Page MenuHomePhabricator
Create Task
Maniphest T261988

Separate secrets from config at rest so main config can be public
Closed, ResolvedPublic
Actions

Description

The current setup of a local config file in the tool's $HOME that includes both the secrets and non-secret config works well for running, but makes sharing the config with the community difficult. It would be nicer to change things so that config is assembled from a combination of public and private configs.

There are many ways this could be done. One that might actually solve some other issues would be to use an init container and a non-persistent volume to merge config at pod startup into a volume and then mount that volume from the main container. The additional issue that could be solved with this is also putting the remotenickformat.tengo script into the volume so that its reads are not hits against NFS.

A lower tech method would just be doing whatever the merge operation is in the tool's $HOME before starting the pod.

Related Objects
Search...

Event Timeline

bd808 created this task.Sep 3 2020, 8:39 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 3 2020, 8:39 PM
bd808 added a comment.Sep 3 2020, 8:41 PM

If the init container method is used, it might be interesting to use https://kubernetes.io/docs/concepts/configuration/secret/ to store the various passwords and tokens that are needed in the config.

bd808 triaged this task as Low priority.May 23 2021, 9:48 PM
bd808 added a parent task: T261989: Add a webservice to display running config.
bd808 added a comment.Mar 15 2023, 10:52 PM

Apparently envvars can be used to override some settings. This could be combined with the idea of using k8s secrets for storage as well by using https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#configure-all-key-value-pairs-in-a-secret-as-container-environment-variables.

bd808 closed this task as Resolved.Apr 28 2024, 3:10 AM
bd808 claimed this task.
bd808 moved this task from To Do to Done on the Tool-bridgebot board.

This was done as part of T363028: Replace custom deployment with build service and job service. I also re-learned about T261988#8700389 during that project. :)

Restricted Application added a project: User-bd808. · View Herald TranscriptApr 28 2024, 3:10 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL