Merge pull request #13 from gammadia/secrets

Basic secret feature for Jobfiles
tipee-sa · Nov 7, 2023 · 05e2cb7 · 05e2cb7
2 parents ec33143 + cc29906
commit 05e2cb7
Show file tree

Hide file tree

Showing 9 changed files with 287 additions and 241 deletions.
diff --git a/client/jobfile/jobfile.go b/client/jobfile/jobfile.go
@@ -18,6 +18,7 @@ type Jobfile struct {
 	Name     string
 	Steps    []JobfileImage
 	Env      map[string]string
+	Secrets  map[string]string
 	Services map[string]JobfileService
 	Tasks    []string
 }

diff --git a/client/jobfile/reader.go b/client/jobfile/reader.go
@@ -78,6 +78,14 @@ func Read(file string, options ReadOptions) (job *proto.Job, err error) {
 			}
 		})
 	}
+	if len(jobfile.Secrets) > 0 {
+		job.Secrets = lo.MapToSlice(jobfile.Secrets, func(key string, value string) *proto.Job_Env {
+			return &proto.Job_Env{
+				Key:   key,
+				Value: value,
+			}
+		})
+	}
 
 	for name, service := range jobfile.Services {
 		jobService := &proto.Job_Service{

diff --git a/proto/alfred.pb.go b/proto/alfred.pb.go
diff --git a/proto/alfred.proto b/proto/alfred.proto
@@ -21,8 +21,9 @@ message Job {
     string about = 2;
     repeated string steps = 3;
     repeated Env env = 4;
-    repeated Service services = 5;
-    repeated string tasks = 6;
+    repeated Env secrets = 5;
+    repeated Service services = 6;
+    repeated string tasks = 7;
 
     message Service {
         string name = 1;

diff --git a/provisioner/internal/docker.go b/provisioner/internal/docker.go
@@ -2,6 +2,7 @@ package internal
 
 import (
 	"context"
+	"encoding/base64"
 	"fmt"
 	"io"
 	"log/slog"
@@ -233,14 +234,29 @@ func RunContainer(
 	for i, image := range task.Job.Steps {
 		// Using a func here so that defer are called between each iteration
 		if err := func(stepIndex int) error {
+			secretEnv := []string{}
+			for _, secret := range task.Job.Secrets {
+				if runConfig.SecretLoader == nil {
+					return fmt.Errorf("no secret loader available")
+				}
+				secretData, err := runConfig.SecretLoader(secret.Value)
+				if err != nil {
+					return fmt.Errorf("failed to load secret '%s': %w", secret.Key, err)
+				}
+				secretEnv = append(secretEnv, fmt.Sprintf("%s=%s", secret.Key, base64.StdEncoding.EncodeToString(secretData)))
+			}
+
 			resp, err := docker.ContainerCreate(
 				ctx,
 				&container.Config{
 					Image: image,
 					Env: append(
-						lo.Map(task.Job.Env, func(jobEnv *proto.Job_Env, _ int) string {
-							return fmt.Sprintf("%s=%s", jobEnv.Key, jobEnv.Value)
-						}),
+						append(
+							lo.Map(task.Job.Env, func(jobEnv *proto.Job_Env, _ int) string {
+								return fmt.Sprintf("%s=%s", jobEnv.Key, jobEnv.Value)
+							}),
+							secretEnv...,
+						),
 						[]string{
 							fmt.Sprintf("ALFRED_TASK=%s", task.Name),
 							"ALFRED_SHARED=/alfred/shared",

diff --git a/scheduler/config.go b/scheduler/config.go
@@ -8,13 +8,15 @@ import (
 )
 
 type ArtifactPreserver func(io.Reader, *Task) error
+type SecretLoader func(string) ([]byte, error)
 
 type Config struct {
 	ArtifactPreserver           ArtifactPreserver `json:"-"`
 	Logger                      *slog.Logger      `json:"-"`
 	MaxNodes                    int               `json:"max-nodes"`
 	ProvisioningDelay           time.Duration     `json:"provisioning-delay"`
 	ProvisioningFailureCooldown time.Duration     `json:"provisioning-failure-cooldown"`
+	SecretLoader                SecretLoader      `json:"-"`
 	TasksPerNode                int               `json:"tasks-per-node"`
 }
 

diff --git a/scheduler/node.go b/scheduler/node.go
@@ -26,6 +26,7 @@ func (ns NodeStatus) AsProto() proto.NodeStatus_Status {
 
 type RunTaskConfig struct {
 	ArtifactPreserver ArtifactPreserver
+	SecretLoader      SecretLoader
 }
 
 type Node interface {

diff --git a/scheduler/scheduler.go b/scheduler/scheduler.go
@@ -379,6 +379,7 @@ func (s *Scheduler) watchTaskExecution(nodeState *nodeState, slot int, task *Tas
 
 	runConfig := RunTaskConfig{
 		ArtifactPreserver: s.config.ArtifactPreserver,
+		SecretLoader:      s.config.SecretLoader,
 	}
 
 	task.log.Info("Running task")

diff --git a/server/scheduler.go b/server/scheduler.go
@@ -31,6 +31,7 @@ func createScheduler() error {
 		MaxNodes:                    viper.GetInt(flags.MaxNodes),
 		ProvisioningDelay:           viper.GetDuration(flags.ProvisioningDelay),
 		ProvisioningFailureCooldown: viper.GetDuration(flags.ProvisioningFailureCooldown),
+		SecretLoader:                loadSecret,
 		TasksPerNode:                viper.GetInt(flags.TasksPerNode),
 	}
 	if err := schedulerpkg.Validate(config); err != nil {
@@ -65,6 +66,10 @@ func preserveArtifacts(reader io.Reader, task *schedulerpkg.Task) error {
 	return nil
 }
 
+func loadSecret(secret string) ([]byte, error) {
+	return os.ReadFile(path.Join(dataRoot, "secrets", secret))
+}
+
 func createProvisioner() (schedulerpkg.Provisioner, error) {
 	logger := log.Base.With("component", "provisioner")
 	switch p := viper.GetString(flags.Provisioner); p {