on_container 0.0.9 → 0.0.10
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/README.md +52 -5
- data/lib/on_container/common/performable.rb +17 -0
- data/lib/on_container/common/safe_performable.rb +26 -0
- data/lib/on_container/load_env_secrets.rb +4 -0
- data/lib/on_container/secrets/google_cloud/env_loader.rb +37 -0
- data/lib/on_container/secrets/google_cloud/fetcher.rb +62 -0
- data/lib/on_container/secrets/google_cloud/service_base.rb +19 -0
- data/lib/on_container/version.rb +1 -1
- data/on_container.gemspec +1 -1
- metadata +8 -3
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: e6c46418633fff79b878ba857ac1b36975ec48cf8b267e97a040ea539c303465
|
4
|
+
data.tar.gz: 624f71fb481da53a8d7631baaf20b9900c5e9e8a4535ef28bb79bb5b20640bc0
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 4da835630be42d7f2342675fea85adf95407db9d247d8de7c0f229a24d48545af30d4994f9efccc31edea2b5799fd03fb1a5ac420b8d1680714679f5751e5d89
|
7
|
+
data.tar.gz: d9d63e78760abd70219f254e5ae7ba7465862037c8fe6792c1807efbb5c300bb513738074bea9bec92c32e4948fef791ef7131856ffaac09781724e76e325f7b
|
data/README.md
CHANGED
@@ -52,7 +52,7 @@ end if command_requires_setup?
|
|
52
52
|
execute_given_or_default_command
|
53
53
|
```
|
54
54
|
|
55
|
-
### Loading secrets into environment variables
|
55
|
+
### Loading secrets into environment variables
|
56
56
|
|
57
57
|
When using Docker Swarm, the secrets are loaded as files mounted into the container's filesystem.
|
58
58
|
|
@@ -65,11 +65,58 @@ For our Rails example app, we added the following line to the `config/boot.rb` f
|
|
65
65
|
|
66
66
|
ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../Gemfile', __dir__)
|
67
67
|
|
68
|
-
require 'on_container/load_env_secrets' # Load secrets injected by Kubernetes/Swarm
|
69
|
-
|
70
68
|
require 'bundler/setup' # Set up gems listed in the Gemfile.
|
71
69
|
require 'bootsnap/setup' # Speed up boot time by caching expensive operations.
|
70
|
+
|
71
|
+
# Load swarm/gcp secrets to ENV:
|
72
|
+
require 'on_container/load_env_secrets'
|
73
|
+
```
|
74
|
+
|
75
|
+
#### Loading Google Cloud Secret Manager secrets into ENV
|
76
|
+
|
77
|
+
If you require loading YAML data stored at [Google Cloud Secret Manager](https://cloud.google.com/secret-manager),
|
78
|
+
you will require the following steps:
|
79
|
+
|
80
|
+
1. Install the `google-cloud-secret_manager` gem
|
81
|
+
|
82
|
+
On your gemfile:
|
83
|
+
|
84
|
+
```ruby
|
85
|
+
# Read secrets from Google Cloud Secret Manager
|
86
|
+
gem 'google-cloud-secret_manager', '~> 1.0'
|
87
|
+
```
|
88
|
+
|
89
|
+
2. Require it at `config/boot.rb`
|
90
|
+
|
91
|
+
On `config/boot`, right before requiring `on_container/load_env_secrets`:
|
92
|
+
|
93
|
+
```ruby
|
94
|
+
# Require Google Cloud Secret Manager to enable 'on_container/load_env_secrets'
|
95
|
+
# loading secrets from GCP to ENV:
|
96
|
+
require 'google/cloud/secret_manager'
|
97
|
+
|
98
|
+
# Load swarm/gcp secrets to ENV:
|
99
|
+
require 'on_container/load_env_secrets'
|
100
|
+
```
|
101
|
+
|
102
|
+
3. Make sure your app has google cloud credentials configured, and have access
|
103
|
+
to the secrets your'e planning to use.
