Merge pull request #4032 from zendesk/rbayerl/sidecar_support

add SECRET_PULLER_TYPE to migrate to secret-sidecar
zendesk · Nov 8, 2022 · 69a4f94 · 69a4f94
2 parents 61ff31a + 922fc0a
commit 69a4f94
Show file tree

Hide file tree

Showing 2 changed files with 46 additions and 13 deletions.
diff --git a/plugins/kubernetes/app/models/kubernetes/template_filler.rb b/plugins/kubernetes/app/models/kubernetes/template_filler.rb
@@ -5,6 +5,7 @@ class TemplateFiller
     attr_reader :template
 
     SECRET_PULLER_IMAGE = ENV['SECRET_PULLER_IMAGE'].presence
+    SECRET_PULLER_TYPE = ENV.fetch('SECRET_PULLER_TYPE', 'samson_secret_puller')
     KUBERNETES_ADD_PRESTOP = Samson::EnvCheck.set?('KUBERNETES_ADD_PRESTOP')
     KUBERNETES_ADD_WELL_KNOWN_LABELS = Samson::EnvCheck.set?('KUBERNETES_ADD_WELL_KNOWN_LABELS')
     SECRET_PREFIX = "secret/"
@@ -309,25 +310,45 @@ def set_secret_puller
         image: SECRET_PULLER_IMAGE,
         imagePullPolicy: 'IfNotPresent',
         name: 'secret-puller',
-        volumeMounts: [
-          {mountPath: "/vault-auth", name: "vaultauth"},
-          {mountPath: "/secretkeys", name: "secretkeys"},
-          secret_vol
-        ],
         securityContext: {
           readOnlyRootFilesystem: true,
           runAsNonRoot: true
         },
-        env: [
-          {name: "VAULT_TLS_VERIFY", value: vault_client.options.fetch(:ssl_verify).to_s},
-          {name: "VAULT_MOUNT", value: Samson::Secrets::VaultClientManager::MOUNT},
-          {name: "VAULT_PREFIX", value: Samson::Secrets::VaultClientManager::PREFIX}
-        ],
         resources: {
           requests: {cpu: "100m", memory: "64Mi"},
-          limits: {cpu: "100m", memory: "64Mi"}
+          limits: {cpu: "100m", memory: "100Mi"}
         }
       }
+
+      # Modifies init container to use internal secret-sidecar instead of
+      # public samson_secret_puller
+      if SECRET_PULLER_TYPE == 'secret-sidecar'
+        container[:command] = '/bin/secret-sidecar-v2'
+
+        container[:volumeMounts] = [
+          {moountPath: "/secrets-meta", name: "secrets-meta"},
+          {mountPath: "/podinfo", name: "secretkeys"},
+          secret_vol
+        ]
+
+        container[:env] = [
+          {name: "VAULT_ADDR", valueFrom: {secretKeyRef: {name: "vaultauth", key: "address"}}},
+          {name: "VAULT_ROLE", value: project.permalink},
+          {name: "VAULT_TOKEN", valueFrom: {secretKeyRef: {name: "vaultauth", key: "authsecret"}}}
+        ]
+      else
+        container[:volumeMounts] = [
+          {mountPath: "/vault-auth", name: "vaultauth"},
+          {mountPath: "/secretkeys", name: "secretkeys"},
+          secret_vol
+        ]
+        container[:env] = [
+          {name: "VAULT_TLS_VERIFY", value: vault_client.options.fetch(:ssl_verify).to_s},
+          {name: "VAULT_MOUNT", value: Samson::Secrets::VaultClientManager::MOUNT},
+          {name: "VAULT_PREFIX", value: Samson::Secrets::VaultClientManager::PREFIX}
+        ]
+      end
+
       init_containers.unshift container
 
       # mark the container as not needing a dockerfile
@@ -344,6 +365,7 @@ def set_secret_puller
       volumes = (pod_template[:spec][:volumes] ||= [])
       volumes.concat [
         {name: secret_vol.fetch(:name), emptyDir: {medium: 'Memory'}},
+        {name: "secrets-meta", emptyDir: {medium: "Memory"}},
         {name: "vaultauth", secret: {secretName: "vaultauth"}},
         {
           name: "secretkeys",

diff --git a/plugins/kubernetes/test/models/kubernetes/template_filler_test.rb b/plugins/kubernetes/test/models/kubernetes/template_filler_test.rb
@@ -669,12 +669,12 @@ def with_init_contnainer_old_syntax(container)
 
       it "adds to existing volume definitions in the puller" do
         raw_template[:spec][:template][:spec][:volumes] = [{}]
-        template.to_hash[:spec][:template][:spec][:volumes].count.must_equal 4
+        template.to_hash[:spec][:template][:spec][:volumes].count.must_equal 5
       end
 
       it "does not duplicate definitions" do
         raw_template[:spec][:template][:spec][:volumes] = [{name: "vaultauth", secret: {secretName: "vaultauth"}}]
-        template.to_hash[:spec][:template][:spec][:volumes].count.must_equal 3
+        template.to_hash[:spec][:template][:spec][:volumes].count.must_equal 4
       end
 
       it "adds to existing volume definitions in the primary container" do
@@ -704,6 +704,17 @@ def with_init_contnainer_old_syntax(container)
         e.message.must_include "baz\n  (tried: production/foo/pod1/baz" # shows all at once for easier debugging
       end
 
+      it "with secret-sidecar" do
+        stub_const Kubernetes::TemplateFiller, :SECRET_PULLER_TYPE, "secret-sidecar" do
+          init_containers.first[:command].must_equal('/bin/secret-sidecar-v2')
+          init_containers.first[:env].must_equal [
+            {name: "VAULT_ADDR", valueFrom: {secretKeyRef: {name: "vaultauth", key: "address"}}},
+            {name: "VAULT_ROLE", value: "foo"},
+            {name: "VAULT_TOKEN", valueFrom: {secretKeyRef: {name: "vaultauth", key: "authsecret"}}}
+          ]
+        end
+      end
+
       describe "converting secrets in env to annotations" do
         def secret_annotations(hash)
           hash[:spec][:template][:metadata][:annotations].select { |k, _| k.match?("secret") }