Store environment variables in a Secret #86

Merged 2 commits, Oct 7, 2024

minrk (Contributor) commented Oct 7, 2024

closes #29

Similar to what we've done in the JupyterHub charts, use a Secret for all user-provided environment variables (this includes both the User and extra_env provided from the kbatch-proxy configuration).

Since the API for specifying environment variables is a Job with EnvVar entries, this is implemented by rewriting the Job during the patch stage, to rewrite every plaintext `value:` EnvVar entry with a `valueFrom: secretKeyRef:`, and populating a Secret with those values. It is done last, so there are just no plaintext environment variables in the Job.

The Secret is treated much the same as the existing ConfigMap with ownership references, etc.

Inserting the secret is complicated by the current use of generate_name (I'll put some more notes in #6), which means the names of all of the Secret, Job, and ConfigMap are not quite known when they are needed.
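The rewrite described in this PR, sketched on plain-dict manifests as an added example (not kbatch's own code). The function names, the container-prefixed key scheme and the Secret name `demo-env` are assumptions, and the Secret name is taken as already known, which sidesteps the generate_name issue mentioned above.

```python
import base64
import copy


def move_env_to_secret(job: dict, secret_name: str) -> tuple:
    """Return (job, secret) with every plaintext env value moved into the Secret."""
    job = copy.deepcopy(job)  # leave the caller's manifest untouched
    data = {}
    pod_spec = job["spec"]["template"]["spec"]
    containers = pod_spec.get("initContainers", []) + pod_spec.get("containers", [])
    for container in containers:
        for env in container.get("env") or []:
            if "value" not in env:
                continue  # already a valueFrom reference (fieldRef, secretKeyRef, ...)
            # Key is prefixed with the container name so the same variable can
            # hold different values in different containers (assumed scheme).
            key = f"{container['name']}.{env['name']}"
            data[key] = base64.b64encode(env.pop("value").encode()).decode()
            env["valueFrom"] = {"secretKeyRef": {"name": secret_name, "key": key}}
    # Secret `data` values are base64-encoded, as the Secret API expects.
    secret = {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
              "metadata": {"name": secret_name}, "data": data}
    return job, secret


def plaintext_env(job: dict) -> list:
    """Names of env entries that still carry a literal value (should be empty)."""
    pod_spec = job["spec"]["template"]["spec"]
    containers = pod_spec.get("initContainers", []) + pod_spec.get("containers", [])
    return [e["name"] for c in containers for e in c.get("env") or [] if "value" in e]


# Constructed sample Job, not taken from kbatch.
SAMPLE_JOB = {
    "apiVersion": "batch/v1",
    "kind": "Job",
    "metadata": {"generateName": "demo-"},
    "spec": {"template": {"spec": {"restartPolicy": "Never", "containers": [{
        "name": "main",
        "image": "busybox",
        "env": [
            {"name": "API_TOKEN", "value": "constructed-token"},
            {"name": "POD_NAME", "valueFrom": {"fieldRef": {"fieldPath": "metadata.name"}}},
        ],
    }]}}},
}

REWRITTEN_JOB, SECRET = move_env_to_secret(SAMPLE_JOB, "demo-env")
```

Running `plaintext_env` on the rewritten Job is a quick audit that no literal values remain in the spec, which is the property the PR relies on by doing this rewrite last.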

rewrites all EnvVar entries with `value` to value from secretKeyRef
if action != "list":
f = partial(f, job_name)
if action == "delete":
f = partial(f, propagation_policy="Foreground")
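Review bot: the `propagation_policy="Foreground"` argument on the `action == "delete"` branch has no in-code comment saying why it is needed; in the lines shown, the only explanation is in the review thread (the ConfigMap and Secret were not deleted when the Job was removed too promptly). A one-line comment above `f = partial(f, propagation_policy="Foreground")` would keep a later cleanup from dropping the argument and leaving behind the Secret that now holds the user-provided environment values.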
Contributor Author

I found in testing that foreground propagation was required because if the Job was deleted too promptly, the ConfigMap and Secret would not get deleted. This may be a quirk of k3s, though.

@minrk minrk mentioned this pull request Oct 7, 2024
minrk (Contributor, Author) commented Oct 7, 2024

@yuvipanda I think with this, I'd say we're ready for an 0.5 prerelease and can start on a chart prerelease with kbatch-dev/helm-chart#7

@minrk minrk requested a review from yuvipanda October 7, 2024 07:26
yuvipanda (Collaborator) commented:

If you wanna tackle predictive naming in its own PR, I think this can go as is.

@minrk minrk merged commit e231703 into kbatch-dev:main Oct 7, 2024
6 checks passed
@minrk minrk deleted the secrets branch October 7, 2024 14:14
Successfully merging this pull request may close these issues.

Use Kubernetes secrets for user-provided environment variables