 runtime with a secret github-token shared with the container as a volume mounted at /var/run/secrets/kubeless.io/{{secret.name}} (/var/run/secrets/kubeless.io/github-token in this example). Now the container can read the GitHub token secret from the filesystem and use it to download private Go packages.

TODOs:

Ready to review
Automated Tests
Docs

andresmgot

Thanks for the feature! I have a couple of minor comments.

andresmgot · 2020-09-09T08:07:21Z

pkg/utils/kubelessutil.go

+			result.InitContainers[i].VolumeMounts = append(result.InitContainers[i].VolumeMounts, v1.VolumeMount{
+				Name:      secret.Name,
+				ReadOnly:  true,
+				MountPath: "/" + secret.Name,


you need to use an unused subpath like "/etc/secrets/" + secret.Name so you avoid issues with people using as secret name var or run

Hi @andresmgot , I agree completely, mounting in the root is not ideal - I went for it as a first iteration + AFAIK serverless-kubeless plugin is using this approach.

I am thinking of the following options:

/var/run/secrets/{{secret.name}}

/var/run/secrets/kubeless.io/{{secret.name}}

/opt/secrets/{{secret.name}}

/opt/secrets/kubeless.io/{{secret.name}}

My choice would be 2. Seems consistent with what I see as mounted volumes with secrets in kubernetes.

What do you think?

Changed mount path to /var/run/secrets/kubeless.io/{{secret.name}}.

andresmgot · 2020-09-09T08:08:31Z

docs/function-controller-configuration.md

  - Init Image: Image used for installing the function and/or dependencies.
  - (Optional) Image Pull Secrets: Secret required to pull the image in case the repository is private.
+  - (Optional) Environment variables.
+  - (Optional) Secrets: Shared with the container as mounted volumes.


I would add here the path in which the secrets are mounted.

andresmgot

Thanks for the changes!

sepetrov force-pushed the add-secrets-to-runtime-images branch 2 times, most recently from 05ec2a6 to 3996a76 Compare September 8, 2020 09:42

sepetrov added 3 commits September 8, 2020 13:27

Add secrets to runtime configuration

9c9aa31

Fix method name

c725929

Revert CS changes

8f25eb8

sepetrov force-pushed the add-secrets-to-runtime-images branch from 3996a76 to 8f25eb8 Compare September 8, 2020 10:27

Add documentation

64cedba

andresmgot reviewed Sep 9, 2020

View reviewed changes

sepetrov added 2 commits September 9, 2020 12:07

Mount volumes at /var/run/secrets/kubeless.io/

d9772a3

Fix typo

40d3016

andresmgot approved these changes Sep 9, 2020

View reviewed changes

andresmgot merged commit 25d6376 into vmware-archive:master Sep 9, 2020

sepetrov deleted the add-secrets-to-runtime-images branch September 9, 2020 10:14

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add secrets to runtime configuration#1169

Add secrets to runtime configuration#1169
andresmgot merged 6 commits intovmware-archive:masterfrom
sepetrov:add-secrets-to-runtime-images

sepetrov commented Sep 8, 2020 •

edited

Loading

Uh oh!

andresmgot left a comment

Uh oh!

andresmgot Sep 9, 2020

Uh oh!

sepetrov Sep 9, 2020

Uh oh!

sepetrov Sep 9, 2020

Uh oh!

andresmgot Sep 9, 2020

Uh oh!

sepetrov Sep 9, 2020

Uh oh!

andresmgot left a comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

sepetrov commented Sep 8, 2020 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

andresmgot left a comment

Choose a reason for hiding this comment

Uh oh!

andresmgot Sep 9, 2020

Choose a reason for hiding this comment

Uh oh!

sepetrov Sep 9, 2020

Choose a reason for hiding this comment

Uh oh!

sepetrov Sep 9, 2020

Choose a reason for hiding this comment

Uh oh!

andresmgot Sep 9, 2020

Choose a reason for hiding this comment

Uh oh!

sepetrov Sep 9, 2020

Choose a reason for hiding this comment

Uh oh!

andresmgot left a comment

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

sepetrov commented Sep 8, 2020 •

edited

Loading