Closed nicholasjackson closed 5 years ago
I pulled this code and tested it with vault v0.9.6 (V1 secrets API) and it's mostly good, but I suggest we change one thing:
- destPath := "/var/openfaas/secrets/" + key
+ destPath := "secrets/" + key
Since each Nomad alloc mounts /secrets anyway, we might as well use that. What do you think? Otherwise, we need to add a volume mapping to the container as well.
An agnostic function running on Nomad and Swarm might have to check multiple places (like the secrets example documentation).
Or we could also map /var/openfaas/secrets to the secrets alloc dir, using the volumes directive.
Something like this will allow us to use both the built-in secrets alloc dir, mounted to the appropriate place in the function container /var/openfaas/secrets/:
@@ -129,7 +129,8 @@ func createTask(r requests.CreateFunctionRequest) *api.Task {
"port_map": []map[string]interface{}{
map[string]interface{}{"http": 8080},
},
- "labels": createLabels(r),
+ "labels": createLabels(r),
+ "volumes": createSecretVolumes(r.Secrets),
},
Resources: createResources(r),
Services: []*api.Service{
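Review bot: the `- "labels": createLabels(r),` / `+ "labels": createLabels(r),` pair at the top of this hunk is a whitespace-only change (the two lines are otherwise identical), which adds noise to the review; consider leaving that line untouched or applying gofmt in a separate commit. Also, `"volumes"` is now always present in the driver config even when `r.Secrets` is empty, so functions with no secrets carry an empty volume list; setting the key only when `len(r.Secrets) > 0` keeps the generated job spec identical to the previous one for those functions.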
@@ -157,6 +158,17 @@ func createAnnotations(r requests.CreateFunctionRequest) map[string]string {
return annotations
}
+func createSecretVolumes(secrets []string) []string {
+ newVolumes := []string{}
+ for _, s := range secrets {
+ parts := strings.Split(s, "/")
+ key := parts[len(parts)-1]
+ destPath := "secrets/" + key + ":/var/openfaas/secrets/" + key
+ newVolumes = append(newVolumes, destPath)
+ }
+ return newVolumes
+}
+
func createLabels(r requests.CreateFunctionRequest) []map[string]interface{} {
labels := []map[string]interface{}{}
if r.Labels != nil {
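Review bot: createSecretVolumes takes the last `/`-separated segment of each secret as the key with no validation, so a value ending in `/` (empty key) yields `secrets/:/var/openfaas/secrets/`, and a key of `.` or `..` would bind the task's whole secrets directory or task directory into the container instead of a single file; reject empty, `.` and `..` keys (and ideally restrict keys to plain file-name characters) before building the volume string. The split-and-take-last logic is also duplicated in createSecrets (the third hunk below), so a small shared helper returning (path, key) would keep the template DestPath and the volume source from drifting apart.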
@@ -249,7 +261,7 @@ func createSecrets(secrets []string) []*api.Template {
parts := strings.Split(s, "/")
path := strings.Join(parts[:len(parts)-1], "/")
key := parts[len(parts)-1]
- destPath := "/var/openfaas/secrets/" + key
+ destPath := "secrets/" + key
embeddedTemplate := fmt.Sprintf(`{{with secret "%s"}}{{.Data.%s}}{{end}}`, path, key)
template := &api.Template{
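Review bot: the new DestPath `"secrets/" + key` is relative to the task directory and must stay byte-for-byte equal to the source half of the volume string built in createSecretVolumes, otherwise the template renders a file that is never mounted; deriving both strings from one helper avoids that silent mismatch. Separately, on the unchanged line below it the Vault path and key are interpolated into the template text with fmt.Sprintf unquoted, so a key containing `"` or `}}` would produce a broken or altered template; validating the key against a strict character set at the point where it is derived closes that off.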
Also, gateway 0.9.3 is working as expected.
I've opened #50 to address some of the things I found in testing.
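As an added example (not the project's code), the two helpers from the diff above folded into one function that derives the template DestPath and the volume string from a single validated key, so the two cannot drift apart and an empty, `.` or `..` key cannot turn into a directory mount; the key character set and the sample Vault path are assumptions:

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Assumed for this example: a key must look like a plain file name so the
// volume string cannot reference a parent or the whole secrets directory.
var secretKeyPattern = regexp.MustCompile(`^[A-Za-z0-9_.-]+$`)

// SecretMount keeps the template destination and the volume mapping together.
type SecretMount struct {
	VaultPath string // Vault path the template reads, e.g. "secret/openfaas"
	DestPath  string // api.Template DestPath, relative to the task directory
	Volume    string // Docker volume string for the task's "volumes" config
}

// BuildSecretMounts derives one mount per "<vault path>/<key>" string,
// rejecting keys that are empty, ".", "..", or contain unexpected characters.
func BuildSecretMounts(secrets []string) ([]SecretMount, error) {
	mounts := make([]SecretMount, 0, len(secrets))
	for _, s := range secrets {
		parts := strings.Split(s, "/")
		key := parts[len(parts)-1]
		if key == "." || key == ".." || !secretKeyPattern.MatchString(key) {
			return nil, fmt.Errorf("invalid secret key %q in %q", key, s)
		}
		path := strings.Join(parts[:len(parts)-1], "/")
		if path == "" {
			return nil, fmt.Errorf("secret %q has no Vault path component", s)
		}
		mounts = append(mounts, SecretMount{
			VaultPath: path,
			DestPath:  "secrets/" + key,
			Volume:    "secrets/" + key + ":/var/openfaas/secrets/" + key,
		})
	}
	return mounts, nil
}

func main() {
	mounts, err := BuildSecretMounts([]string{"secret/openfaas/db_password"}) // constructed sample
	if err != nil {
		panic(err)
	}
	fmt.Println(mounts[0].DestPath, "->", mounts[0].Volume)
}
```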
Add the capability to mount secrets inside an application using the Vault v1 secrets API; further work needs to be done in order to interact with both the v1 and v2 APIs.