Store environment variables in a Secret #86
Merged
minrk merged 2 commits into kbatch-dev:main from Oct 7, 2024
rewrites all EnvVar entries with `value` to value from secretKeyRef
minrk
commented
Oct 7, 2024
| if action != "list": | ||
| f = partial(f, job_name) | ||
| if action == "delete": | ||
| f = partial(f, propagation_policy="Foreground") |
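Review bot: the `propagation_policy="Foreground"` argument in the `action == "delete"` branch has no code comment saying why foreground propagation is passed. Add a one-line comment with the reason next to it so a later cleanup does not drop the argument. With foreground propagation the Job object stays visible until its dependents are gone, so it is also worth checking that callers of the delete action do not assume the Job has disappeared as soon as the call returns.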
Contributor
Author
I found in testing that foreground propagation was required because if the Job was deleted too promptly, the ConfigMap and Secret would not get deleted. This may be a quirk of k3s, though.
Contributor
Author
@yuvipanda I think with this, I'd say we're ready for an 0.5 prerelease and can start on a chart prerelease with kbatch-dev/helm-chart#7
Collaborator
If you wanna tackle predictive naming in its own PR, I think this can go as is.
closes #29
Similar to what we've done in the JupyterHub charts, use a Secret for all user-provided environment variables (this includes both the User and `extra_env` provided from the kbatch-proxy configuration).
Since the API for specifying environment variables is a Job with EnvVar entries, this is implemented by rewriting the Job during the patch stage, to rewrite every plaintext `value:` EnvVar entry with a `valueFrom: secretKeyRef:`, and populating a Secret with those values. It is done last, so there are just no plaintext environment variables in the Job.
The Secret is treated much the same as the existing ConfigMap with ownership references, etc.
Inserting the secret is complicated by the current use of `generate_name` (I'll put some more notes in #6), which means the names of all of the Secret, Job, and ConfigMap are not quite known when they are needed.
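The rewrite described in the PR description above, as an added example (not kbatch's own code): it works on a Job manifest in plain dict form, assumes the Secret name is already known (which the description notes is not yet the case with `generate_name`), and leaves out owner references. The function names, the `container.VARIABLE` key scheme and the sample manifest are constructed for illustration.

```python
import copy

# Constructed sample Job manifest (dict form); all names and values are made up.
SAMPLE_JOB = {
    "apiVersion": "batch/v1",
    "kind": "Job",
    "metadata": {"name": "demo-job"},
    "spec": {"template": {"spec": {
        "initContainers": [
            {"name": "fetch", "env": [{"name": "TOKEN", "value": "init-token"}]},
        ],
        "containers": [
            {"name": "main", "env": [
                {"name": "TOKEN", "value": "main-token"},
                {"name": "POD_NAME",
                 "valueFrom": {"fieldRef": {"fieldPath": "metadata.name"}}},
            ]},
        ],
    }}},
}


def move_env_to_secret(job, secret_name):
    """Return (rewritten_job, secret) with every plaintext env value moved out."""
    job = copy.deepcopy(job)  # leave the caller's manifest untouched
    pod_spec = job["spec"]["template"]["spec"]
    string_data = {}
    for kind in ("initContainers", "containers"):
        for container in pod_spec.get(kind) or []:
            for env in container.get("env") or []:
                if "value" not in env:
                    continue  # already a valueFrom reference; nothing to hide
                # Per-container key: two containers may set the same name differently.
                key = f"{container['name']}.{env['name']}"
                string_data[key] = env.pop("value")
                env["valueFrom"] = {"secretKeyRef": {"name": secret_name, "key": key}}
    secret = {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
              "metadata": {"name": secret_name}, "stringData": string_data}
    return job, secret


def plaintext_env(job):
    """List (container, variable) pairs that still carry a plaintext value."""
    spec = job["spec"]["template"]["spec"]
    return [(c["name"], e["name"])
            for kind in ("initContainers", "containers")
            for c in spec.get(kind) or []
            for e in c.get("env") or [] if "value" in e]
```

`plaintext_env` on the rewritten Job is the check to run last, after every other patch step, so that nothing added later reintroduces a plaintext `value`.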