fix(slugbuilder): Dont expose the conifg as env vars during build

Author: kmala

pkg/gitreceive/build.go

@@ -195,11 +195,21 @@ func build(
 		if !slugBuilderInfo.DisableCaching() {
 			cacheKey = slugBuilderInfo.CacheKey()
 		}
+		envSecretName := fmt.Sprintf("%s-build-env", appName)
+		err = createAppEnvConfigSecret(kubeClient.Secrets(conf.PodNamespace), envSecretName, appConf.Values)
+		if err != nil {
+			return fmt.Errorf("error creating/updating secret %s: (%s)", envSecretName, err)
+		}
+		defer func() {
+			if err := kubeClient.Secrets(conf.PodNamespace).Delete(envSecretName); err != nil {
+				log.Info("unable to delete secret %s (%s)", envSecretName, err)
+			}
+		}()
 		pod = slugbuilderPod(
 			conf.Debug,
 			buildPodName,
 			conf.PodNamespace,
-			appConf.Values,
+			envSecretName,
 			slugBuilderInfo.TarKey(),
 			slugBuilderInfo.PushKey(),
 			cacheKey,

pkg/gitreceive/k8s_util.go

@@ -7,6 +7,8 @@ import (
 	"github.com/deis/builder/pkg/k8s"
 	"github.com/pborman/uuid"
 	"k8s.io/kubernetes/pkg/api"
+	apierrors "k8s.io/kubernetes/pkg/api/errors"
+	client "k8s.io/kubernetes/pkg/client/unversioned"
 	"k8s.io/kubernetes/pkg/labels"
 	"k8s.io/kubernetes/pkg/util/wait"
 )
@@ -25,6 +27,7 @@ const (
 	dockerSocketPath = "/var/run/docker.sock"
 	builderStorage   = "BUILDER_STORAGE"
 	objectStorePath  = "/var/run/secrets/deis/objectstore/creds"
+	envRoot          = "/tmp/env"
 )
 
 func dockerBuilderPodName(appName, shortSha string) string {
@@ -92,7 +95,7 @@ func slugbuilderPod(
 	debug bool,
 	name,
 	namespace string,
-	env map[string]interface{},
+	envSecretName string,
 	tarKey,
 	putKey,
 	cacheKey,
@@ -103,7 +106,22 @@ func slugbuilderPod(
 	pullPolicy api.PullPolicy,
 ) *api.Pod {
 
-	pod := buildPod(debug, name, namespace, pullPolicy, env)
+	pod := buildPod(debug, name, namespace, pullPolicy, nil)
+
+	pod.Spec.Volumes = append(pod.Spec.Volumes, api.Volume{
+		Name: envSecretName,
+		VolumeSource: api.VolumeSource{
+			Secret: &api.SecretVolumeSource{
+				SecretName: envSecretName,
+			},
+		},
+	})
+
+	pod.Spec.Containers[0].VolumeMounts = append(pod.Spec.Containers[0].VolumeMounts, api.VolumeMount{
+		Name:      envSecretName,
+		MountPath: envRoot,
+		ReadOnly:  true,
+	})
 
 	pod.Spec.Containers[0].Name = slugBuilderName
 	pod.Spec.Containers[0].Image = image
@@ -267,3 +285,23 @@ func progress(msg string, interval time.Duration) chan bool {
 	}()
 	return quit
 }
+
+func createAppEnvConfigSecret(secretsClient client.SecretsInterface, secretName string, env map[string]interface{}) error {
+	newSecret := new(api.Secret)
+	newSecret.Name = secretName
+	newSecret.Type = api.SecretTypeOpaque
+	newSecret.Data = make(map[string][]byte)
+	for k, v := range env {
+		newSecret.Data[k] = []byte(fmt.Sprintf("%v", v))
+	}
+	if _, err := secretsClient.Create(newSecret); err != nil {
+		if apierrors.IsAlreadyExists(err) {
+			if _, err = secretsClient.Update(newSecret); err != nil {
+				return err
+			}
+			return nil
+		}
+		return err
+	}
+	return nil
+}

pkg/gitreceive/k8s_util_test.go

@@ -1,11 +1,15 @@
 package gitreceive
 
 import (
+	"errors"
 	"fmt"
 	"strings"
 	"testing"
 
+	"github.com/arschles/assert"
+	"github.com/deis/builder/pkg/k8s"
 	"k8s.io/kubernetes/pkg/api"
+	apierrors "k8s.io/kubernetes/pkg/api/errors"
 )
 
 func TestDockerBuilderPodName(t *testing.T) {
@@ -26,7 +30,7 @@ type slugBuildCase struct {
 	debug                      bool
 	name                       string
 	namespace                  string
-	env                        map[string]interface{}
+	envSecretName              string
 	tarKey                     string
 	putKey                     string
 	cacheKey                   string
@@ -55,26 +59,26 @@ func TestBuildPod(t *testing.T) {
 
 	env := make(map[string]interface{})
 	env["KEY"] = "VALUE"
-
+	envSecretName := "test-build-env"
 	var pod *api.Pod
 
 	slugBuilds := []slugBuildCase{
-		{true, "test", "default", emptyEnv, "tar", "put-url", "cache-url", "deadbeef", "", "", api.PullAlways, ""},
-		{true, "test", "default", env, "tar", "put-url", "cache-url", "deadbeef", "", "", api.PullAlways, ""},
-		{true, "test", "default", emptyEnv, "tar", "put-url", "", "deadbeef", "", "", api.PullAlways, ""},
-		{true, "test", "default", emptyEnv, "tar", "put-url", "cache-url", "deadbeef", "buildpack", "", api.PullAlways, ""},
-		{true, "test", "default", env, "tar", "put-url", "cache-url", "deadbeef", "buildpack", "", api.PullAlways, ""},
-		{true, "test", "default", env, "tar", "put-url", "cache-url", "deadbeef", "buildpack", "customimage", api.PullAlways, ""},
-		{true, "test", "default", env, "tar", "put-url", "cache-url", "deadbeef", "buildpack", "customimage", api.PullIfNotPresent, ""},
-		{true, "test", "default", env, "tar", "put-url", "cache-url", "deadbeef", "buildpack", "customimage", api.PullNever, ""},
+		{true, "test", "default", envSecretName, "tar", "put-url", "cache-url", "deadbeef", "", "", api.PullAlways, ""},
+		{true, "test", "default", envSecretName, "tar", "put-url", "cache-url", "deadbeef", "", "", api.PullAlways, ""},
+		{true, "test", "default", envSecretName, "tar", "put-url", "", "deadbeef", "", "", api.PullAlways, ""},
+		{true, "test", "default", envSecretName, "tar", "put-url", "cache-url", "deadbeef", "buildpack", "", api.PullAlways, ""},
+		{true, "test", "default", envSecretName, "tar", "put-url", "cache-url", "deadbeef", "buildpack", "", api.PullAlways, ""},
+		{true, "test", "default", envSecretName, "tar", "put-url", "cache-url", "deadbeef", "buildpack", "customimage", api.PullAlways, ""},
+		{true, "test", "default", envSecretName, "tar", "put-url", "cache-url", "deadbeef", "buildpack", "customimage", api.PullIfNotPresent, ""},
+		{true, "test", "default", envSecretName, "tar", "put-url", "cache-url", "deadbeef", "buildpack", "customimage", api.PullNever, ""},
 	}
 
 	for _, build := range slugBuilds {
 		pod = slugbuilderPod(
 			build.debug,
 			build.name,
 			build.namespace,
-			build.env,
+			build.envSecretName,
 			build.tarKey,
 			build.putKey,
 			build.cacheKey,
@@ -193,3 +197,38 @@ func envValueFromKey(pod *api.Pod, key string) (string, error) {
 
 	return "", fmt.Errorf("no key with name %v found in pod env", key)
 }
+
+func TestCreateAppEnvConfigSecretErr(t *testing.T) {
+	expectedErr := errors.New("get secret error")
+	secretsClient := &k8s.FakeSecret{
+		FnCreate: func(*api.Secret) (*api.Secret, error) {
+			return &api.Secret{}, expectedErr
+		},
+	}
+	err := createAppEnvConfigSecret(secretsClient, "test", nil)
+	assert.Err(t, err, expectedErr)
+}
+
+func TestCreateAppEnvConfigSecretSuccess(t *testing.T) {
+	secretsClient := &k8s.FakeSecret{
+		FnCreate: func(*api.Secret) (*api.Secret, error) {
+			return &api.Secret{}, nil
+		},
+	}
+	err := createAppEnvConfigSecret(secretsClient, "test", nil)
+	assert.NoErr(t, err)
+}
+
+func TestCreateAppEnvConfigSecretAlreadyExists(t *testing.T) {
+	alreadyExistErr := apierrors.NewAlreadyExists(api.Resource("tests"), "1")
+	secretsClient := &k8s.FakeSecret{
+		FnCreate: func(*api.Secret) (*api.Secret, error) {
+			return &api.Secret{}, alreadyExistErr
+		},
+		FnUpdate: func(*api.Secret) (*api.Secret, error) {
+			return &api.Secret{}, nil
+		},
+	}
+	err := createAppEnvConfigSecret(secretsClient, "test", nil)
+	assert.NoErr(t, err)
+}

pkg/gitreceive/registry.go

@@ -6,7 +6,6 @@ import (
 	"errors"
 	"strings"
 
-	"github.com/deis/builder/pkg/k8s"
 	"github.com/deis/builder/pkg/storage"
 	"k8s.io/kubernetes/pkg/api"
 	client "k8s.io/kubernetes/pkg/client/unversioned"
@@ -16,7 +15,7 @@ const (
 	registrySecret = "registry-secret"
 )
 
-func getDetailsFromRegistrySecret(secretGetter k8s.SecretGetter, secret string) (map[string]string, error) {
+func getDetailsFromRegistrySecret(secretGetter client.SecretsInterface, secret string) (map[string]string, error) {
 	regSecret, err := secretGetter.Get(secret)
 	if err != nil {
 		return nil, err
@@ -28,7 +27,7 @@ func getDetailsFromRegistrySecret(secretGetter k8s.SecretGetter, secret string)
 	return regDetails, nil
 }
 
-func getDetailsFromDockerConfigSecret(secretGetter k8s.SecretGetter, secret string) (map[string]string, error) {
+func getDetailsFromDockerConfigSecret(secretGetter client.SecretsInterface, secret string) (map[string]string, error) {
 	configSecret, err := secretGetter.Get(secret)
 	if err != nil {
 		return nil, err

pkg/gitreceive/registry_test.go

@@ -18,8 +18,8 @@ const (
 
 func TestGetDetailsFromRegistrySecretErr(t *testing.T) {
 	expectedErr := errors.New("get secret error")
-	getter := &k8s.FakeSecretGetter{
-		Fn: func(string) (*api.Secret, error) {
+	getter := &k8s.FakeSecret{
+		FnGet: func(string) (*api.Secret, error) {
 			return &api.Secret{}, expectedErr
 		},
 	}
@@ -31,8 +31,8 @@ func TestGetDetailsFromRegistrySecretSuccess(t *testing.T) {
 	data := map[string][]byte{"test": []byte("test")}
 	expectedData := map[string]string{"test": "test"}
 	secret := api.Secret{Data: data}
-	getter := &k8s.FakeSecretGetter{
-		Fn: func(string) (*api.Secret, error) {
+	getter := &k8s.FakeSecret{
+		FnGet: func(string) (*api.Secret, error) {
 			return &secret, nil
 		},
 	}
@@ -43,8 +43,8 @@ func TestGetDetailsFromRegistrySecretSuccess(t *testing.T) {
 
 func TestGetDetailsFromDockerConfigSecretErr(t *testing.T) {
 	expectedErr := errors.New("get secret error")
-	getter := &k8s.FakeSecretGetter{
-		Fn: func(string) (*api.Secret, error) {
+	getter := &k8s.FakeSecret{
+		FnGet: func(string) (*api.Secret, error) {
 			return &api.Secret{}, expectedErr
 		},
 	}
@@ -56,8 +56,8 @@ func TestGetDetailsFromDockerConfigSecretJsonErr(t *testing.T) {
 	expectedErr := errors.New("invalid character 'o' in literal null (expecting 'u')")
 	data := map[string][]byte{api.DockerConfigJsonKey: []byte("not a json")}
 	secret := api.Secret{Data: data}
-	getter := &k8s.FakeSecretGetter{
-		Fn: func(string) (*api.Secret, error) {
+	getter := &k8s.FakeSecret{
+		FnGet: func(string) (*api.Secret, error) {
 			return &secret, nil
 		},
 	}
@@ -80,8 +80,8 @@ func TestGetDetailsFromDockerConfigSecretTokenerr(t *testing.T) {
 	data := make(map[string][]byte)
 	data[api.DockerConfigJsonKey] = auth
 	secret := api.Secret{Data: data}
-	getter := &k8s.FakeSecretGetter{
-		Fn: func(string) (*api.Secret, error) {
+	getter := &k8s.FakeSecret{
+		FnGet: func(string) (*api.Secret, error) {
 			return &secret, nil
 		},
 	}
@@ -105,8 +105,8 @@ func TestGetDetailsFromDockerConfigSecretSuccess(t *testing.T) {
 	data := make(map[string][]byte)
 	data[api.DockerConfigJsonKey] = auth
 	secret := api.Secret{Data: data}
-	getter := &k8s.FakeSecretGetter{
-		Fn: func(string) (*api.Secret, error) {
+	getter := &k8s.FakeSecret{
+		FnGet: func(string) (*api.Secret, error) {
 			return &secret, nil
 		},
 	}
@@ -118,8 +118,8 @@ func TestGetDetailsFromDockerConfigSecretSuccess(t *testing.T) {
 
