on_container 0.0.9 → 0.0.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 0b3faf030bfb28175d373fcaf06d219b8e89eae377a881e0655b0ea71a4248d9
4
- data.tar.gz: 4b0a1a13bfea4e50a199b92caf15cf8c53361e03f4312057a0c10f7e33fa8e8a
3
+ metadata.gz: e6c46418633fff79b878ba857ac1b36975ec48cf8b267e97a040ea539c303465
4
+ data.tar.gz: 624f71fb481da53a8d7631baaf20b9900c5e9e8a4535ef28bb79bb5b20640bc0
5
5
  SHA512:
6
- metadata.gz: ff47344c4ca8270ffc7b3aebc028aecc7bc1858bcb50016301c65c21e2ec94dfe0b4a334d18e7c4fa5722f319fd14c72808246094d707dcae15c3f5e8625d9e9
7
- data.tar.gz: 166f0b25ea8db2af892eeeabffe15d96419d57688f9f6531d5f6fb88f7b7a9b6551a00e5049264cf6245eff9566bfa270404cd1af58fec6315593cc8b5a8fcb2
6
+ metadata.gz: 4da835630be42d7f2342675fea85adf95407db9d247d8de7c0f229a24d48545af30d4994f9efccc31edea2b5799fd03fb1a5ac420b8d1680714679f5751e5d89
7
+ data.tar.gz: d9d63e78760abd70219f254e5ae7ba7465862037c8fe6792c1807efbb5c300bb513738074bea9bec92c32e4948fef791ef7131856ffaac09781724e76e325f7b
data/README.md CHANGED
@@ -52,7 +52,7 @@ end if command_requires_setup?
52
52
  execute_given_or_default_command
53
53
  ```
54
54
 
55
- ### Loading secrets into environment variables, and inserting credentials into URL environment variables
55
+ ### Loading secrets into environment variables
56
56
 
57
57
  When using Docker Swarm, the secrets are loaded as files mounted into the container's filesystem.
58
58
 
@@ -65,11 +65,58 @@ For our Rails example app, we added the following line to the `config/boot.rb` f
65
65
 
66
66
  ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../Gemfile', __dir__)
67
67
 
68
- require 'on_container/load_env_secrets' # Load secrets injected by Kubernetes/Swarm
69
-
70
68
  require 'bundler/setup' # Set up gems listed in the Gemfile.
71
69
  require 'bootsnap/setup' # Speed up boot time by caching expensive operations.
70
+
71
+ # Load swarm/gcp secrets to ENV:
72
+ require 'on_container/load_env_secrets'
73
+ ```
74
+
75
+ #### Loading Google Cloud Secret Manager secrets into ENV
76
+
77
+ If you require loading YAML data stored at [Google Cloud Secret Manager](https://cloud.google.com/secret-manager),
78
+ you will require the following steps:
79
+
80
+ 1. Install the `google-cloud-secret_manager` gem
81
+
82
+ On your gemfile:
83
+
84
+ ```ruby
85
+ # Read secrets from Google Cloud Secret Manager
86
+ gem 'google-cloud-secret_manager', '~> 1.0'
87
+ ```
88
+
89
+ 2. Require it at `config/boot.rb`
90
+
91
+ On `config/boot`, right before requiring `on_container/load_env_secrets`:
92
+
93
+ ```ruby
94
+ # Require Google Cloud Secret Manager to enable 'on_container/load_env_secrets'
95
+ # loading secrets from GCP to ENV:
96
+ require 'google/cloud/secret_manager'
97
+
98
+ # Load swarm/gcp secrets to ENV:
99
+ require 'on_container/load_env_secrets'
100
+ ```
101
+
102
+ 3. Make sure your app has google cloud credentials configured, and have access
103
+ to the secrets your'e planning to use.
104
+
105
+ 4. Configure any number of environment variables ending with
106
+ `_GOOGLE_CLOUD_SECRET`, each containing the secret you want to load. In the
107
+ following example, the command to deploy an image into Google Cloud Run:
108
+
109
+ ```bash
110
+ gcloud run deploy my-demo-app \
111
+ --platform "managed" \
112
+ --region us-central1 \
113
+ --allow-unauthenticated \
114
+ --set-env-vars A_GOOGLE_CLOUD_SECRET=my-super-secret \
115
+ --set-env-vars ANOTHER_GOOGLE_CLOUD_SECRET=project/another-project/secrets/another-secret/versions/1 \
116
+ --service-account=my-demo-service-account@google-cloud \
117
+ --image gcr.io/my-demo-project/my-demo-app:latest
72
118
  ```
119
+ #### Inserting credentials into URL environment variables
73
120
 
74
121
  The `on_container/load_env_secrets` also merges any credential available in environment variables into any matching
75
122
  `_URL` environment variable. For example, consider the following environment variables:
@@ -96,7 +143,7 @@ To install this gem onto your local machine, run `bundle exec rake install`. To
96
143
 
97
144
  ## Contributing
98
145
 
99
- Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/on_container. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [code of conduct](https://github.com/[USERNAME]/on_container/blob/master/CODE_OF_CONDUCT.md).
146
+ Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/on_container. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [code of conduct](https://github.com/[USERNAME]/on_container/blob/main/CODE_OF_CONDUCT.md).
100
147
 
101
148
 
102
149
  ## License
@@ -105,4 +152,4 @@ The gem is available as open source under the terms of the [MIT License](https:/
105
152
 
106
153
  ## Code of Conduct
107
154
 
108
- Everyone interacting in the OnContainer project's codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/[USERNAME]/on_container/blob/master/CODE_OF_CONDUCT.md).
155
+ Everyone interacting in the OnContainer project's codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/[USERNAME]/on_container/blob/main/CODE_OF_CONDUCT.md).
@@ -0,0 +1,17 @@
1
+ # frozen_string_literal: true
2
+
3
+ module OnContainer
4
+ module Common
5
+ module Performable
6
+ def self.included(base)
7
+ base.extend ClassMethods
8
+ end
9
+
10
+ module ClassMethods
11
+ def perform!(*args, **kargs)
12
+ new(*args, **kargs).perform!
13
+ end
14
+ end
15
+ end
16
+ end
17
+ end
@@ -0,0 +1,26 @@
1
+ # frozen_string_literal: true
2
+
3
+ require 'on_container/common/performable'
4
+
5
+ module OnContainer
6
+ module Common
7
+ module SafePerformable
8
+ def self.included(base)
9
+ base.include OnContainer::Common::Performable
10
+ base.extend ClassMethods
11
+ end
12
+
13
+ def perform(*args, **kargs)
14
+ perform!(*args, **kargs)
15
+ rescue
16
+ false
17
+ end
18
+
19
+ module ClassMethods
20
+ def perform(*args, **kargs)
21
+ new(*args, **kargs).perform
22
+ end
23
+ end
24
+ end
25
+ end
26
+ end
@@ -6,6 +6,10 @@
6
6
  require 'active_support'
7
7
  require 'active_support/core_ext/object'
8
8
 
9
+ # Load secrets from Google Cloud Secret Manager to ENV, if any:
10
+ require 'on_container/secrets/google_cloud/env_loader'
11
+ OnContainer::Secrets::GoogleCloud::EnvLoader.perform!
12
+
9
13
  # Process only a known list of env vars that can filled by reading a file (i.e.
10
14
  # a docker secret):
11
15
  Dir["#{ENV.fetch('SECRETS_PATH', '/run/secrets/')}*"].each do |secret_filepath|
@@ -0,0 +1,37 @@
1
+ # frozen_string_literal: true
2
+
3
+ require "on_container/secrets/google_cloud/fetcher"
4
+
5
+ module OnContainer
6
+ module Secrets
7
+ module GoogleCloud
8
+ class EnvLoader < ServiceBase
9
+ ENV_KEY_SUFIX = '_GOOGLE_CLOUD_SECRET'
10
+
11
+ def env_keys
12
+ @env_keys ||= ENV.keys.select do |key|
13
+ key.end_with?(ENV_KEY_SUFIX)
14
+ end.sort
15
+ end
16
+
17
+ def env_keys?
18
+ env_keys.any?
19
+ end
20
+
21
+ def secret_manager?
22
+ defined?(Google::Cloud::SecretManager) == 'constant'
23
+ end
24
+
25
+ def perform!
26
+ return unless env_keys? && secret_manager?
27
+
28
+ env_keys.each do |key|
29
+ ENV.merge! Fetcher.perform! ENV[key], client: client
30
+ end
31
+
32
+ true
33
+ end
34
+ end
35
+ end
36
+ end
37
+ end
@@ -0,0 +1,62 @@
1
+ # frozen_string_literal: true
2
+
3
+ require 'yaml'
4
+ require 'on_container/secrets/google_cloud/service_base'
5
+
6
+ module OnContainer
7
+ module Secrets
8
+ module GoogleCloud
9
+ class Fetcher < ServiceBase
10
+ PROJECT_PATTERN = %r{\Aprojects\/(\w+)\/.*}.freeze
11
+ SECRET_NAME_PATTERN = %r{secrets\/([\w-]+)\/?}.freeze
12
+ SECRET_VERSION_PATTERN = %r{versions\/(\d+|latest)\z}.freeze
13
+
14
+ attr_reader :project, :secret_name, :secret_version
15
+
16
+ def initialize(given_key, client: nil)
17
+ @client = client
18
+ @project = extract_project given_key
19
+ @secret_version = extract_secret_version given_key
20
+ @secret_name = extract_secret_name given_key
21
+ end
22
+
23
+ def perform!
24
+ # Build the resource name of the secret version.
25
+ name = client.secret_version_path project: @project,
26
+ secret: @secret_name,
27
+ secret_version: @secret_version
28
+
29
+ version = client.access_secret_version name: name
30
+
31
+ YAML.load version.payload.data
32
+ end
33
+
34
+ protected
35
+
36
+ def default_project
37
+ ENV['GOOGLE_CLOUD_PROJECT']
38
+ end
39
+
40
+ def extract_project(given_key)
41
+ match = given_key.match(PROJECT_PATTERN)
42
+ return default_project unless match
43
+
44
+ match.captures.first
45
+ end
46
+
47
+ def extract_secret_version(given_key)
48
+ match = given_key.match(SECRET_VERSION_PATTERN)
49
+ return 'latest' unless match
50
+
51
+ match.captures.first
52
+ end
53
+
54
+ def extract_secret_name(given_key)
55
+ given_key
56
+ .sub("projects/#{@project}/secrets/", '')
57
+ .sub("/versions/#{@secret_version}", '')
58
+ end
59
+ end
60
+ end
61
+ end
62
+ end
@@ -0,0 +1,19 @@
1
+ # frozen_string_literal: true
2
+
3
+ require "on_container/common/safe_performable"
4
+
5
+ module OnContainer
6
+ module Secrets
7
+ module GoogleCloud
8
+ class ServiceBase
9
+ include OnContainer::Common::SafePerformable
10
+
11
+ attr_reader :client
12
+
13
+ def client
14
+ @client ||= Google::Cloud::SecretManager.secret_manager_service
15
+ end
16
+ end
17
+ end
18
+ end
19
+ end
@@ -1,5 +1,5 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  module OnContainer
4
- VERSION = '0.0.9'
4
+ VERSION = '0.0.10'
5
5
  end
@@ -16,7 +16,7 @@ Gem::Specification.new do |spec|
16
16
 
17
17
  spec.metadata['homepage_uri'] = spec.homepage
18
18
  spec.metadata['source_code_uri'] = spec.homepage
19
- spec.metadata['changelog_uri'] = "#{spec.homepage}/blob/master/CHANGELOG.md"
19
+ spec.metadata['changelog_uri'] = "#{spec.homepage}/blob/main/CHANGELOG.md"
20
20
 
21
21
  spec.executables = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
22
22
  spec.files = `git ls-files -- lib/* *.md *.gemspec *.txt Rakefile`.split("\n")
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: on_container
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.0.9
4
+ version: 0.0.10
5
5
  platform: ruby
6
6
  authors:
7
7
  - Roberto Quintanilla
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2020-12-28 00:00:00.000000000 Z
11
+ date: 2021-01-17 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: bundler
@@ -38,6 +38,8 @@ files:
38
38
  - README.md
39
39
  - Rakefile
40
40
  - lib/on_container.rb
41
+ - lib/on_container/common/performable.rb
42
+ - lib/on_container/common/safe_performable.rb
41
43
  - lib/on_container/dev/active_record_ops.rb
42
44
  - lib/on_container/dev/bundler_ops.rb
43
45
  - lib/on_container/dev/container_command_ops.rb
@@ -47,6 +49,9 @@ files:
47
49
  - lib/on_container/dev/setup_ops.rb
48
50
  - lib/on_container/load_env_secrets.rb
49
51
  - lib/on_container/ops/service_connection_checks.rb
52
+ - lib/on_container/secrets/google_cloud/env_loader.rb
53
+ - lib/on_container/secrets/google_cloud/fetcher.rb
54
+ - lib/on_container/secrets/google_cloud/service_base.rb
50
55
  - lib/on_container/version.rb
51
56
  - on_container.gemspec
52
57
  homepage: https://github.com/IcaliaLabs/on-container-for-ruby
@@ -56,7 +61,7 @@ metadata:
56
61
  allowed_push_host: https://rubygems.org
57
62
  homepage_uri: https://github.com/IcaliaLabs/on-container-for-ruby
58
63
  source_code_uri: https://github.com/IcaliaLabs/on-container-for-ruby
59
- changelog_uri: https://github.com/IcaliaLabs/on-container-for-ruby/blob/master/CHANGELOG.md
64
+ changelog_uri: https://github.com/IcaliaLabs/on-container-for-ruby/blob/main/CHANGELOG.md
60
65
  post_install_message:
61
66
  rdoc_options: []
62
67
  require_paths: