Merge pull request #587 from helgi/env_as_secrets

feat(scheduler): store env vars as secrets in k8s and map them in the RC

Author: helgi

rootfs/api/models/app.py

@@ -535,7 +535,8 @@ def pod_name(size=5, chars=string.ascii_lowercase + string.digits):
             'memory': release.config.memory,
             'cpu': release.config.cpu,
             'tags': release.config.tags,
-            'envs': release.config.values
+            'envs': release.config.values,
+            'version': "v{}".format(release.version),
         }
 
         try:

rootfs/scheduler/__init__.py

@@ -377,9 +377,15 @@ def deploy(self, namespace, name, image, command, **kwargs):
                 new_rc["metadata"]["name"], desired)
             )
 
-            # Remove old release
+            # Remove new release
             self._scale_rc(namespace, new_rc["metadata"]["name"], 0)
             self._delete_rc(namespace, new_rc["metadata"]["name"])
+            # remove secret that contains env vars for the release
+            try:
+                secret_name = "{}-{}-env".format(namespace, kwargs.get('version'))
+                self._delete_secret(namespace, secret_name)
+            except KubeHTTPException:
+                pass
 
             # Bring back old release if available
             if old_rc:
@@ -390,6 +396,12 @@ def deploy(self, namespace, name, image, command, **kwargs):
         # New release is live and kicking. Clean up old release
         if old_rc:
             self._delete_rc(namespace, old_rc["metadata"]["name"])
+            # remove secret that contains env vars for the release
+            secret_name = "{}-{}-env".format(namespace, old_rc['metadata']['labels']['version'])
+            try:
+                self._delete_secret(namespace, secret_name)
+            except KubeHTTPException:
+                pass
 
         # Make sure the application is routable and uses the correct port
         # Done after the fact to let initial deploy settle before routing
@@ -520,7 +532,7 @@ def run(self, namespace, name, image, entrypoint, command, **kwargs):
         containers['command'] = [entrypoint]
         containers['args'] = args
 
-        self._set_environment(containers, **kwargs)
+        self._set_environment(containers, namespace, **kwargs)
 
         url = self._api("/namespaces/{}/pods", namespace)
         response = self.session.post(url, json=template)
@@ -564,7 +576,7 @@ def run(self, namespace, name, image, entrypoint, command, **kwargs):
 
         return 0, data
 
-    def _set_environment(self, data, **kwargs):
+    def _set_environment(self, data, namespace, **kwargs):
         app_type = kwargs.get('app_type')
         mem = kwargs.get('memory', {}).get(app_type)
         cpu = kwargs.get('cpu', {}).get(app_type)
@@ -575,10 +587,30 @@ def _set_environment(self, data, **kwargs):
             data['env'] = []
 
         if env:
-            for key, value in env.items():
+            # env vars are stored in secrets and mapped to env in k8s
+            try:
+                # secrets use dns labels for keys, map those properly here
+                secrets_env = {}
+                for key, value in env.items():
+                    secrets_env[key.lower().replace('_', '-')] = str(value)
+
+                secret_name = "{}-{}-env".format(namespace, kwargs.get('version'))
+                self._get_secret(namespace, secret_name)
+            except KubeHTTPException:
+                self._create_secret(namespace, secret_name, secrets_env)
+            else:
+                self._update_secret(namespace, secret_name, secrets_env)
+
+            for key in env.keys():
                 data["env"].append({
                     "name": key,
-                    "value": str(value)
+                    "valueFrom": {
+                        "secretKeyRef": {
+                            "name": secret_name,
+                            # k8s doesn't allow _ so translate to -, see above
+                            "key": key.lower().replace('_', '-')
+                        }
+                    }
                 })
 
         # Inject debugging if workflow is in debug mode
@@ -906,7 +938,7 @@ def _create_rc(self, namespace, name, image, command, **kwargs):  # noqa
         container = template["spec"]["template"]["spec"]["containers"][0]
         container['args'] = args
 
-        self._set_environment(container, **kwargs)
+        self._set_environment(container, namespace, **kwargs)
 
         # add in healtchecks
         if kwargs.get('healthcheck'):
@@ -1047,7 +1079,26 @@ def _create_secret(self, namespace, name, data):
         url = self._api("/namespaces/{}/secrets", namespace)
         response = self.session.post(url, json=template)
         if unhealthy(response.status_code):
-            error(response, 'failed to create secret "{}" in Namespace "{}"', name, namespace)
+            error(response, 'failed to create Secret "{}" in Namespace "{}"', name, namespace)
+
+        return response
+
+    def _update_secret(self, namespace, name, data):
+        template = json.loads(string.Template(SECRET_TEMPLATE).substitute({
+            "version": self.apiversion,
+            "id": namespace,
+            "name": name
+        }))
+
+        for key, value in data.items():
+            value = value if isinstance(value, bytes) else bytes(value, 'UTF-8')
+            item = base64.b64encode(value).decode()
+            template["data"].update({key: item})
+
+        url = self._api("/namespaces/{}/secrets/{}", namespace, name)
+        response = self.session.put(url, json=template)
+        if unhealthy(response.status_code):
+            error(response, 'failed to update Secret "{}" in Namespace "{}"', name, namespace)
 
         return response