Open nycnewman opened 4 years ago
This would be awesome, and I'd be happy to open a PR to add this capability as well, though I'd need some guidance for the desired implementation approach
This would be very nice to have, I'm currently a bit lost on how to properly implement a secret integration between konlet/cos and my container.
After 4 years, it's amazing that Container Optimised OS is still not able to support loading secrets from Secret Manager. Google, please wake up and see what is available from other competitors.
You can use this script to get the secret value. Credits to Gemini, I guess
#!/bin/bash
# Abort on any failed command or failed pipeline stage (e.g. curl, jq, base64).
set -euo pipefail
# Set the project ID
PROJECT_ID="your-project-id"
# Set the secret ID
SECRET_ID="foobarbaz"
# Set the version (optional, defaults to 'latest')
VERSION="latest" # or a specific version number
# Get an access token for the instance's default service account from the metadata server.
# -f makes curl exit non-zero on an HTTP error instead of piping an error body onward.
ACCESS_TOKEN=$(curl -fsS "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token" \
-H "Metadata-Flavor: Google" | jq -r '.access_token')
# Construct the Secret Manager API URL
API_URL="https://secretmanager.googleapis.com/v1/projects/$PROJECT_ID/secrets/$SECRET_ID/versions/$VERSION:access"
# Make the API call using curl; the payload comes back base64-encoded in .payload.data.
# The service account needs roles/secretmanager.secretAccessor on the secret.
SECRET_VALUE=$(curl -fsS -H "Authorization: Bearer $ACCESS_TOKEN" "$API_URL" | jq -r '.payload.data' | base64 -d)
# Note: printing the value puts the secret into the console/serial log; in practice pass it
# on to the container instead of echoing it.
echo "The secret value is: $SECRET_VALUE"
Seems that a minor change to konlet-startup would enable the use of Secret Manager to inject environment variables directly into the container from Secret Manager. Using the existing auth credentials, one could make a call to Secret Manager after it calls the metadata store, get the secrets and map them to environment variables. Something along the lines of:
We are going to see about creating a Pull Request with this change
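The mapping described in the previous comment (service-account token from the metadata server, one Secret Manager access call per secret, result exposed to the container as an environment variable) can be done today in a cloud-init startup script on the COS host, without waiting for a konlet change. The script below is an added example and is not konlet's code or anything from this repository: it reads a small mapping file of `ENV_NAME=projects/P/secrets/S/versions/V` lines, fetches each version, and writes an env file for `docker run --env-file`. The mapping file path, the output path, the project and secret names, and the `SECRET_FETCHER` override (which exists so the logic can be exercised without network access) are all assumptions of this example. It avoids `jq`, which COS does not ship by default, by extracting the two JSON string fields with `sed`; that is safe here because neither an OAuth token nor a base64 payload can contain a double quote.

```bash
#!/bin/bash
# Added example, not konlet's code: map Secret Manager secret versions to
# container environment variables via a file for `docker run --env-file`.
# Mapping line format (names are placeholders):
#   DB_PASSWORD=projects/my-proj/secrets/db-pass/versions/latest
set -euo pipefail

METADATA_URL="http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token"
SM_API="https://secretmanager.googleapis.com/v1"

# Extract one JSON string field from stdin without jq. Sufficient for an
# access token and a base64 payload, neither of which can contain a quote.
json_string_field() {            # usage: json_string_field <field> <<< "$json"
  sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# Token for the instance's default service account; -f fails on HTTP errors.
get_access_token() {
  curl -fsS -H "Metadata-Flavor: Google" "$METADATA_URL" | json_string_field access_token
}

# Fetch one secret version by full resource name and print the decoded payload.
# The service account needs roles/secretmanager.secretAccessor on the secret.
fetch_secret() {                 # usage: fetch_secret projects/P/secrets/S/versions/V
  local token
  token=$(get_access_token)
  curl -fsS -H "Authorization: Bearer $token" "$SM_API/$1:access" \
    | json_string_field data | base64 -d
}

# Validate one mapping line: VAR must be a legal environment variable name and
# the right-hand side a full Secret Manager version path. Prints "VAR<TAB>res".
parse_mapping_line() {
  local line=$1
  local var=${line%%=*} res=${line#*=}
  [[ $var =~ ^[A-Za-z_][A-Za-z0-9_]*$ ]] || return 1
  [[ $res =~ ^projects/[^/]+/secrets/[^/]+/versions/[^/]+$ ]] || return 1
  printf '%s\t%s\n' "$var" "$res"
}

# Render the env file. SECRET_FETCHER (assumed hook for this example) lets the
# mapping logic run against a stand-in fetcher; the default calls the real API.
render_env_file() {              # usage: render_env_file <mapping_file> <out_file>
  local mapping=$1 out=$2 fetcher=${SECRET_FETCHER:-fetch_secret}
  local line parsed var res value
  # Create the file root-only before any secret is written to it. Put it on
  # tmpfs (e.g. /run) so plaintext never reaches the persistent disk.
  ( umask 077; : > "$out" )
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac          # blanks and comments
    parsed=$(parse_mapping_line "$line") || { echo "malformed mapping: $line" >&2; return 1; }
    IFS=$'\t' read -r var res <<< "$parsed"
    # $(...) strips trailing newlines, which is what you want for secrets
    # that were created with `echo`. Embedded newlines cannot be expressed in
    # an --env-file (values are taken literally, one per line), so refuse them.
    value=$("$fetcher" "$res")
    case "$value" in *$'\n'*) echo "$var: multi-line secret cannot go in an env file" >&2; return 1 ;; esac
    printf '%s=%s\n' "$var" "$value" >> "$out"
  done < "$mapping"
}

# Host usage (paths are assumptions):
#   render_env_file /etc/container-secrets.map /run/container.env
#   docker run --env-file /run/container.env ...
if [ $# -eq 2 ]; then render_env_file "$1" "$2"; fi
```

Two caveats worth keeping in mind with this approach: the env file is plaintext on the host for the lifetime of the container, so it should live on tmpfs and be deleted after `docker run` has read it, and `docker inspect` will still show the values to anyone with access to the Docker socket. Mounting the rendered file into the container as a volume instead of using `--env-file` avoids the second problem at the cost of the application having to read it itself.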