on_container 0.0.9 → 0.0.10

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0b3faf030bfb28175d373fcaf06d219b8e89eae377a881e0655b0ea71a4248d9
-  data.tar.gz: 4b0a1a13bfea4e50a199b92caf15cf8c53361e03f4312057a0c10f7e33fa8e8a
+  metadata.gz: e6c46418633fff79b878ba857ac1b36975ec48cf8b267e97a040ea539c303465
+  data.tar.gz: 624f71fb481da53a8d7631baaf20b9900c5e9e8a4535ef28bb79bb5b20640bc0
 SHA512:
-  metadata.gz: ff47344c4ca8270ffc7b3aebc028aecc7bc1858bcb50016301c65c21e2ec94dfe0b4a334d18e7c4fa5722f319fd14c72808246094d707dcae15c3f5e8625d9e9
-  data.tar.gz: 166f0b25ea8db2af892eeeabffe15d96419d57688f9f6531d5f6fb88f7b7a9b6551a00e5049264cf6245eff9566bfa270404cd1af58fec6315593cc8b5a8fcb2
+  metadata.gz: 4da835630be42d7f2342675fea85adf95407db9d247d8de7c0f229a24d48545af30d4994f9efccc31edea2b5799fd03fb1a5ac420b8d1680714679f5751e5d89
+  data.tar.gz: d9d63e78760abd70219f254e5ae7ba7465862037c8fe6792c1807efbb5c300bb513738074bea9bec92c32e4948fef791ef7131856ffaac09781724e76e325f7b

data/README.md

@@ -52,7 +52,7 @@ end if command_requires_setup?
 execute_given_or_default_command
 ```
 
-### Loading secrets into environment variables, and inserting credentials into URL environment variables
+### Loading secrets into environment variables
 
 When using Docker Swarm, the secrets are loaded as files mounted into the container's filesystem.
 
@@ -65,11 +65,58 @@ For our Rails example app, we added the following line to the `config/boot.rb` f
 
 ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../Gemfile', __dir__)
 
-require 'on_container/load_env_secrets' # Load secrets injected by Kubernetes/Swarm
-
 require 'bundler/setup' # Set up gems listed in the Gemfile.
 require 'bootsnap/setup' # Speed up boot time by caching expensive operations.
+
+# Load swarm/gcp secrets to ENV:
+require 'on_container/load_env_secrets'
+```
+
+#### Loading Google Cloud Secret Manager secrets into ENV
+
+If you require loading YAML data stored at [Google Cloud Secret Manager](https://cloud.google.com/secret-manager),
+you will require the following steps:
+
+1. Install the `google-cloud-secret_manager` gem
+
+On your gemfile:
+
+```ruby
+# Read secrets from Google Cloud Secret Manager
+gem 'google-cloud-secret_manager', '~> 1.0'
+```
+
+2. Require it at `config/boot.rb`
+
+On `config/boot`, right before requiring `on_container/load_env_secrets`:
+
+```ruby
+# Require Google Cloud Secret Manager to enable 'on_container/load_env_secrets'
+# loading secrets from GCP to ENV:
+require 'google/cloud/secret_manager'
+
+# Load swarm/gcp secrets to ENV:
+require 'on_container/load_env_secrets'
+```
+
+3. Make sure your app has google cloud credentials configured, and have access
+to the secrets your'e planning to use.
+
+4. Configure any number of environment variables ending with
+`_GOOGLE_CLOUD_SECRET`, each containing the secret you want to load. In the
+following example, the command to deploy an image into Google Cloud Run:
+
+```bash
+gcloud run deploy my-demo-app \
+  --platform "managed" \
+  --region us-central1 \
+  --allow-unauthenticated \
+  --set-env-vars A_GOOGLE_CLOUD_SECRET=my-super-secret \
+  --set-env-vars ANOTHER_GOOGLE_CLOUD_SECRET=project/another-project/secrets/another-secret/versions/1 \
+  --service-account=my-demo-service-account@google-cloud \
+  --image gcr.io/my-demo-project/my-demo-app:latest
 ```
+#### Inserting credentials into URL environment variables
 
 The `on_container/load_env_secrets` also merges any credential available in environment variables into any matching
 `_URL` environment variable. For example, consider the following environment variables:
@@ -96,7 +143,7 @@ To install this gem onto your local machine, run `bundle exec rake install`. To
 
 ## Contributing
 
-Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/on_container. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [code of conduct](https://github.com/[USERNAME]/on_container/blob/master/CODE_OF_CONDUCT.md).
+Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/on_container. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [code of conduct](https://github.com/[USERNAME]/on_container/blob/main/CODE_OF_CONDUCT.md).
 
 
 ## License
@@ -105,4 +152,4 @@ The gem is available as open source under the terms of the [MIT License](https:/
 
 ## Code of Conduct
 
-Everyone interacting in the OnContainer project's codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/[USERNAME]/on_container/blob/master/CODE_OF_CONDUCT.md).
+Everyone interacting in the OnContainer project's codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/[USERNAME]/on_container/blob/main/CODE_OF_CONDUCT.md).

data/lib/on_container/common/performable.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module OnContainer
+  module Common
+    module Performable
+      def self.included(base)
+        base.extend ClassMethods
+      end
+
+      module ClassMethods
+        def perform!(*args, **kargs)
+          new(*args, **kargs).perform!
+        end
+      end
+    end
+  end
+end

data/lib/on_container/common/safe_performable.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+require 'on_container/common/performable'
+
+module OnContainer
+  module Common
+    module SafePerformable
+      def self.included(base)
+        base.include OnContainer::Common::Performable
+        base.extend ClassMethods
+      end
+      
+      def perform(*args, **kargs)
+        perform!(*args, **kargs)
+      rescue
+        false
+      end
+
+      module ClassMethods
+        def perform(*args, **kargs)
+          new(*args, **kargs).perform
+        end
+      end
+    end
+  end
+end

data/lib/on_container/load_env_secrets.rb

@@ -6,6 +6,10 @@
 require 'active_support'
 require 'active_support/core_ext/object'
 
+# Load secrets from Google Cloud Secret Manager to ENV, if any:
+require 'on_container/secrets/google_cloud/env_loader'
+OnContainer::Secrets::GoogleCloud::EnvLoader.perform!
+
 # Process only a known list of env vars that can filled by reading a file (i.e.
 # a docker secret):
 Dir["#{ENV.fetch('SECRETS_PATH', '/run/secrets/')}*"].each do |secret_filepath|

data/lib/on_container/secrets/google_cloud/env_loader.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+require "on_container/secrets/google_cloud/fetcher"
+
+module OnContainer
+  module Secrets
+    module GoogleCloud
+      class EnvLoader < ServiceBase
+        ENV_KEY_SUFIX = '_GOOGLE_CLOUD_SECRET'
+    
+        def env_keys
+          @env_keys ||= ENV.keys.select do |key|
+            key.end_with?(ENV_KEY_SUFIX)
+          end.sort
+        end
+    
+        def env_keys?
+          env_keys.any?
+        end
+    
+        def secret_manager?
+          defined?(Google::Cloud::SecretManager) == 'constant'
+        end
+    
+        def perform!
+          return unless env_keys? && secret_manager?
+    
+          env_keys.each do |key|
+            ENV.merge! Fetcher.perform! ENV[key], client: client
+          end
+    
+          true
+        end
+      end
+    end
+  end
+end

data/lib/on_container/secrets/google_cloud/fetcher.rb

@@ -0,0 +1,62 @@
+# frozen_string_literal: true
+
+require 'yaml'
+require 'on_container/secrets/google_cloud/service_base'
+
+module OnContainer
+  module Secrets
+    module GoogleCloud
+      class Fetcher < ServiceBase
+        PROJECT_PATTERN = %r{\Aprojects\/(\w+)\/.*}.freeze
+        SECRET_NAME_PATTERN = %r{secrets\/([\w-]+)\/?}.freeze
+        SECRET_VERSION_PATTERN = %r{versions\/(\d+|latest)\z}.freeze
+        
+        attr_reader :project, :secret_name, :secret_version
+    
+        def initialize(given_key, client: nil)
+          @client = client
+          @project = extract_project given_key
+          @secret_version = extract_secret_version given_key
+          @secret_name = extract_secret_name given_key
+        end
+    
+        def perform!
+          # Build the resource name of the secret version.
+          name = client.secret_version_path project:        @project,
+                                            secret:         @secret_name,
+                                            secret_version: @secret_version
+      
+          version = client.access_secret_version name: name
+      
+          YAML.load version.payload.data
+        end
+    
+        protected
+    
+        def default_project
+          ENV['GOOGLE_CLOUD_PROJECT']
+        end
+    
+        def extract_project(given_key)
+          match = given_key.match(PROJECT_PATTERN)
+          return default_project unless match
+    
+          match.captures.first
+        end
+    
+        def extract_secret_version(given_key)
+          match = given_key.match(SECRET_VERSION_PATTERN)
+          return 'latest' unless match
+    
+          match.captures.first
+        end
+    
+        def extract_secret_name(given_key)
+          given_key
+            .sub("projects/#{@project}/secrets/", '')
+            .sub("/versions/#{@secret_version}", '')
+        end
+      end
+    end
+  end
+end

data/lib/on_container/secrets/google_cloud/service_base.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+require "on_container/common/safe_performable"
+
+module OnContainer
+  module Secrets
+    module GoogleCloud
+      class ServiceBase
+        include OnContainer::Common::SafePerformable
+        
+        attr_reader :client
+    
+        def client
+          @client ||= Google::Cloud::SecretManager.secret_manager_service
+        end
+      end
+    end
+  end
+end

data/lib/on_container/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module OnContainer
-  VERSION = '0.0.9'
+  VERSION = '0.0.10'
 end

data/on_container.gemspec

@@ -16,7 +16,7 @@ Gem::Specification.new do |spec|
 
   spec.metadata['homepage_uri']    = spec.homepage
   spec.metadata['source_code_uri'] = spec.homepage
-  spec.metadata['changelog_uri']   = "#{spec.homepage}/blob/master/CHANGELOG.md"
+  spec.metadata['changelog_uri']   = "#{spec.homepage}/blob/main/CHANGELOG.md"
 
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.files         = `git ls-files -- lib/* *.md *.gemspec *.txt Rakefile`.split("\n")

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: on_container
 version: !ruby/object:Gem::Version
-  version: 0.0.9
+  version: 0.0.10
 platform: ruby
 authors:
 - Roberto Quintanilla
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2020-12-28 00:00:00.000000000 Z
+date: 2021-01-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -38,6 +38,8 @@ files:
 - README.md
 - Rakefile
 - lib/on_container.rb
+- lib/on_container/common/performable.rb
+- lib/on_container/common/safe_performable.rb
 - lib/on_container/dev/active_record_ops.rb
 - lib/on_container/dev/bundler_ops.rb
 - lib/on_container/dev/container_command_ops.rb
@@ -47,6 +49,9 @@ files:
 - lib/on_container/dev/setup_ops.rb
 - lib/on_container/load_env_secrets.rb
 - lib/on_container/ops/service_connection_checks.rb
+- lib/on_container/secrets/google_cloud/env_loader.rb
+- lib/on_container/secrets/google_cloud/fetcher.rb
+- lib/on_container/secrets/google_cloud/service_base.rb
 - lib/on_container/version.rb
 - on_container.gemspec
 homepage: https://github.com/IcaliaLabs/on-container-for-ruby
@@ -56,7 +61,7 @@ metadata:
   allowed_push_host: https://rubygems.org
   homepage_uri: https://github.com/IcaliaLabs/on-container-for-ruby
   source_code_uri: https://github.com/IcaliaLabs/on-container-for-ruby
-  changelog_uri: https://github.com/IcaliaLabs/on-container-for-ruby/blob/master/CHANGELOG.md
+  changelog_uri: https://github.com/IcaliaLabs/on-container-for-ruby/blob/main/CHANGELOG.md
 post_install_message: 
 rdoc_options: []
 require_paths: