cpl 1.2.0 → 1.4.0

data/lib/command/run_detached.rb

@@ -10,7 +10,8 @@ module Command
       image_option,
       workload_option,
       location_option,
-      use_local_token_option
+      use_local_token_option,
+      clean_on_failure_option
     ].freeze
     DESCRIPTION = "Runs one-off **_non-interactive_** replicas (close analog of `heroku run:detached`)"
     LONG_DESCRIPTION = <<~DESC
@@ -19,50 +20,46 @@ module Command
       - Implemented with only async execution methods, more suitable for production tasks
       - Has alternative log fetch implementation with only JSON-polling and no WebSockets
       - Less responsive but more stable, useful for CI tasks
+      - Deletes the workload whenever finished with success
+      - Deletes the workload whenever finished with failure by default
+      - Use `--no-clean-on-failure` to disable cleanup to help with debugging failed runs
     DESC
     EXAMPLES = <<~EX
       ```sh
       cpl run:detached rails db:prepare -a $APP_NAME
 
       # Need to quote COMMAND if setting ENV value or passing args.
-      cpl run:detached 'LOG_LEVEL=warn rails db:migrate' -a $APP_NAME
-
-      # COMMAND may also be passed at the end.
       cpl run:detached -a $APP_NAME -- 'LOG_LEVEL=warn rails db:migrate'
 
       # Uses a different image (which may not be promoted yet).
-      cpl run:detached rails db:migrate -a $APP_NAME --image appimage:123 # Exact image name
-      cpl run:detached rails db:migrate -a $APP_NAME --image latest       # Latest sequential image
+      cpl run:detached -a $APP_NAME --image appimage:123 -- rails db:migrate # Exact image name
+      cpl run:detached -a $APP_NAME --image latest -- rails db:migrate       # Latest sequential image
 
       # Uses a different workload than `one_off_workload` from `.controlplane/controlplane.yml`.
-      cpl run:detached rails db:migrate:status -a $APP_NAME -w other-workload
+      cpl run:detached -a $APP_NAME -w other-workload -- rails db:migrate:status
 
       # Overrides remote CPLN_TOKEN env variable with local token.
       # Useful when superuser rights are needed in remote container.
-      cpl run:detached rails db:migrate:status -a $APP_NAME --use-local-token
+      cpl run:detached -a $APP_NAME --use-local-token -- rails db:migrate:status
       ```
     EX
 
     WORKLOAD_SLEEP_CHECK = 2
 
-    attr_reader :location, :workload, :one_off, :container
+    attr_reader :location, :workload_to_clone, :workload_clone, :container
 
-    def call # rubocop:disable Metrics/MethodLength
+    def call
       @location = config.location
-      @workload = config.options["workload"] || config[:one_off_workload]
-      @one_off = "#{workload}-runner-#{rand(1000..9999)}"
+      @workload_to_clone = config.options["workload"] || config[:one_off_workload]
+      @workload_clone = "#{workload_to_clone}-runner-#{random_four_digits}"
 
-      step("Cloning workload '#{workload}' on app '#{config.options[:app]}' to '#{one_off}'") do
+      step("Cloning workload '#{workload_to_clone}' on app '#{config.options[:app]}' to '#{workload_clone}'") do
         clone_workload
       end
 
-      wait_for_workload(one_off)
+      wait_for_workload(workload_clone)
       show_logs_waiting
     ensure
-      if cp.fetch_workload(one_off)
-        progress.puts
-        ensure_workload_deleted(one_off)
-      end
       exit(1) if @crashed
     end
 
@@ -70,8 +67,8 @@ module Command
 
     def clone_workload # rubocop:disable Metrics/MethodLength
       # Get base specs of workload
-      spec = cp.fetch_workload!(workload).fetch("spec")
-      container_spec = spec["containers"].detect { _1["name"] == workload } || spec["containers"].first
+      spec = cp.fetch_workload!(workload_to_clone).fetch("spec")
+      container_spec = spec["containers"].detect { _1["name"] == workload_to_clone } || spec["containers"].first
       @container = container_spec["name"]
 
       # remove other containers if any
@@ -101,11 +98,12 @@ module Command
       container_spec.delete("ports")
 
       container_spec["env"] ||= []
-      container_spec["env"] << { "name" => "CONTROLPLANE_TOKEN", "value" => ControlplaneApiDirect.new.api_token }
+      container_spec["env"] << { "name" => "CONTROLPLANE_TOKEN",
+                                 "value" => ControlplaneApiDirect.new.api_token[:token] }
       container_spec["env"] << { "name" => "CONTROLPLANE_RUNNER", "value" => runner_script }
 
       # Create workload clone
-      cp.apply_hash("kind" => "workload", "name" => one_off, "spec" => spec)
+      cp.apply_hash("kind" => "workload", "name" => workload_clone, "spec" => spec)
     end
 
     def runner_script # rubocop:disable Metrics/MethodLength
@@ -119,12 +117,20 @@ module Command
       end
 
       script += <<~SHELL
-        if ! eval "#{args_join(config.args)}"; then echo "----- CRASHED -----"; fi
-
-        echo "-- FINISHED RUNNER SCRIPT, DELETING WORKLOAD --"
-        sleep 10 # grace time for logs propagation
-        curl ${CPLN_ENDPOINT}${CPLN_WORKLOAD} -H "Authorization: ${CONTROLPLANE_TOKEN}" -X DELETE -s -o /dev/null
-        while true; do sleep 1; done # wait for SIGTERM
+        crashed=0
+        if ! eval "#{args_join(config.args)}"; then
+          crashed=1
+          echo "----- CRASHED -----"
+        fi
+        clean_on_failure=#{config.options[:clean_on_failure] ? 1 : 0}
+        if [ $crashed -eq 0 ] || [ $clean_on_failure -eq 1 ]; then
+          echo "-- FINISHED RUNNER SCRIPT, DELETING WORKLOAD --"
+          sleep 30 # grace time for logs propagation
+          curl ${CPLN_ENDPOINT}${CPLN_WORKLOAD} -H "Authorization: ${CONTROLPLANE_TOKEN}" -X DELETE -s -o /dev/null
+          while true; do sleep 1; done # wait for SIGTERM
+        else
+          echo "-- FINISHED RUNNER SCRIPT --"
+        fi
       SHELL
 
       script
@@ -133,7 +139,8 @@ module Command
     def show_logs_waiting # rubocop:disable Metrics/MethodLength
       progress.puts("Scheduled, fetching logs (it's a cron job, so it may take up to a minute to start)...\n\n")
       begin
-        while cp.fetch_workload(one_off)
+        @finished = false
+        while cp.fetch_workload(workload_clone) && !@finished
           sleep(WORKLOAD_SLEEP_CHECK)
           print_uniq_logs
         end
@@ -151,6 +158,7 @@ module Command
 
       (entries - @printed_log_entries).sort.each do |(_ts, val)|
         @crashed = true if val.match?(/^----- CRASHED -----$/)
+        @finished = true if val.match?(/^-- FINISHED RUNNER SCRIPT(, DELETING WORKLOAD)? --$/)
         puts val
       end
 
@@ -158,7 +166,7 @@ module Command
     end
 
     def normalized_log_entries(from:, to:)
-      log = cp.log_get(workload: one_off, from: from, to: to)
+      log = cp.log_get(workload: workload_clone, from: from, to: to)
 
       log["data"]["result"]
         .each_with_object([]) { |obj, result| result.concat(obj["values"]) }

data/lib/command/setup_app.rb

@@ -4,16 +4,19 @@ module Command
   class SetupApp < Base
     NAME = "setup-app"
     OPTIONS = [
-      app_option(required: true)
+      app_option(required: true),
+      skip_secret_access_binding_option
     ].freeze
     DESCRIPTION = "Creates an app and all its workloads"
     LONG_DESCRIPTION = <<~DESC
       - Creates an app and all its workloads
       - Specify the templates for the app and workloads through `setup_app_templates` in the `.controlplane/controlplane.yml` file
       - This should only be used for temporary apps like review apps, never for persistent apps like production (to update workloads for those, use 'cpl apply-template' instead)
+      - Automatically binds the app to the secrets policy, as long as both the identity and the policy exist
+      - Use `--skip-secret-access-binding` to prevent the automatic bind
     DESC
 
-    def call
+    def call # rubocop:disable Metrics/MethodLength
       templates = config[:setup_app_templates]
 
       app = cp.fetch_gvc
@@ -24,6 +27,20 @@ module Command
       end
 
       Cpl::Cli.start(["apply-template", *templates, "-a", config.app])
+
+      return if config.options[:skip_secret_access_binding]
+
+      progress.puts
+
+      if cp.fetch_identity(app_identity).nil? || cp.fetch_policy(app_secrets_policy).nil?
+        raise "Can't bind identity to policy: identity '#{app_identity}' or " \
+              "policy '#{app_secrets_policy}' doesn't exist. " \
+              "Please create them or use `--skip-secret-access-binding` to ignore this message."
+      end
+
+      step("Binding identity to policy") do
+        cp.bind_identity_to_policy(app_identity_link, app_secrets_policy)
+      end
     end
   end
 end

data/lib/core/config.rb

@@ -34,10 +34,18 @@ class Config # rubocop:disable Metrics/ClassLength
     @app ||= load_app_from_options || load_app_from_env
   end
 
+  def app_prefix
+    current&.fetch(:name)
+  end
+
   def location
     @location ||= load_location_from_options || load_location_from_env || load_location_from_file
   end
 
+  def domain
+    @domain ||= load_domain_from_options || load_domain_from_file
+  end
+
   def [](key)
     ensure_current_config!
 
@@ -98,6 +106,24 @@ class Config # rubocop:disable Metrics/ClassLength
     end
   end
 
+  def app_matches?(app_name1, app_name2, app_options)
+    app_name1 && app_name2 &&
+      (app_name1.to_s == app_name2.to_s ||
+        (app_options[:match_if_app_name_starts_with] && app_name1.to_s.start_with?(app_name2.to_s))
+      )
+  end
+
+  def find_app_config(app_name1)
+    @app_configs ||= {}
+
+    @app_configs[app_name1] ||= apps.filter_map do |app_name2, app_config|
+                                  next unless app_matches?(app_name1, app_name2, app_config)
+
+                                  app_config[:name] = app_name2
+                                  app_config
+                                end&.last
+  end
+
   private
 
   def ensure_current_config!
@@ -116,20 +142,6 @@ class Config # rubocop:disable Metrics/ClassLength
     raise "Can't find config for app '#{app_name}' in 'controlplane.yml'." unless app_options
   end
 
-  def app_matches?(app_name1, app_name2, app_options)
-    app_name1 && app_name2 &&
-      (app_name1.to_s == app_name2.to_s ||
-        (app_options[:match_if_app_name_starts_with] && app_name1.to_s.start_with?(app_name2.to_s))
-      )
-  end
-
-  def find_app_config(app_name1)
-    @app_configs ||= {}
-    @app_configs[app_name1] ||= apps.find do |app_name2, app_config|
-                                  app_matches?(app_name1, app_name2, app_config)
-                                end&.last
-  end
-
   def ensure_app!
     return if app
 
@@ -253,6 +265,16 @@ class Config # rubocop:disable Metrics/ClassLength
     strip_str_and_validate(current.fetch(:default_location))
   end
 
+  def load_domain_from_options
+    strip_str_and_validate(options[:domain])
+  end
+
+  def load_domain_from_file
+    return unless current&.key?(:default_domain)
+
+    strip_str_and_validate(current.fetch(:default_domain))
+  end
+
   def warn_deprecated_options(app_options)
     deprecated_option_keys = new_option_keys.select { |old_key| app_options.key?(old_key) }
     return if deprecated_option_keys.empty?

data/lib/core/controlplane.rb

@@ -44,12 +44,13 @@ class Controlplane # rubocop:disable Metrics/ClassLength
     api.query_images(org: a_org, gvc: a_gvc, gvc_op_type: gvc_op)
   end
 
-  def image_build(image, dockerfile:, build_args: [], push: true)
+  def image_build(image, dockerfile:, docker_args: [], build_args: [], push: true)
     # https://docs.controlplane.com/guides/push-image#step-2
     # Might need to use `docker buildx build` if compatiblitity issues arise
     cmd = "docker build --platform=linux/amd64 -t #{image} -f #{dockerfile}"
     cmd += " --progress=plain" if ControlplaneApiDirect.trace
 
+    cmd += " #{docker_args.join(' ')}" if docker_args.any?
     build_args.each { |build_arg| cmd += " --build-arg #{build_arg}" }
     cmd += " #{config.app_dir}"
     perform!(cmd)
@@ -264,13 +265,21 @@ class Controlplane # rubocop:disable Metrics/ClassLength
       route = find_domain_route(domain_data)
       next false if route.nil?
 
-      workloads.any? { |workload| route["workloadLink"].split("/").last == workload }
+      workloads.any? { |workload| route["workloadLink"].match?(%r{/org/#{org}/gvc/#{gvc}/workload/#{workload}}) }
     end
   end
 
-  def get_domain_workload(data)
+  def fetch_domain(domain)
+    domain_data = api.fetch_domain(org: org, domain: domain)
+    route = find_domain_route(domain_data)
+    return nil if route.nil?
+
+    domain_data
+  end
+
+  def domain_workload_matches?(data, workload)
     route = find_domain_route(data)
-    route["workloadLink"].split("/").last
+    route["workloadLink"].match?(%r{/org/#{org}/gvc/#{gvc}/workload/#{workload}})
   end
 
   def set_domain_workload(data, workload)
@@ -291,6 +300,24 @@ class Controlplane # rubocop:disable Metrics/ClassLength
     api.log_get(org: org, gvc: gvc, workload: workload, from: from, to: to)
   end
 
+  # identities
+
+  def fetch_identity(identity, a_gvc = gvc)
+    api.fetch_identity(org: org, gvc: a_gvc, identity: identity)
+  end
+
+  # policies
+
+  def fetch_policy(policy)
+    api.fetch_policy(org: org, policy: policy)
+  end
+
+  def bind_identity_to_policy(identity_link, policy)
+    cmd = "cpln policy add-binding #{policy} --org #{org} --identity #{identity_link} --permission reveal"
+    cmd += " > /dev/null" if Shell.should_hide_output?
+    perform!(cmd)
+  end
+
   # apply
   def apply_template(data) # rubocop:disable Metrics/MethodLength
     Tempfile.create do |f|
@@ -308,7 +335,7 @@ class Controlplane # rubocop:disable Metrics/ClassLength
         Shell.debug("CMD", cmd)
 
         result = `#{cmd}`
-        $CHILD_STATUS.success? ? parse_apply_result(result) : exit(false)
+        $CHILD_STATUS.success? ? parse_apply_result(result) : exit(1)
       end
     end
   end
@@ -361,14 +388,14 @@ class Controlplane # rubocop:disable Metrics/ClassLength
   def perform!(cmd, sensitive_data_pattern: nil)
     Shell.debug("CMD", cmd, sensitive_data_pattern: sensitive_data_pattern)
 
-    system(cmd) || exit(false)
+    system(cmd) || exit(1)
   end
 
   def perform_yaml(cmd)
     Shell.debug("CMD", cmd)
 
     result = `#{cmd}`
-    $CHILD_STATUS.success? ? YAML.safe_load(result) : exit(false)
+    $CHILD_STATUS.success? ? YAML.safe_load(result) : exit(1)
   end
 
   def gvc_org

data/lib/core/controlplane_api.rb

@@ -94,6 +94,10 @@ class ControlplaneApi # rubocop:disable Metrics/ClassLength
     api_json("/org/#{org}/gvc/#{gvc}/volumeset/#{volumeset}", method: :delete)
   end
 
+  def fetch_domain(org:, domain:)
+    api_json("/org/#{org}/domain/#{domain}", method: :get)
+  end
+
   def list_domains(org:)
     api_json("/org/#{org}/domain", method: :get)
   end
@@ -102,6 +106,14 @@ class ControlplaneApi # rubocop:disable Metrics/ClassLength
     api_json("/org/#{org}/domain/#{domain}", method: :patch, body: data)
   end
 
+  def fetch_identity(org:, gvc:, identity:)
+    api_json("/org/#{org}/gvc/#{gvc}/identity/#{identity}", method: :get)
+  end
+
+  def fetch_policy(org:, policy:)
+    api_json("/org/#{org}/policy/#{policy}", method: :get)
+  end
+
   private
 
   def fetch_query_pages(result)

data/lib/core/controlplane_api_direct.rb

@@ -16,6 +16,7 @@ class ControlplaneApiDirect
   # ).freeze
 
   API_TOKEN_REGEX = /^[\w\-._]+$/.freeze
+  API_TOKEN_EXPIRY_SECONDS = 300
 
   class << self
     attr_accessor :trace
@@ -26,7 +27,10 @@ class ControlplaneApiDirect
     uri = URI("#{api_host(host)}#{url}")
     request = API_METHODS[method].new(uri)
     request["Content-Type"] = "application/json"
-    request["Authorization"] = api_token
+
+    refresh_api_token if should_refresh_api_token?
+
+    request["Authorization"] = api_token[:token]
     request.body = body.to_json if body
 
     Shell.debug(method.upcase, "#{uri} #{body&.to_json}")
@@ -62,17 +66,41 @@ class ControlplaneApiDirect
   end
 
   # rubocop:disable Style/ClassVars
-  def api_token
+  def api_token # rubocop:disable Metrics/MethodLength
     return @@api_token if defined?(@@api_token)
 
-    @@api_token = ENV.fetch("CPLN_TOKEN", nil)
-    @@api_token = `cpln profile token`.chomp if @@api_token.nil?
-    return @@api_token if @@api_token.match?(API_TOKEN_REGEX)
+    @@api_token = {
+      token: ENV.fetch("CPLN_TOKEN", nil),
+      comes_from_profile: false
+    }
+    if @@api_token[:token].nil?
+      @@api_token = {
+        token: `cpln profile token`.chomp,
+        comes_from_profile: true
+      }
+    end
+    return @@api_token if @@api_token[:token].match?(API_TOKEN_REGEX)
 
     raise "Unknown API token format. " \
           "Please re-run 'cpln profile login' or set the correct CPLN_TOKEN env variable."
   end
 
+  # Returns `true` when the token is about to expire in 5 minutes
+  def should_refresh_api_token?
+    return false unless api_token[:comes_from_profile]
+
+    payload, = JWT.decode(api_token[:token], nil, false)
+    difference_in_seconds = payload["exp"] - Time.now.to_i
+
+    difference_in_seconds <= API_TOKEN_EXPIRY_SECONDS
+  rescue JWT::DecodeError
+    false
+  end
+
+  def refresh_api_token
+    @@api_token[:token] = `cpln profile token`.chomp
+  end
+
   def self.reset_api_token
     remove_class_variable(:@@api_token) if defined?(@@api_token)
   end

data/lib/core/helpers.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require "securerandom"
+
 module Helpers
   def strip_str_and_validate(str)
     return str if str.nil?
@@ -7,4 +9,8 @@ module Helpers
     str = str.strip
     str.empty? ? nil : str
   end
+
+  def random_four_digits
+    SecureRandom.random_number(1000..9999)
+  end
 end

data/lib/cpl/version.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
 module Cpl
-  VERSION = "1.2.0"
+  VERSION = "1.4.0"
   MIN_CPLN_VERSION = "0.0.71"
 end

data/lib/cpl.rb

@@ -1,8 +1,10 @@
 # frozen_string_literal: true
 
+require "date"
 require "dotenv/load"
 require "cgi"
 require "json"
+require "jwt"
 require "net/http"
 require "pathname"
 require "tempfile"
@@ -142,6 +144,7 @@ module Cpl
       requires_args = command_class::REQUIRES_ARGS
       default_args = command_class::DEFAULT_ARGS
       command_options = command_class::OPTIONS + ::Command::Base.common_options
+      accepts_extra_options = command_class::ACCEPTS_EXTRA_OPTIONS
       description = command_class::DESCRIPTION
       long_description = command_class::LONG_DESCRIPTION
       examples = command_class::EXAMPLES
@@ -178,7 +181,9 @@ module Cpl
                  default_args
                end
 
-        raise_args_error.call(args, nil) if (args.empty? && requires_args) || (!args.empty? && !requires_args)
+        if (args.empty? && requires_args) || (!args.empty? && !requires_args && !accepts_extra_options)
+          raise_args_error.call(args, nil)
+        end
 
         begin
           config = Config.new(args, options, required_options)

data/lib/generator_templates/controlplane.yml

@@ -19,10 +19,15 @@ aliases:
     one_off_workload: rails
 
     # Workloads that are for the application itself and are using application Docker images.
+    # These are updated with the new image when running the `deploy-image` command,
+    # and are also used by the `info`, `ps:`, and `run:cleanup` commands in order to get all of the defined workloads.
+    # On the other hand, if you have a workload for Redis, that would NOT use the application Docker image
+    # and not be listed here.
     app_workloads:
       - rails
 
     # Additional "service type" workloads, using non-application Docker images.
+    # These are only used by the `info`, `ps:` and `run:cleanup` commands in order to get all of the defined workloads.
     additional_workloads:
       - postgres
 

data/lib/generator_templates/templates/gvc.yml

@@ -1,15 +1,15 @@
 # Template setup of the GVC, roughly corresponding to a Heroku app
 kind: gvc
-name: APP_GVC
+name: {{APP_NAME}}
 spec:
   # For using templates for test apps, put ENV values here, stored in git repo.
   # Production apps will have values configured manually after app creation.
   env:
     - name: DATABASE_URL
-      # Password does not matter because host postgres.APP_GVC.cpln.local can only be accessed
+      # Password does not matter because host postgres.{{APP_NAME}}.cpln.local can only be accessed
       # locally within CPLN GVC, and postgres running on a CPLN workload is something only for a
       # test app that lacks persistence.
-      value: 'postgres://the_user:the_password@postgres.APP_GVC.cpln.local:5432/APP_GVC'
+      value: 'postgres://the_user:the_password@postgres.{{APP_NAME}}.cpln.local:5432/{{APP_NAME}}'
     - name: RAILS_ENV
       value: production
     - name: RAILS_SERVE_STATIC_FILES
@@ -18,4 +18,4 @@ spec:
   # Part of standard configuration
   staticPlacement:
     locationLinks:
-      - /org/APP_ORG/location/APP_LOCATION
+      - {{APP_LOCATION_LINK}}

data/lib/generator_templates/templates/postgres.yml

@@ -106,7 +106,7 @@ bindings:
 #      - use
 #      - view
     principalLinks:
-      - //gvc/APP_GVC/identity/postgres-poc-identity
+      - //gvc/{{APP_NAME}}/identity/postgres-poc-identity
 targetKind: secret
 targetLinks:
   - //secret/postgres-poc-credentials

data/lib/generator_templates/templates/rails.yml

@@ -14,7 +14,7 @@ spec:
           value: debug
       # Inherit other ENV values from GVC
       inheritEnv: true
-      image: '/org/APP_ORG/image/APP_IMAGE'
+      image: {{APP_IMAGE_LINK}}
       # 512 corresponds to a standard 1x dyno type
       memory: 512Mi
       ports:

data/script/check_cpln_links

@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+
+bad_links=("controlplane.com/shakacode")
+proper_links=("shakacode.controlplane.com")
+
+bold=$(tput bold)
+normal=$(tput sgr0)
+
+exit_status=0
+accumulated_results=""
+seen_bad_links_indexes=()
+
+for ((idx = 0; idx < ${#bad_links[@]}; idx++)); do
+    results=$(git grep \
+        --recursive \
+        --line-number \
+        --fixed-strings \
+        --break \
+        --heading \
+        --color=always -- \
+        "${bad_links[idx]}" \
+        ':!script/check_cpln_links')
+
+    # Line would become really unwieldly if everything was mushed into the
+    # conditional, so let's ignore this check here.
+    # shellcheck disable=SC2181
+    if [ $? -eq 0 ]; then
+        accumulated_results+="$results"
+        seen_bad_links_indexes+=("$idx")
+        exit_status=1
+    fi
+done
+
+if [ "$exit_status" -eq 1 ]; then
+    echo "${bold}[!] Found the following bad links:${normal}"
+    echo ""
+    echo "$accumulated_results"
+    echo ""
+    echo "${bold}[*] Please update accordingly:${normal}"
+    for bad_link_index in "${seen_bad_links_indexes[@]}"; do
+        echo "  ${bad_links[bad_link_index]} -> ${proper_links[bad_link_index]}"
+    done
+fi
+
+exit "$exit_status"

data/templates/daily-task.yml

@@ -18,7 +18,7 @@ spec:
         - rails
         - db:prepare
       inheritEnv: true
-      image: "/org/APP_ORG/image/APP_IMAGE"
+      image: {{APP_IMAGE_LINK}}
   defaultOptions:
     autoscaling:
       minScale: 1
@@ -28,4 +28,5 @@ spec:
     external:
       outboundAllowCIDR:
         - 0.0.0.0/0
-  identityLink: /org/APP_ORG/gvc/APP_GVC/identity/APP_GVC-identity
+  # Identity is used for binding workload to secrets
+  identityLink: {{APP_IDENTITY_LINK}}

data/templates/gvc.yml

@@ -1,13 +1,13 @@
 kind: gvc
-name: APP_GVC
+name: {{APP_NAME}}
 spec:
   env:
     - name: MEMCACHE_SERVERS
-      value: memcached.APP_GVC.cpln.local
+      value: memcached.{{APP_NAME}}.cpln.local
     - name: REDIS_URL
-      value: redis://redis.APP_GVC.cpln.local:6379
+      value: redis://redis.{{APP_NAME}}.cpln.local:6379
     - name: DATABASE_URL
-      value: postgres://postgres:password123@postgres.APP_GVC.cpln.local:5432/APP_GVC
+      value: postgres://postgres:password123@postgres.{{APP_NAME}}.cpln.local:5432/{{APP_NAME}}
   staticPlacement:
     locationLinks:
-      - /org/APP_ORG/location/APP_LOCATION
+      - {{APP_LOCATION_LINK}}

data/templates/identity.yml

@@ -1,2 +1,3 @@
+# Identity is needed to access secrets
 kind: identity
-name: APP_GVC-identity
+name: {{APP_IDENTITY}}