|
104
|
+
|
105
|
+
4. Configure any number of environment variables ending with
|
106
|
+
`_GOOGLE_CLOUD_SECRET`, each containing the secret you want to load. In the
|
107
|
+
following example, the command to deploy an image into Google Cloud Run:
|
108
|
+
|
109
|
+
```bash
|
110
|
+
gcloud run deploy my-demo-app \
|
111
|
+
--platform "managed" \
|
112
|
+
--region us-central1 \
|
113
|
+
--allow-unauthenticated \
|
114
|
+
--set-env-vars A_GOOGLE_CLOUD_SECRET=my-super-secret \
|
115
|
+
--set-env-vars ANOTHER_GOOGLE_CLOUD_SECRET=project/another-project/secrets/another-secret/versions/1 \
|
116
|
+
--service-account=my-demo-service-account@google-cloud \
|
117
|
+
--image gcr.io/my-demo-project/my-demo-app:latest
|
72
118
|
```
|
119
|
+
#### Inserting credentials into URL environment variables
|
73
120
|
|
74
121
|
The `on_container/load_env_secrets` also merges any credential available in environment variables into any matching
|
75
122
|
`_URL` environment variable. For example, consider the following environment variables:
|
@@ -96,7 +143,7 @@ To install this gem onto your local machine, run `bundle exec rake install`. To
|
|
96
143
|
|
97
144
|
## Contributing
|
98
145
|
|
99
|
-
Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/on_container. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [code of conduct](https://github.com/[USERNAME]/on_container/blob/
|
146
|
+
Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/on_container. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [code of conduct](https://github.com/[USERNAME]/on_container/blob/main/CODE_OF_CONDUCT.md).
|
100
147
|
|
101
148
|
|
102
149
|
## License
|
@@ -105,4 +152,4 @@ The gem is available as open source under the terms of the [MIT License](https:/
|
|
105
152
|
|
106
153
|
## Code of Conduct
|
107
154
|
|
108
|
-
Everyone interacting in the OnContainer project's codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/[USERNAME]/on_container/blob/
|
155
|
+
Everyone interacting in the OnContainer project's codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/[USERNAME]/on_container/blob/main/CODE_OF_CONDUCT.md).
|
@@ -0,0 +1,17 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
module OnContainer
|
4
|
+
module Common
|
5
|
+
module Performable
|
6
|
+
def self.included(base)
|
7
|
+
base.extend ClassMethods
|
8
|
+
end
|
9
|
+
|
10
|
+
module ClassMethods
|
11
|
+
def perform!(*args, **kargs)
|
12
|
+
new(*args, **kargs).perform!
|
13
|
+
end
|
14
|
+
end
|
15
|
+
end
|
16
|
+
end
|
17
|
+
end
|
@@ -0,0 +1,26 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
require 'on_container/common/performable'
|
4
|
+
|
5
|
+
module OnContainer
|
6
|
+
module Common
|
7
|
+
module SafePerformable
|
8
|
+
def self.included(base)
|
9
|
+
base.include OnContainer::Common::Performable
|
10
|
+
base.extend ClassMethods
|
11
|
+
end
|
12
|
+
|
13
|
+
def perform(*args, **kargs)
|
14
|
+
perform!(*args, **kargs)
|
15
|
+
rescue
|
16
|
+
false
|
17
|
+
end
|
18
|
+
|
19
|
+
module ClassMethods
|
20
|
+
def perform(*args, **kargs)
|
21
|
+
new(*args, **kargs).perform
|
22
|
+
end
|
23
|
+
end
|
24
|
+
end
|
25
|
+
end
|
26
|
+
end
|
@@ -6,6 +6,10 @@
|
|
6
6
|
require 'active_support'
|
7
7
|
require 'active_support/core_ext/object'
|
8
8
|
|
9
|
+
# Load secrets from Google Cloud Secret Manager to ENV, if any:
|
10
|
+
require 'on_container/secrets/google_cloud/env_loader'
|
11
|
+
OnContainer::Secrets::GoogleCloud::EnvLoader.perform!
|
12
|
+
|
9
13
|
# Process only a known list of env vars that can filled by reading a file (i.e.
|
10
14
|
# a docker secret):
|
11
15
|
Dir["#{ENV.fetch('SECRETS_PATH', '/run/secrets/')}*"].each do |secret_filepath|
|
@@ -0,0 +1,37 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
require "on_container/secrets/google_cloud/fetcher"
|
4
|
+
|
5
|
+
module OnContainer
|
6
|
+
module Secrets
|
7
|
+
module GoogleCloud
|
8
|
+
class EnvLoader < ServiceBase
|
9
|
+
ENV_KEY_SUFIX = '_GOOGLE_CLOUD_SECRET'
|
10
|
+
|
11
|
+
def env_keys
|
12
|
+
@env_keys ||= ENV.keys.select do |key|
|
13
|
+
key.end_with?(ENV_KEY_SUFIX)
|
14
|
+
end.sort
|
15
|
+
end
|
16
|
+
|
17
|
+
def env_keys?
|
18
|
+
env_keys.any?
|
19
|
+
end
|
20
|
+
|
21
|
+
def secret_manager?
|
22
|
+
defined?(Google::Cloud::SecretManager) == 'constant'
|
23
|
+
end
|
24
|
+
|
25
|
+
def perform!
|
26
|
+
return unless env_keys? && secret_manager?
|
27
|
+
|
28
|
+
env_keys.each do |key|
|
29
|
+
ENV.merge! Fetcher.perform! ENV[key], client: client
|
30
|
+
end
|
31
|
+
|
32
|
+
true
|
33
|
+
end
|
34
|
+
end
|
35
|
+
end
|
36
|
+
end
|
37
|
+
end
|
@@ -0,0 +1,62 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
require 'yaml'
|
4
|
+
require 'on_container/secrets/google_cloud/service_base'
|
5
|
+
|
6
|
+
module OnContainer
|
7
|
+
module Secrets
|
8
|
+
module GoogleCloud
|
9
|
+
class Fetcher < ServiceBase
|
10
|
+
PROJECT_PATTERN = %r{\Aprojects\/(\w+)\/.*}.freeze
|
11
|
+
SECRET_NAME_PATTERN = %r{secrets\/([\w-]+)\/?}.freeze
|
12
|
+
SECRET_VERSION_PATTERN = %r{versions\/(\d+|latest)\z}.freeze
|
13
|
+
|
14
|
+
attr_reader :project, :secret_name, :secret_version
|
15
|
+
|
16
|
+
def initialize(given_key, client: nil)
|
17
|
+
@client = client
|
18
|
+
@project = extract_project given_key
|
19
|
+
@secret_version = extract_secret_version given_key
|
20
|
+
@secret_name = extract_secret_name given_key
|
21
|
+
end
|
22
|
+
|
23
|
+
def perform!
|
24
|
+
# Build the resource name of the secret version.
|
25
|
+
name = client.secret_version_path project: @project,
|
26
|
+
secret: @secret_name,
|
27
|
+
secret_version: @secret_version
|
28
|
+
|
29
|
+
version = client.access_secret_version name: name
|
30
|
+
|
31
|
+
YAML.load version.payload.data
|
32
|
+
end
|
33
|
+
|
34
|
+
protected
|
35
|
+
|
36
|
+
def default_project
|
37
|
+
ENV['GOOGLE_CLOUD_PROJECT']
|
38
|
+
end
|
39
|
+
|
40
|
+
def extract_project(given_key)
|
41
|
+
match = given_key.match(PROJECT_PATTERN)
|
42
|
+
return default_project unless match
|
43
|
+
|
44
|
+
match.captures.first
|
45
|
+
end
|
46
|
+
|
47
|
+
def extract_secret_version(given_key)
|
48
|
+
match = given_key.match(SECRET_VERSION_PATTERN)
|
49
|
+
return 'latest' unless match
|
50
|
+
|
51
|
+
match.captures.first
|
52
|
+
end
|
53
|
+
|
54
|
+
def extract_secret_name(given_key)
|
55
|
+
given_key
|
56
|
+
.sub("projects/#{@project}/secrets/", '')
|
57
|
+
.sub("/versions/#{@secret_version}", '')
|
58
|
+
end
|
59
|
+
end
|
60
|
+
end
|
61
|
+
end
|
62
|
+
end
|
@@ -0,0 +1,19 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
require "on_container/common/safe_performable"
|
4
|
+
|
5
|
+
module OnContainer
|
6
|
+
module Secrets
|
7
|
+
module GoogleCloud
|
8
|
+
class ServiceBase
|
9
|
+
include OnContainer::Common::SafePerformable
|
10
|
+
|
11
|
+
attr_reader :client
|
12
|
+
|
13
|
+
def client
|
14
|
+
@client ||= Google::Cloud::SecretManager.secret_manager_service
|
15
|
+
end
|
16
|
+
end
|
17
|
+
end
|
18
|
+
end
|
19
|
+
end
|
data/lib/on_container/version.rb
CHANGED
data/on_container.gemspec
CHANGED
@@ -16,7 +16,7 @@ Gem::Specification.new do |spec|
|
|
16
16
|
|
17
17
|
spec.metadata['homepage_uri'] = spec.homepage
|
18
18
|
spec.metadata['source_code_uri'] = spec.homepage
|
19
|
-
spec.metadata['changelog_uri'] = "#{spec.homepage}/blob/
|
19
|
+
spec.metadata['changelog_uri'] = "#{spec.homepage}/blob/main/CHANGELOG.md"
|
20
20
|
|
21
21
|
spec.executables = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
|
22
22
|
spec.files = `git ls-files -- lib/* *.md *.gemspec *.txt Rakefile`.split("\n")
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: on_container
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.0.
|
4
|
+
version: 0.0.10
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Roberto Quintanilla
|
8
8
|
autorequire:
|
9
9
|
bindir: exe
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2021-01-17 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: bundler
|
@@ -38,6 +38,8 @@ files:
|
|
38
38
|
- README.md
|
39
39
|
- Rakefile
|
40
40
|
- lib/on_container.rb
|
41
|
+
- lib/on_container/common/performable.rb
|
42
|
+
- lib/on_container/common/safe_performable.rb
|
41
43
|
- lib/on_container/dev/active_record_ops.rb
|
42
44
|
- lib/on_container/dev/bundler_ops.rb
|
43
45
|
- lib/on_container/dev/container_command_ops.rb
|
@@ -47,6 +49,9 @@ files:
|
|
47
49
|
- lib/on_container/dev/setup_ops.rb
|
48
50
|
- lib/on_container/load_env_secrets.rb
|
49
51
|
- lib/on_container/ops/service_connection_checks.rb
|
52
|
+
- lib/on_container/secrets/google_cloud/env_loader.rb
|
53
|
+
- lib/on_container/secrets/google_cloud/fetcher.rb
|
54
|
+
- lib/on_container/secrets/google_cloud/service_base.rb
|
50
55
|
- lib/on_container/version.rb
|
51
56
|
- on_container.gemspec
|
52
57
|
homepage: https://github.com/IcaliaLabs/on-container-for-ruby
|
@@ -56,7 +61,7 @@ metadata:
|
|
56
61
|
allowed_push_host: https://rubygems.org
|
57
62
|
homepage_uri: https://github.com/IcaliaLabs/on-container-for-ruby
|
58
63
|
source_code_uri: https://github.com/IcaliaLabs/on-container-for-ruby
|
59
|
-
changelog_uri: https://github.com/IcaliaLabs/on-container-for-ruby/blob/
|
64
|
+
changelog_uri: https://github.com/IcaliaLabs/on-container-for-ruby/blob/main/CHANGELOG.md
|
60
65
|
post_install_message:
|
61
66
|
rdoc_options: []
|
62
67
|
require_paths:
|