x/build/cmd/relui: in prod deployment, make twitter secret in secret manager available to relui command #51122
Comments
dmitshur
added
Builders
|
The GCP secrets CSI driver looked perfect but doesn't work in Autopilot clusters, which makes me feel pretty dumb for using one :( We could use an init container, or https://external-secrets.io/, but both feel too heavyweight for me. https://github.com/GoogleCloudPlatform/berglas#library-usage is kinda neat, but I think I prefer something more explicit. So I think we should just take flags that are secret names and resolve them ourselves :-/ |
|
Change https://go.dev/cl/385185 mentions this issue: |
dmitshur
added
NeedsFix
|
Change https://go.dev/cl/386054 mentions this issue: |
To avoid hardcoding secret names everywhere, we want to pass them via
flags instead. As a convenience, introduce a new flag type that resolves
values of the form "secret:[project name/]<secret name>" using Secret
Manager.
This is a bit janky in the name of convenience: we need a SM client
before calling flag.Parse, which I decided should be initialized by the
user rather than implicitly. Typical usage will look like:
var token = secret.Flag("token", "token used to do the thing")
func main() {
if err := secret.InitFlagSupport(context.Background()); err != nil {
log.Fatal(err)
}
flag.Parse()
fmt.Printf("My token is %v\n", *token)
}
Supporting literal values might be unnecessary but I think it might be
helpful for local testing, and we can extend it with a file: prefix to
read from local files too.
For golang/go#51122.
Change-Id: Ie6102453c2242baf2e91b873e62e035f72a82584
Reviewed-on: https://go-review.googlesource.com/c/build/+/385185
Trust: Heschi Kreinick <heschi@google.com>
Run-TryBot: Heschi Kreinick <heschi@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Auto-Submit: Heschi Kreinick <heschi@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Some of our secrets are in JSON format so that we don't have to deal with too many. Make a little convenience flag function for those. For golang/go#51122. Change-Id: Ie34828443adb9acb16249339a760d28a81ddbd20 Reviewed-on: https://go-review.googlesource.com/c/build/+/386054 Trust: Heschi Kreinick <heschi@google.com> Run-TryBot: Heschi Kreinick <heschi@google.com> Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org> Auto-Submit: Heschi Kreinick <heschi@google.com> TryBot-Result: Gopher Robot <gobot@golang.org>
|
Change https://go.dev/cl/387274 mentions this issue: |
|
As part of resolving this issue, I've granted Secret Manager Secret Accessor role on the twitter API secret to relui's service account. Without that access, it correctly refuses to start up: The tweet workflows are ready and need secret access now, while the other workflows will be added later on. Now that we've done the work to propagate one secret, doing it for more is trivial, and there's no value in doing it preemptively. So I'll scope this issue down to be just about the twitter credentials and update CL 387274 to close it. |
dmitshur
changed the title
The production relui deployment (deployment-prod.yaml in x/build/cmd/relui) runs the
reluicommand, and currently provides some static flags and environment variables (see here and here).For upcoming production workflows, the
reluibinary will need to be also provided secrets from secret manager. Specifically, we want:secret.NameTwitterAPISecretfor the ready workflows involving posting a tweetsecret.NameGobotPasswordfor future workflows involving sending Gerrit CLssecret.NameSendGridAPIKeyfor future workflows involving sending emailBased on sources like https://kubernetes.io/docs/concepts/configuration/secret/ and https://stackoverflow.com/questions/59079318/how-to-mount-multiple-files-secrets-into-common-directory-in-kubernetes, Kubernetes has support for arranging this. It can be implemented as files in a mounted volume (whose location can either be well-known by the relui command, or provided to it via a flag or env var), or via environment variables that relui can access.
This is the tracking issue for making these secrets available to the relui process in the production environment (a part of #47407).
CC @golang/release.
The text was updated successfully, but these errors were encountered: