Page MenuHomePhabricator
Create Task
Maniphest T337538

[toolforge] Create envvars management offering
Closed, ResolvedPublic
Actions

Description

Following T335979: Decision request - Toolforge envvars/secrets service and T334578: [toolforge] Create a secrets management offering to avoid storing on NFS, this tasks is to implement the service to allow setting secret envvars on toolforge:

Have an envvar cli (and API) that allows setting environment variables for the app environment, that would be a superset as env vars would be secrets and not secrets (no specific cli for secrets).

The implementation is being done here: https://gitlab.wikimedia.org/repos/cloud/toolforge/envvars-api/-/merge_requests/2

It will need three components:

  • An API to manage the envvars
  • A cli to allow users to interact with the api (part of toolforge cli)
  • An admission controller to add the envvars to the pods when creating them, this would be similar to the volume-admission-controller using the app=toolforge selector and adding any secrets in the same namespace with that label to the pod as enviroment vars named ENVVAR_<secret_name>, where secret_name is the name of the k8s secret object.

Docs are here:

Related Objects
Search...

Event Timeline

dcaro created this task.May 26 2023, 8:48 AM
dcaro added a parent task: T335979: Decision request - Toolforge envvars/secrets service.
dcaro mentioned this in T336478: Request creation of gitlabsonarbot VPS project.May 26 2023, 8:54 AM
aborrero added a comment.May 26 2023, 11:51 AM

It will need three components:
[..]

  • An admission controller to add the envvars to the pods when creating them, this would be similar to the volume-admission-controller

May I suggest not creating another custom admission controller and do T335131: [infra,k8s] replace admission controllers with an existing policy admin project instead given we have agreed on moving forward with it anyway.

dcaro added a comment.May 26 2023, 12:37 PM
In T337538#8882700, @aborrero wrote:

It will need three components:
[..]

  • An admission controller to add the envvars to the pods when creating them, this would be similar to the volume-admission-controller

May I suggest not creating another custom admission controller and do T335131: [infra,k8s] replace admission controllers with an existing policy admin project instead given we have agreed on moving forward with it anyway.

You may :)

How long do you think that will take? (a custom admission controller would be fairly easy to implement, given that we already know how to and have templates for it).

Another option is to move the logic to an existing one (volume-admission-controller?) or to move it to the webservice cli (that hopefully might become an API, I think there it would be better suited).

CodeReviewBot added a comment.Jun 1 2023, 5:07 PM

dcaro opened https://gitlab.wikimedia.org/repos/cloud/toolforge/toolforge-envvars-cli/-/merge_requests/1

First working version

CodeReviewBot added a project: Patch-For-Review.Jun 1 2023, 5:07 PM
dcaro moved this task from Backlog to Iteration 15 on the Toolforge Build Service board.Jun 2 2023, 7:31 AM
dcaro edited projects, added Toolforge Build Service (Iteration 15); removed Toolforge Build Service.
dcaro moved this task from Next Up to In Progress on the Toolforge Build Service (Iteration 15) board.
dcaro changed the task status from Open to In Progress.Jun 2 2023, 7:34 AM
dcaro merged a task: T293671: [tbs] Find a way to easily and safely share secrets with buildpack services.
CodeReviewBot added a comment.Jun 2 2023, 9:39 AM

dcaro updated https://gitlab.wikimedia.org/repos/cloud/toolforge/envvars-admission-controller/-/merge_requests/1

First functional code

dcaro moved this task from In Progress to In Review on the Toolforge Build Service (Iteration 15) board.Jun 2 2023, 11:23 AM
CodeReviewBot added a comment.Jun 6 2023, 8:05 AM

dcaro opened https://gitlab.wikimedia.org/repos/cloud/toolforge/api-gateway/-/merge_requests/7

toolsbeta: enable envvars api

CodeReviewBot added a comment.Jun 13 2023, 8:52 AM

dcaro merged https://gitlab.wikimedia.org/repos/cloud/toolforge/api-gateway/-/merge_requests/7

toolsbeta: enable envvars api

KHernandez-WMF moved this task from Iteration 15 to Iteration 16 on the Toolforge Build Service board.Jun 13 2023, 1:40 PM
KHernandez-WMF edited projects, added Toolforge Build Service (Iteration 16); removed Toolforge Build Service (Iteration 15).
KHernandez-WMF moved this task from Next Up to In Review on the Toolforge Build Service (Iteration 16) board.
CodeReviewBot added a comment.Jun 16 2023, 8:39 AM

dcaro merged https://gitlab.wikimedia.org/repos/cloud/toolforge/toolforge-envvars-cli/-/merge_requests/1

First working version

CodeReviewBot added a comment.Jun 20 2023, 8:22 AM

dcaro merged https://gitlab.wikimedia.org/repos/cloud/toolforge/envvars-admission-controller/-/merge_requests/1

First functional code

Stashbot added a comment.Jun 20 2023, 12:04 PM

Mentioned in SAL (#wikimedia-cloud) [2023-06-20T12:04:42Z] <dcaro> deployed api-gateway with envvars endpoint support (T337538)

Stashbot added a comment.Jun 20 2023, 12:11 PM

Mentioned in SAL (#wikimedia-cloud) [2023-06-20T12:11:18Z] <dcaro> deploy toolforge-envvars-cli (upgrades pthyon3-toolforge-weld) (T337538)

dcaro closed this task as Resolved.Jun 20 2023, 12:13 PM
dcaro moved this task from In Review to Done on the Toolforge Build Service (Iteration 16) board.
dcaro updated the task description. (Show Details)Jun 21 2023, 7:16 AM
dcaro updated the task description. (Show Details)
Novem_Linguae subscribed.Mar 31 2024, 11:55 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits