on_container 0.0.6 → 0.0.11

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 54acf33df99c8d0323a3a2878ac9072c31c7c4a2
-  data.tar.gz: a88bcc23ee64939e3c6b07456857d3e05e9fdc3e
+SHA256:
+  metadata.gz: 819d1f5a057f277e3b816eedd99435c9816b6d1ec6ff2e79e2d90798b5b74648
+  data.tar.gz: 163f0552ec15c2b0199934ec81313d8708877339e20504c427f270e228ecc94b
 SHA512:
-  metadata.gz: 4cf35805030790922726531669e44e90a425b83b9053215b4c8ea3d9dac8694e1b528b948471c21800bdc4eebf75e404cb6d2d46f50d8b7d0cbe9da6e4d0991e
-  data.tar.gz: 2e4a92754340093502d2f543fd465d980919cf24862aed26cab16199eeb063920968c509df77eada10cc4a65ec217700f45f854c86e4ab2e086f7d1c8d7656ae
+  metadata.gz: 16c10e11aa18e20cd8fb02ee53018f5477c1ec661ef6c43329b6c0a74814d0bb7b00f785c9966f2006670e0c73858c36d719ff5177ece9b35fb54fbc33743808
+  data.tar.gz: 900379b6246d9d44f301a81213e965feec8cb1235bd514fc9235b3e5fd5dc97b5f91399f25b18ac7efd0596e9a15e878766f85726e98040b30a688e80f0519db

data/README.md

@@ -22,7 +22,118 @@ Or install it yourself as:
 
 ## Usage
 
-TODO: Write usage instructions here
+### Development Routines & Docker Entrypoint Scripts
+
+We use some routines included in this gem to create compelling development entrypoint scripts for docker development containers.
+
+In this example, we'll be using the `on_container/dev/rails` routine bundle to create our dev entrypoint:
+
+```ruby
+#!/usr/bin/env ruby
+
+# frozen_string_literal: true
+
+require 'on_container/dev/rails'
+
+set_given_or_default_command
+
+# `on_setup_lock_acquired` prevents multiple app containers from running
+# the setup process concurrently:
+on_setup_lock_acquired do
+  ensure_project_gems_are_installed
+  ensure_project_node_packages_are_installed
+
+  wait_for_service_to_accept_connections 'tcp://postgres:5432'
+  setup_activerecord_database unless activerecord_database_ready?
+
+  remove_rails_pidfile if rails_server?
+end if command_requires_setup?
+
+execute_given_or_default_command
+```
+
+### Loading secrets into environment variables
+
+When using Docker Swarm, the secrets are loaded as files mounted into the container's filesystem.
+
+The `on_container/load_env_secrets` runs a couple of routines that reads these files into environment variables.
+
+For our Rails example app, we added the following line to the `config/boot.rb` file:
+
+```ruby
+# frozen_string_literal: true
+
+ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../Gemfile', __dir__)
+
+require 'bundler/setup' # Set up gems listed in the Gemfile.
+require 'bootsnap/setup' # Speed up boot time by caching expensive operations.
+
+# Load swarm/gcp secrets to ENV:
+require 'on_container/load_env_secrets'
+```
+
+#### Loading Google Cloud Secret Manager secrets into ENV
+
+If you require loading YAML data stored at [Google Cloud Secret Manager](https://cloud.google.com/secret-manager),
+you will require the following steps:
+
+1. Install the `google-cloud-secret_manager` gem
+
+On your gemfile:
+
+```ruby
+# Read secrets from Google Cloud Secret Manager
+gem 'google-cloud-secret_manager', '~> 1.0'
+```
+
+2. Require it at `config/boot.rb`
+
+On `config/boot`, right before requiring `on_container/load_env_secrets`:
+
+```ruby
+# Require Google Cloud Secret Manager to enable 'on_container/load_env_secrets'
+# loading secrets from GCP to ENV:
+require 'google/cloud/secret_manager'
+
+# Load swarm/gcp secrets to ENV:
+require 'on_container/load_env_secrets'
+```
+
+3. Make sure your app has google cloud credentials configured, and have access
+to the secrets your'e planning to use.
+
+4. Configure any number of environment variables ending with
+`_GOOGLE_CLOUD_SECRET`, each containing the secret you want to load. In the
+following example, the command to deploy an image into Google Cloud Run:
+
+```bash
+gcloud run deploy my-demo-app \
+  --platform "managed" \
+  --region us-central1 \
+  --allow-unauthenticated \
+  --set-env-vars A_GOOGLE_CLOUD_SECRET=my-super-secret \
+  --set-env-vars ANOTHER_GOOGLE_CLOUD_SECRET=project/another-project/secrets/another-secret/versions/1 \
+  --service-account=my-demo-service-account@google-cloud \
+  --image gcr.io/my-demo-project/my-demo-app:latest
+```
+#### Inserting credentials into URL environment variables
+
+The `on_container/load_env_secrets` also merges any credential available in environment variables into any matching
+`_URL` environment variable. For example, consider the following environment variables:
+
+```shell
+DATABASE_URL=postgres://postgres:5432/?encoding=unicode
+DATABASE_USER=postgres
+DATABASE_PASS=3x4mpl3P455w0rd
+```
+
+The routine will merge `DATABASE_USER` and `DATABASE_PASS` into `DATABASE_URL`:
+
+```ruby
+puts ENV['DATABASE_URL']
+> postgres://postgres:3x4mpl3P455w0rd@postgres:5432/?encoding=unicode
+```
+
 
 ## Development
 
@@ -32,7 +143,7 @@ To install this gem onto your local machine, run `bundle exec rake install`. To
 
 ## Contributing
 
-Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/on_container. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [code of conduct](https://github.com/[USERNAME]/on_container/blob/master/CODE_OF_CONDUCT.md).
+Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/on_container. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [code of conduct](https://github.com/[USERNAME]/on_container/blob/main/CODE_OF_CONDUCT.md).
 
 
 ## License
@@ -41,4 +152,4 @@ The gem is available as open source under the terms of the [MIT License](https:/
 
 ## Code of Conduct
 
-Everyone interacting in the OnContainer project's codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/[USERNAME]/on_container/blob/master/CODE_OF_CONDUCT.md).
+Everyone interacting in the OnContainer project's codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/[USERNAME]/on_container/blob/main/CODE_OF_CONDUCT.md).

data/lib/on_container/common/performable.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module OnContainer
+  module Common
+    module Performable
+      def self.included(base)
+        base.extend ClassMethods
+      end
+
+      module ClassMethods
+        def perform!(*args, **kargs)
+          new(*args, **kargs).perform!
+        end
+      end
+    end
+  end
+end

data/lib/on_container/common/safe_performable.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+require 'on_container/common/performable'
+
+module OnContainer
+  module Common
+    module SafePerformable
+      def self.included(base)
+        base.include OnContainer::Common::Performable
+        base.extend ClassMethods
+      end
+      
+      def perform(*args, **kargs)
+        perform!(*args, **kargs)
+      rescue
+        false
+      end
+
+      module ClassMethods
+        def perform(*args, **kargs)
+          new(*args, **kargs).perform
+        end
+      end
+    end
+  end
+end

data/lib/on_container/dev/active_record_ops.rb

@@ -26,15 +26,7 @@ module OnContainer
       end
       
       def establish_activerecord_database_connection
-        unless defined?(ActiveRecord)
-          require 'rubygems'
-          require 'bundler'
-
-          Bundler.setup(:default)
-
-          require 'active_record'
-        end
-
+        require 'active_record' unless defined?(ActiveRecord)
         ActiveRecord::Base.establish_connection activerecord_config
         ActiveRecord::Base.connection_pool.with_connection { |connection| }
       end

data/lib/on_container/load_env_secrets.rb

@@ -6,12 +6,16 @@
 require 'active_support'
 require 'active_support/core_ext/object'
 
+# Load secrets from Google Cloud Secret Manager to ENV, if any:
+require 'on_container/secrets/google_cloud/env_loader'
+OnContainer::Secrets::GoogleCloud::EnvLoader.perform!
+
 # Process only a known list of env vars that can filled by reading a file (i.e.
 # a docker secret):
-Dir["#{ENV.fetch('SECRETS_PATH', '/run/secrets/')}*"].each do |secret_filepath|
-  next unless File.file?(secret_filepath)
-
-  secret_envvarname = File.basename(secret_filepath, '.*').upcase
+Dir["#{ENV.fetch('SECRETS_PATH', '/run/secrets')}/**/*"].map do |path|
+  Pathname.new(path)
+end.select(&:file?).each do |secret_filepath|
+  secret_envvarname = secret_filepath.basename('.*').to_s.upcase
 
   # Skip if variable is already set - already-set variables have precedence over
   # the secret files:
@@ -39,12 +43,16 @@ url_keys.each do |url_key|
   next unless credential_keys.any?
 
   uri = URI(ENV[url_key])
-  username = URI.encode_www_form_component ENV[credential_keys.detect { |key| key =~ /USER/ }]
-  password = URI.encode_www_form_component ENV[credential_keys.detect { |key| key =~ /PASS/ }]
 
-  uri.user = username if username
-  uri.password = password if password
+  credential_keys.each do |credential_key|
+    credential_value = URI.encode_www_form_component ENV[credential_key]
+    case credential_key
+    when /USER/ then uri.user = credential_value
+    when /PASS/ then uri.password = credential_value
+    end
+  end
+
   ENV[url_key] = uri.to_s
 end
 
-# STDERR.puts ENV.inspect
+# STDERR.puts ENV.inspect

data/lib/on_container/secrets/google_cloud/env_loader.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+require "on_container/secrets/google_cloud/fetcher"
+
+module OnContainer
+  module Secrets
+    module GoogleCloud
+      class EnvLoader < ServiceBase
+        ENV_KEY_SUFIX = '_GOOGLE_CLOUD_SECRET'
+    
+        def env_keys
+          @env_keys ||= ENV.keys.select do |key|
+            key.end_with?(ENV_KEY_SUFIX)
+          end.sort
+        end
+    
+        def env_keys?
+          env_keys.any?
+        end
+    
+        def secret_manager?
+          defined?(Google::Cloud::SecretManager) == 'constant'
+        end
+    
+        def perform!
+          return unless env_keys? && secret_manager?
+    
+          env_keys.each do |key|
+            ENV.merge! Fetcher.perform! ENV[key], client: client
+          end
+    
+          true
+        end
+      end
+    end
+  end
+end

data/lib/on_container/secrets/google_cloud/fetcher.rb

@@ -0,0 +1,62 @@
+# frozen_string_literal: true
+
+require 'yaml'
+require 'on_container/secrets/google_cloud/service_base'
+
+module OnContainer
+  module Secrets
+    module GoogleCloud
+      class Fetcher < ServiceBase
+        PROJECT_PATTERN = %r{\Aprojects\/(\w+)\/.*}.freeze
+        SECRET_NAME_PATTERN = %r{secrets\/([\w-]+)\/?}.freeze
+        SECRET_VERSION_PATTERN = %r{versions\/(\d+|latest)\z}.freeze
+        
+        attr_reader :project, :secret_name, :secret_version
+    
+        def initialize(given_key, client: nil)
+          @client = client
+          @project = extract_project given_key
+          @secret_version = extract_secret_version given_key
+          @secret_name = extract_secret_name given_key
+        end
+    
+        def perform!
+          # Build the resource name of the secret version.
+          name = client.secret_version_path project:        @project,
+                                            secret:         @secret_name,
+                                            secret_version: @secret_version
+      
+          version = client.access_secret_version name: name
+      
+          YAML.load version.payload.data
+        end
+    
+        protected
+    
+        def default_project
+          ENV['GOOGLE_CLOUD_PROJECT']
+        end
+    
+        def extract_project(given_key)
+          match = given_key.match(PROJECT_PATTERN)
+          return default_project unless match
+    
+          match.captures.first
+        end
+    
+        def extract_secret_version(given_key)
+          match = given_key.match(SECRET_VERSION_PATTERN)
+          return 'latest' unless match
+    
+          match.captures.first
+        end
+    
+        def extract_secret_name(given_key)
+          given_key
+            .sub("projects/#{@project}/secrets/", '')
+            .sub("/versions/#{@secret_version}", '')
+        end
+      end
+    end
+  end
+end

data/lib/on_container/secrets/google_cloud/service_base.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+require "on_container/common/safe_performable"
+
+module OnContainer
+  module Secrets
+    module GoogleCloud
+      class ServiceBase
+        include OnContainer::Common::SafePerformable
+        
+        attr_reader :client
+    
+        def client
+          @client ||= Google::Cloud::SecretManager.secret_manager_service
+        end
+      end
+    end
+  end
+end

data/lib/on_container/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module OnContainer
-  VERSION = '0.0.6'
+  VERSION = '0.0.11'
 end

data/on_container.gemspec

@@ -16,7 +16,7 @@ Gem::Specification.new do |spec|
 
   spec.metadata['homepage_uri']    = spec.homepage
   spec.metadata['source_code_uri'] = spec.homepage
-  spec.metadata['changelog_uri']   = "#{spec.homepage}/blob/master/CHANGELOG.md"
+  spec.metadata['changelog_uri']   = "#{spec.homepage}/blob/main/CHANGELOG.md"
 
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.files         = `git ls-files -- lib/* *.md *.gemspec *.txt Rakefile`.split("\n")
@@ -24,5 +24,5 @@ Gem::Specification.new do |spec|
   spec.bindir        = 'exe'
   spec.require_paths = ['lib']
 
-  spec.add_development_dependency 'bundler', '~> 1.17'
+  spec.add_development_dependency 'bundler', '~> 2.1'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: on_container
 version: !ruby/object:Gem::Version
-  version: 0.0.6
+  version: 0.0.11
 platform: ruby
 authors:
 - Roberto Quintanilla
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2020-11-28 00:00:00.000000000 Z
+date: 2021-02-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.17'
+        version: '2.1'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.17'
+        version: '2.1'
 description: A small collection of scripts and routines to help ruby development within
   containers
 email:
@@ -38,6 +38,8 @@ files:
 - README.md
 - Rakefile
 - lib/on_container.rb
+- lib/on_container/common/performable.rb
+- lib/on_container/common/safe_performable.rb
 - lib/on_container/dev/active_record_ops.rb
 - lib/on_container/dev/bundler_ops.rb
 - lib/on_container/dev/container_command_ops.rb
@@ -47,12 +49,11 @@ files:
 - lib/on_container/dev/setup_ops.rb
 - lib/on_container/load_env_secrets.rb
 - lib/on_container/ops/service_connection_checks.rb
-- lib/on_container/step_down_from_root.rb
+- lib/on_container/secrets/google_cloud/env_loader.rb
+- lib/on_container/secrets/google_cloud/fetcher.rb
+- lib/on_container/secrets/google_cloud/service_base.rb
 - lib/on_container/version.rb
 - on_container.gemspec
-- spec/on_container_spec.rb
-- spec/spec_helper.rb
-- spec/step_down_from_root_spec.rb
 homepage: https://github.com/IcaliaLabs/on-container-for-ruby
 licenses:
 - MIT
@@ -60,7 +61,7 @@ metadata:
   allowed_push_host: https://rubygems.org
   homepage_uri: https://github.com/IcaliaLabs/on-container-for-ruby
   source_code_uri: https://github.com/IcaliaLabs/on-container-for-ruby
-  changelog_uri: https://github.com/IcaliaLabs/on-container-for-ruby/blob/master/CHANGELOG.md
+  changelog_uri: https://github.com/IcaliaLabs/on-container-for-ruby/blob/main/CHANGELOG.md
 post_install_message: 
 rdoc_options: []
 require_paths:
@@ -76,13 +77,9 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.5.2.3
+rubygems_version: 3.1.4
 signing_key: 
 specification_version: 4
 summary: A small collection of scripts and routines to help ruby development within
   containers
-test_files:
-- spec/on_container_spec.rb
-- spec/spec_helper.rb
-- spec/step_down_from_root_spec.rb
+test_files: []

data/lib/on_container/step_down_from_root.rb

@@ -1,55 +0,0 @@
-# frozen_string_literal: true
-
-require 'etc'
-
-module OnContainer
-  class StepDownFromRoot
-    attr_reader :curent_user, :target_user
-    
-    def initialize
-      @curent_user = Etc.getpwuid
-    end
-
-    def target_user
-      @target_user ||= Etc.getpwuid(developer_uid)
-    end
-
-    def perform
-      return unless root_user?
-      return warn_no_developer_uid unless developer_uid?
-
-      switch_to_developer_user
-    end
-
-    def root_user?
-      curent_user.name == 'root'
-    end
-
-    def developer_uid?
-      developer_uid > 0
-    end
-
-    def developer_uid
-      @developer_uid ||= ENV.fetch('DEVELOPER_UID', '').to_i
-    end
-
-    protected
-
-    def switch_to_developer_user
-      target_user_name = target_user.name
-      puts "Switching from 'root' user to '#{target_user_name}'..."
-      Kernel.exec 'su-exec', target_user_name, $0, *$*
-    end
-
-    def warn_no_developer_uid
-      puts "The 'DEVELOPER_UID' environment variable is not set... " \
-           'still running as root!'
-    end
-
-    def self.perform
-      new.perform
-    end
-  end
-end
-
-OnContainer::StepDownFromRoot.perform

data/spec/on_container_spec.rb

@@ -1,5 +0,0 @@
-RSpec.describe OnContainer do
-  it "has a version number" do
-    expect(OnContainer::VERSION).not_to be nil
-  end
-end

data/spec/spec_helper.rb

@@ -1,14 +0,0 @@
-require "bundler/setup"
-require "on_container"
-
-RSpec.configure do |config|
-  # Enable flags like --only-failures and --next-failure
-  config.example_status_persistence_file_path = ".rspec_status"
-
-  # Disable RSpec exposing methods globally on `Module` and `main`
-  config.disable_monkey_patching!
-
-  config.expect_with :rspec do |c|
-    c.syntax = :expect
-  end
-end

data/spec/step_down_from_root_spec.rb

@@ -1,63 +0,0 @@
-# frozen_string_literal: true
-
-require 'on_container/step_down_from_root'
-
-RSpec.describe OnContainer::StepDownFromRoot do
-  let(:root_user) do
-    instance_double "struct Etc::Passwd",
-                    name: 'root',
-                    passwd: 'x',
-                    uid: 0,
-                    gid: 0,
-                    gecos: 'root',
-                    dir: '/root',
-                    shell: '/bin/bash'
-  end
-
-  let(:developer_user) do
-    instance_double "struct Etc::Passwd",
-                    name: 'developer',
-                    passwd: 'x',
-                    uid: 1000,
-                    gid: 1000,
-                    gecos: 'Developer User,,,',
-                    dir: '/usr/src',
-                    shell: '/bin/bash'
-  end
-
-  let(:example_current_user) { root_user }
-  let(:example_target_user) { developer_user }
-  let(:example_developer_uid) { '1000' }
-
-  before do
-    allow(ENV).to receive(:fetch).with('DEVELOPER_UID', '') { example_developer_uid }
-    allow(Etc).to receive(:getpwuid) { example_current_user }
-    allow(Etc).to receive(:getpwuid).with(example_target_user.uid) { example_target_user }
-    allow(Kernel).to receive(:exec).with('su-exec', example_target_user.name, any_args)
-  end
-
-  describe '#perform' do
-    it 'changes to the target user' do
-      subject.perform
-      expect(Kernel).to have_received(:exec).with 'su-exec', example_target_user.name, any_args
-    end
-
-    context 'without a developer uid' do
-      let(:example_developer_uid) { '' }
-      
-      example 'does not change the current user' do
-        subject.perform
-        expect(Kernel).not_to have_received(:exec)
-      end
-    end
-
-    context 'when not as root' do
-      let(:example_current_user) { developer_user }
-      
-      example 'does not change the current user' do
-        subject.perform
-        expect(Kernel).not_to have_received(:exec)
-      end
-    end
-  end
-end