hashicorp / faas-nomad

OpenFaaS plugin for Nomad
https://www.openfaas.com
MIT License

Feature/secrets #48

Closed nicholasjackson closed 5 years ago

nicholasjackson commented 5 years ago

Add the capability to mount secrets inside an application using the Vault v1 secrets API. Further work needs to be done in order to interact with both the v1 and v2 APIs.

acornies commented 5 years ago

I pulled this code and tested it with Vault v0.9.6 (v1 secrets API) and it's mostly good, but I suggest we change one thing:

-               destPath := "/var/openfaas/secrets/" + key
+               destPath := "secrets/" + key

Since each Nomad alloc mounts /secrets anyway, we might as well use that. What do you think? Otherwise, we need to add a volume mapping to the container as well.

An agnostic function running on Nomad and Swarm might have to check multiple places (like the secrets example documentation).

Or we could also map /var/openfaas/secrets to the secrets alloc dir, using the volumes directive.

acornies commented 5 years ago

Something like this will allow us to use both the built-in secrets alloc dir and a mount to the appropriate place in the function container, /var/openfaas/secrets/:

@@ -129,7 +129,8 @@ func createTask(r requests.CreateFunctionRequest) *api.Task {
                        "port_map": []map[string]interface{}{
                                map[string]interface{}{"http": 8080},
                        },
-                       "labels": createLabels(r),
+                       "labels":  createLabels(r),
+                       "volumes": createSecretVolumes(r.Secrets),
                },
                Resources: createResources(r),
                Services: []*api.Service{
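Review bot: the `"volumes"` entry added next to `"labels"` is a Docker-driver-only config key, and the bind source `createSecretVolumes` produces (`secrets/<key>`) is a relative path; confirm that the driver resolves it against the same task directory the template in `createSecrets` writes to, and that templates render before the container starts, because a Docker bind mount whose source does not exist yet is created as an empty directory and would shadow the rendered file. A short comment on that line saying the secrets land at `/var/openfaas/secrets/<key>` inside the container would help, since the destination is only visible in the helper.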
@@ -157,6 +158,17 @@ func createAnnotations(r requests.CreateFunctionRequest) map[string]string {
        return annotations
 }

+func createSecretVolumes(secrets []string) []string {
+       newVolumes := []string{}
+       for _, s := range secrets {
+               parts := strings.Split(s, "/")
+               key := parts[len(parts)-1]
+               destPath := "secrets/" + key + ":/var/openfaas/secrets/" + key
+               newVolumes = append(newVolumes, destPath)
+       }
+       return newVolumes
+}
+
 func createLabels(r requests.CreateFunctionRequest) []map[string]interface{} {
        labels := []map[string]interface{}{}
        if r.Labels != nil {
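Review bot: `createSecretVolumes` takes `key := parts[len(parts)-1]` with no validation, so two secrets that share a final segment (e.g. `secret/a/token` and `secret/b/token`) both map to `secrets/token:/var/openfaas/secrets/token` and the later one silently wins, and an entry ending in `/` yields an empty key and a mount of the whole `secrets/` directory at `/var/openfaas/secrets/`. Reject empty and duplicate keys and return an error alongside the `[]string` rather than a bare list. The split also duplicates the code in `createSecrets`; factoring it into one helper keeps the template `DestPath` and the volume source from drifting apart.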
@@ -249,7 +261,7 @@ func createSecrets(secrets []string) []*api.Template {
                parts := strings.Split(s, "/")
                path := strings.Join(parts[:len(parts)-1], "/")
                key := parts[len(parts)-1]
-               destPath := "/var/openfaas/secrets/" + key
+               destPath := "secrets/" + key

                embeddedTemplate := fmt.Sprintf(`{{with secret "%s"}}{{.Data.%s}}{{end}}`, path, key)
                template := &api.Template{
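Review bot: `key` is formatted unescaped into `{{.Data.%s}}`, so a key that is not a valid Go template identifier (a hyphen, a leading digit) fails to parse and breaks the whole template at deploy time; validate it or use `{{index .Data "<key>"}}`. `path` is likewise spliced with `%s` inside the double-quoted `secret "..."` argument, so a path containing `"` breaks the template; `%q` handles that. `.Data.<key>` is the KV v1 layout, consistent with the PR description, so a comment noting that v2 needs `.Data.data.<key>` would help whoever picks up the follow-up. The `api.Template` literal is cut off here; make sure `Perms` is set so the rendered file in the task directory is not world-readable.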
acornies commented 5 years ago

Also, gateway 0.9.3 is working as expected.

acornies commented 5 years ago

I've opened #50 to address some of the things I found in testing.