 func TestGetRegistryDetailsOffclusterErr(t *testing.T) {
 	expectedErr := errors.New("get secret error")
-	getter := &k8s.FakeSecretGetter{
-		Fn: func(string) (*api.Secret, error) {
+	getter := &k8s.FakeSecret{
+		FnGet: func(string) (*api.Secret, error) {
 			return &api.Secret{}, expectedErr
 		},
 	}
@@ -139,8 +139,8 @@ func TestGetRegistryDetailsOffclusterSuccess(t *testing.T) {
 	expectedData := map[string]string{"DEIS_REGISTRY_HOSTNAME": "quay.io", "DEIS_REGISTRY_ORGANIZATION": "kmala"}
 	expectedImage := "quay.io/kmala/test-image"
 	secret := api.Secret{Data: data}
-	getter := &k8s.FakeSecretGetter{
-		Fn: func(string) (*api.Secret, error) {
+	getter := &k8s.FakeSecret{
+		FnGet: func(string) (*api.Secret, error) {
 			return &secret, nil
 		},
 	}
@@ -172,8 +172,8 @@ func TestGetRegistryDetailsGCRSuccess(t *testing.T) {
 	configData := make(map[string][]byte)
 	configData[api.DockerConfigJsonKey] = auth
 	configSecret := api.Secret{Data: configData}
-	configGetter := &k8s.FakeSecretGetter{
-		Fn: func(string) (*api.Secret, error) {
+	configGetter := &k8s.FakeSecret{
+		FnGet: func(string) (*api.Secret, error) {
 			return &configSecret, nil
 		},
 	}
@@ -185,8 +185,8 @@ func TestGetRegistryDetailsGCRSuccess(t *testing.T) {
 		`)
 	data := map[string][]byte{"key.json": srvAccount}
 	secret := api.Secret{Data: data}
-	getter := &k8s.FakeSecretGetter{
-		Fn: func(string) (*api.Secret, error) {
+	getter := &k8s.FakeSecret{
+		FnGet: func(string) (*api.Secret, error) {
 			return &secret, nil
 		},
 	}
@@ -213,14 +213,14 @@ func TestGetRegistryDetailsGCRSuccess(t *testing.T) {
 
 func TestGetRegistryDetailsGCRConfigErr(t *testing.T) {
 	expectedErr := errors.New("get secret error")
-	configGetter := &k8s.FakeSecretGetter{
-		Fn: func(string) (*api.Secret, error) {
+	configGetter := &k8s.FakeSecret{
+		FnGet: func(string) (*api.Secret, error) {
 			return &api.Secret{}, expectedErr
 		},
 	}
 
-	getter := &k8s.FakeSecretGetter{
-		Fn: func(string) (*api.Secret, error) {
+	getter := &k8s.FakeSecret{
+		FnGet: func(string) (*api.Secret, error) {
 			return &api.Secret{}, nil
 		},
 	}
@@ -256,14 +256,14 @@ func TestGetRegistryDetailsGCRSecretErr(t *testing.T) {
 	configData := make(map[string][]byte)
 	configData[api.DockerConfigJsonKey] = auth
 	configSecret := api.Secret{Data: configData}
-	configGetter := &k8s.FakeSecretGetter{
-		Fn: func(string) (*api.Secret, error) {
+	configGetter := &k8s.FakeSecret{
+		FnGet: func(string) (*api.Secret, error) {
 			return &configSecret, nil
 		},
 	}
 
-	getter := &k8s.FakeSecretGetter{
-		Fn: func(string) (*api.Secret, error) {
+	getter := &k8s.FakeSecret{
+		FnGet: func(string) (*api.Secret, error) {
 			return &api.Secret{}, expectedErr
 		},
 	}
@@ -299,16 +299,16 @@ func TestGetRegistryDetailsGCRJsonErr(t *testing.T) {
 	configData := make(map[string][]byte)
 	configData[api.DockerConfigJsonKey] = auth
 	configSecret := api.Secret{Data: configData}
-	configGetter := &k8s.FakeSecretGetter{
-		Fn: func(string) (*api.Secret, error) {
+	configGetter := &k8s.FakeSecret{
+		FnGet: func(string) (*api.Secret, error) {
 			return &configSecret, nil
 		},
 	}
 
 	data := map[string][]byte{"key.json": []byte("test")}
 	secret := api.Secret{Data: data}
-	getter := &k8s.FakeSecretGetter{
-		Fn: func(string) (*api.Secret, error) {
+	getter := &k8s.FakeSecret{
+		FnGet: func(string) (*api.Secret, error) {
 			return &secret, nil
 		},
 	}