[toolforge] Create envvars management offering
Closed, ResolvedPublic

Description

Following T335979: Decision request - Toolforge envvars/secrets service and T334578: [toolforge] Create a secrets management offering to avoid storing on NFS, this task is to implement the service to allow setting secret envvars on toolforge:

Have an envvar cli (and API) that allows setting environment variables for the app environment, that would be a superset as env vars would be secrets and not secrets (no specific cli for secrets).

The implementation is being done here: https://gitlab.wikimedia.org/repos/cloud/toolforge/envvars-api/-/merge_requests/2

It will need three components:

  • An API to manage the envvars
  • A cli to allow users to interact with the api (part of toolforge cli)
  • An admission controller to add the envvars to the pods when creating them, this would be similar to the volume-admission-controller using the app=toolforge selector and adding any secrets in the same namespace with that label to the pod as environment vars named ENVVAR_<secret_name>, where secret_name is the name of the k8s secret object.

Docs are here:

Event Timeline

It will need three components:
[..]

  • An admission controller to add the envvars to the pods when creating them, this would be similar to the volume-admission-controller

May I suggest not creating another custom admission controller and do T335131: Toolforge: replace admission controllers with an existing policy admin project instead given we have agreed on moving forward with it anyway.

It will need three components:
[..]

  • An admission controller to add the envvars to the pods when creating them, this would be similar to the volume-admission-controller

May I suggest not creating another custom admission controller and do T335131: Toolforge: replace admission controllers with an existing policy admin project instead given we have agreed on moving forward with it anyway.

You may :)

How long do you think that will take? (a custom admission controller would be fairly easy to implement, given that we already know how to and have templates for it).

Another option is to move the logic to an existing one (volume-admission-controller?) or to move it to the webservice cli (that hopefully might become an API, I think there it would be better suited).

Mentioned in SAL (#wikimedia-cloud) [2023-06-20T12:04:42Z] <dcaro> deployed api-gateway with envvars endpoint support (T337538)

Mentioned in SAL (#wikimedia-cloud) [2023-06-20T12:11:18Z] <dcaro> deploy toolforge-envvars-cli (upgrades python3-toolforge-weld) (T337538)

dcaro updated the task description.
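
The mutation step of the admission controller from the task description, as an added example (not code from the envvars-api merge request or from any Toolforge repository): it builds the JSONPatch that adds ENVVAR_<secret_name> entries for the labelled secrets of the request's namespace. The function names, the "value" key inside each Secret, the choice of secretKeyRef over copying values, and the sample objects are assumptions.

```python
import base64
import json

SECRET_KEY = "value"  # assumption: the key holding the value inside each Secret

def envvar_patch(namespace, pod, secrets):
    """JSONPatch ops that add ENVVAR_<secret_name> to each container of pod."""
    names = sorted(
        s["metadata"]["name"]
        for s in secrets
        if s["metadata"].get("namespace") == namespace
        and s["metadata"].get("labels", {}).get("app") == "toolforge"
    )
    ops = []
    for i, container in enumerate(pod["spec"]["containers"]):
        env = container.get("env") or []
        present = {e["name"] for e in env}
        new = [
            # secretKeyRef keeps the secret value itself out of the pod spec.
            {"name": f"ENVVAR_{n}",
             "valueFrom": {"secretKeyRef": {"name": n, "key": SECRET_KEY}}}
            for n in names
            if f"ENVVAR_{n}" not in present  # never override what the pod sets
        ]
        path = f"/spec/containers/{i}/env"
        if new and not env:
            # Appending to ".../env/-" fails when the array is missing: create it.
            ops.append({"op": "add", "path": path, "value": new})
        else:
            ops += [{"op": "add", "path": path + "/-", "value": e} for e in new]
    return ops

def admission_response(uid, ops):
    """AdmissionReview v1 response carrying the base64-encoded patch."""
    resp = {"uid": uid, "allowed": True}
    if ops:
        resp["patchType"] = "JSONPatch"
        resp["patch"] = base64.b64encode(json.dumps(ops).encode()).decode()
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": resp}

# Constructed sample objects (not taken from Toolforge).
SECRETS = [
    {"metadata": {"name": "dbpass", "namespace": "tool-x", "labels": {"app": "toolforge"}}},
    {"metadata": {"name": "other", "namespace": "tool-x", "labels": {}}},
]
POD = {"spec": {"containers": [{"name": "web"}, {"name": "job", "env": [
    {"name": "ENVVAR_dbpass", "value": "set-in-pod"}]}]}}
```

The namespace is passed in separately because the pod object in a CREATE admission request may not carry metadata.namespace; the request's own namespace field is the one to filter on.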