Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Expose secret keys in environment variables #18298

Merged
merged 3 commits into from
Jan 20, 2016
Merged

Expose secret keys in environment variables #18298

merged 3 commits into from
Jan 20, 2016

Conversation

pmorie
Copy link
Member

@pmorie pmorie commented Dec 7, 2015

Fixes #4710. @erictune @thockin

cc @resouer
cc @bgrant0607 for API changes

@pmorie pmorie changed the title Secret env Expose secret keys in environment variables Dec 7, 2015
@k8s-github-robot
Copy link

Labelling this PR as size/L

@k8s-github-robot k8s-github-robot added kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Dec 7, 2015
@k8s-bot
Copy link

k8s-bot commented Dec 7, 2015

GCE e2e test build/test passed for commit 359c29429d89106f438c0b3ce917c215ec237ecd.

@ixdy ixdy removed their assignment Dec 7, 2015
erictune
erictune reviewed Dec 8, 2015
View reviewed changes
pkg/api/types.go
// Selects a field of the pod; only name and namespace are supported.
FieldRef *ObjectFieldSelector `json:"fieldRef,omitempty"`
// Selects a key of a secret in the pod's namespace
SecretKeyRef *SecretKeySelector `json:"secretKeyRef,omitempty"`
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I assume once we have configData, there will be a 3rd line? Seems fine.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

correct

@erictune
Copy link
Member

erictune commented Dec 8, 2015

Should there be a validation that only one of the valueFrom options is non-nil?

@erictune
Copy link
Member

erictune commented Dec 8, 2015

Seems like @bgrant0607 agreed with this approach in #4710.

@erictune erictune mentioned this pull request Dec 8, 2015
Closed
@pmorie
Copy link
Member Author

pmorie commented Dec 8, 2015

@erictune everything you pointed out i realized was a shortcoming of this PR after I started building another PR on top of it. I'll update w/ your feedback today.

liggitt
liggitt reviewed Dec 9, 2015
View reviewed changes
pkg/kubelet/kubelet.go
return result, err
}
case envVar.ValueFrom.SecretKeyRef != nil:
runtimeVal, err = kl.secretKeySelectorRuntimeValue(envVar.ValueFrom.SecretKeyRef, pod)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it will probably be likely to use the same secret multiple times in a single pod (multiple keys, or one key in multiple containers)... pass something to secretKeySelectorRuntimeValue to let it avoid looking up the same secret multiple times per pod?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

doable, i will incorporate in my next pass through this code

@k8s-github-robot k8s-github-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Dec 9, 2015
@pmorie pmorie mentioned this pull request Dec 11, 2015
Closed
@bgrant0607 bgrant0607 added the release-note Denotes a PR that will be considered when it comes time to generate release notes. label Jan 8, 2016
bgrant0607
bgrant0607 reviewed Jan 8, 2016
View reviewed changes
pkg/api/types.go
// SecretKeySelector selects a key of a Secret.
type SecretKeySelector struct {
// The name of the secret in the pod's namespace to select from.
SecretRef LocalObjectReference `json:"secretRef"`
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You could consider inlining LocalObjectReference.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Which you do in #18974

This was referenced Jan 8, 2016
Merged
Closed
@erictune
Copy link
Member

Are you planning to rework this to be more like #18974 or should I review now?

@pmorie
Copy link
Member Author

pmorie commented Jan 14, 2016

@erictune I'm actually about to begin re-cutting this PR from #18974 momentarily. I'll probably close #18974 out because I don't think I want to do the volume stuff for config and secrets that way anymore.

@pmorie pmorie mentioned this pull request Jan 18, 2016
Closed
1 task
@pmorie
Copy link
Member Author

pmorie commented Jan 18, 2016

@erictune Okay, PR is re-cut and ready for review, PTAL.

@pmorie
Copy link
Member Author

pmorie commented Jan 18, 2016

Actually, @erictune, I realize there is still an unhandled feedback item on this PR from you that I need to do.

@k8s-github-robot k8s-github-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jan 18, 2016
@k8s-bot
Copy link

k8s-bot commented Jan 18, 2016

GCE e2e test build/test passed for commit 394a7bb.

@k8s-bot
Copy link

k8s-bot commented Jan 18, 2016

GCE e2e test build/test passed for commit 60cf252.

@erictune
Copy link
Member

lgtm

@erictune
Copy link
Member

@k8s-bot unit test this please

@erictune erictune added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jan 20, 2016
@k8s-github-robot
Copy link

@k8s-bot test this [submit-queue is verifying that this PR is safe to merge]

@k8s-bot
Copy link

k8s-bot commented Jan 20, 2016

GCE e2e test build/test passed for commit 60cf252.

@k8s-github-robot
Copy link

Automatic merge from submit-queue

k8s-github-robot pushed a commit that referenced this pull request Jan 20, 2016
Merge pull request #18298 from pmorie/secret-env
1c861d4 
Auto commit by PR queue bot
@k8s-github-robot k8s-github-robot merged commit 1c861d4 into kubernetes:master Jan 20, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@erictune erictune

Labels
kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API lgtm "Looks good to me", indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
10 participants
@pmorie @k8s-github-robot @k8s-bot @erictune @liggitt @resouer @bgrant0607 @k8s-teamcity-mesosphere @googlebot @ixdy