Merge pull request #3 from TheRacetrack/2-keep-secret-vars-apart-from…

…-regular-env-vars Keep secret vars apart from regular env vars
TheRacetrack · Dec 14, 2023 · f303e1e · f303e1e
2 parents 55e0059 + 3900879
commit f303e1e
Show file tree

Hide file tree

Showing 5 changed files with 22 additions and 1 deletion.
diff --git a/docs/compatibility.md b/docs/compatibility.md
@@ -4,3 +4,4 @@ This document describes compatibility of the versions of this plugin with the Ra
 | Plugin version | Compatible Racetrack version |
 |----------------|------------------------------|
 | 1.0.0          | `> 2.20.0`                   |
+| 1.1.0          | `> 2.23.0`                   |
diff --git a/src/deployer.py b/src/deployer.py
@@ -51,6 +51,7 @@ def deploy_job(
         runtime_env_vars: dict[str, str],
         family: JobFamilyDto,
         containers_num: int = 1,
+        runtime_secret_vars: dict[str, str] | None = None,
     ) -> JobDto:
         """Deploy Job on Kubernetes and expose Service accessible by Job name"""
         resource_name = job_resource_name(manifest.name, manifest.version)
@@ -109,6 +110,7 @@ def deploy_job(
             'cpu_min': cpu_min,
             'cpu_max': cpu_max,
             'job_k8s_namespace': self.k8s_namespace,
+            'runtime_secret_vars': runtime_secret_vars or {},
         }
 
         container_vars = []  # list of container tuples: (container_name, image_name, container_port)
@@ -167,6 +169,9 @@ def save_job_secrets(
     ):
         """Create or update secrets needed to build and deploy a job"""
         resource_name = job_resource_name(job_name, job_version)
+        encoded_runtime_vars = {}
+        for var_name, var_value in job_secrets.secret_runtime_env.items():
+            encoded_runtime_vars[var_name] = _encode_secret_string(var_value)
         render_vars = {
             'resource_name': resource_name,
             'job_name': job_name,
@@ -175,6 +180,7 @@ def save_job_secrets(
             'secret_build_env': _encode_secret_key(job_secrets.secret_build_env),
             'secret_runtime_env': _encode_secret_key(job_secrets.secret_runtime_env),
             'job_k8s_namespace': self.k8s_namespace,
+            'encoded_runtime_vars': encoded_runtime_vars,
         }
         self._apply_templated_resource('secret_template.yaml', render_vars, self.src_dir)
 
@@ -256,6 +262,10 @@ def _decode_secret_key(secret_data: dict[str, str], key: str) -> Any | None:
     return decoded_obj
 
 
+def _encode_secret_string(text: str) -> str:
+    return b64encode(text.encode()).decode()
+
+
 def get_container_name(resource_name: str, container_index: int) -> str:
     if container_index == 0:
         return resource_name

diff --git a/src/plugin-manifest.yaml b/src/plugin-manifest.yaml
@@ -1,5 +1,5 @@
 name: remote-kubernetes
-version: '1.0.1'
+version: '1.1.0'
 url: https://github.com/TheRacetrack/plugin-remote-kubernetes
 category: 'infrastructure'
 components:

diff --git a/src/templates/job_template.yaml b/src/templates/job_template.yaml
@@ -58,6 +58,13 @@ spec:
             - name: {{ env_key }}
               value: "{{ env_value }}"
 {% endfor %}
+{% for secret_key in runtime_secret_vars.keys() %}
+            - name: {{ secret_key }}
+              valueFrom:
+                secretKeyRef:
+                  name: {{ resource_name }}
+                  key: secret_runtime_env.{{ secret_key }}
+{% endfor %}
 {% endfor %}
 
 ---

diff --git a/src/templates/secret_template.yaml b/src/templates/secret_template.yaml
@@ -13,3 +13,6 @@ data:
   git_credentials: "{{ git_credentials }}"
   secret_build_env: "{{ secret_build_env }}"
   secret_runtime_env: "{{ secret_runtime_env }}"
+{% for secret_key, secret_value in encoded_runtime_vars.items() %}
+  secret_runtime_env.{{ secret_key }}: "{{ secret_value }}"
+{% endfor %}