on_container 0.0.9 → 0.0.14

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0b3faf030bfb28175d373fcaf06d219b8e89eae377a881e0655b0ea71a4248d9
-  data.tar.gz: 4b0a1a13bfea4e50a199b92caf15cf8c53361e03f4312057a0c10f7e33fa8e8a
+  metadata.gz: 9375ce2312b71fcf2711319eb18e58c1e08bfef053edd28bc05e22c9dfeba543
+  data.tar.gz: '078fa6d17b8586ebdccdfd033983969a6818df32aedfb22d8a0c4d40dd6e274f'
 SHA512:
-  metadata.gz: ff47344c4ca8270ffc7b3aebc028aecc7bc1858bcb50016301c65c21e2ec94dfe0b4a334d18e7c4fa5722f319fd14c72808246094d707dcae15c3f5e8625d9e9
-  data.tar.gz: 166f0b25ea8db2af892eeeabffe15d96419d57688f9f6531d5f6fb88f7b7a9b6551a00e5049264cf6245eff9566bfa270404cd1af58fec6315593cc8b5a8fcb2
+  metadata.gz: 6d76eb51ac0bfbfd78518c711cd627ee9c24b69b44995f4e2728268d12d414422bdbde4881bd95b0962b640d4a1d635cd141632cfa0d2130be3f5b47de57eb88
+  data.tar.gz: f7b57e656c49b8435e4434156fee713cbc2af2fdc508371aa290276dd8e1511f50eefe077727a0648092e9f03e5e1fb63fbc2f1abb030bc7192e017d7c948ad9

data/README.md

@@ -52,7 +52,7 @@ end if command_requires_setup?
 execute_given_or_default_command
 ```
 
-### Loading secrets into environment variables, and inserting credentials into URL environment variables
+### Loading secrets into environment variables
 
 When using Docker Swarm, the secrets are loaded as files mounted into the container's filesystem.
 
@@ -65,11 +65,58 @@ For our Rails example app, we added the following line to the `config/boot.rb` f
 
 ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../Gemfile', __dir__)
 
-require 'on_container/load_env_secrets' # Load secrets injected by Kubernetes/Swarm
-
 require 'bundler/setup' # Set up gems listed in the Gemfile.
 require 'bootsnap/setup' # Speed up boot time by caching expensive operations.
+
+# Load swarm/gcp secrets to ENV:
+require 'on_container/load_env_secrets'
+```
+
+#### Loading Google Cloud Secret Manager secrets into ENV
+
+If you require loading YAML data stored at [Google Cloud Secret Manager](https://cloud.google.com/secret-manager),
+you will require the following steps:
+
+1. Install the `google-cloud-secret_manager` gem
+
+On your gemfile:
+
+```ruby
+# Read secrets from Google Cloud Secret Manager
+gem 'google-cloud-secret_manager', '~> 1.0'
+```
+
+2. Require it at `config/boot.rb`
+
+On `config/boot`, right before requiring `on_container/load_env_secrets`:
+
+```ruby
+# Require Google Cloud Secret Manager to enable 'on_container/load_env_secrets'
+# loading secrets from GCP to ENV:
+require 'google/cloud/secret_manager'
+
+# Load swarm/gcp secrets to ENV:
+require 'on_container/load_env_secrets'
+```
+
+3. Make sure your app has google cloud credentials configured, and have access
+to the secrets your'e planning to use.
+
+4. Configure any number of environment variables ending with
+`_GOOGLE_CLOUD_SECRET`, each containing the secret you want to load. In the
+following example, the command to deploy an image into Google Cloud Run:
+
+```bash
+gcloud run deploy my-demo-app \
+  --platform "managed" \
+  --region us-central1 \
+  --allow-unauthenticated \
+  --set-env-vars A_GOOGLE_CLOUD_SECRET=my-super-secret \
+  --set-env-vars ANOTHER_GOOGLE_CLOUD_SECRET=project/another-project/secrets/another-secret/versions/1 \
+  --service-account=my-demo-service-account@google-cloud \
+  --image gcr.io/my-demo-project/my-demo-app:latest
 ```
+#### Inserting credentials into URL environment variables
 
 The `on_container/load_env_secrets` also merges any credential available in environment variables into any matching
 `_URL` environment variable. For example, consider the following environment variables:
@@ -96,7 +143,7 @@ To install this gem onto your local machine, run `bundle exec rake install`. To
 
 ## Contributing
 
-Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/on_container. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [code of conduct](https://github.com/[USERNAME]/on_container/blob/master/CODE_OF_CONDUCT.md).
+Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/on_container. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [code of conduct](https://github.com/[USERNAME]/on_container/blob/main/CODE_OF_CONDUCT.md).
 
 
 ## License
@@ -105,4 +152,4 @@ The gem is available as open source under the terms of the [MIT License](https:/
 
 ## Code of Conduct
 
-Everyone interacting in the OnContainer project's codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/[USERNAME]/on_container/blob/master/CODE_OF_CONDUCT.md).
+Everyone interacting in the OnContainer project's codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/[USERNAME]/on_container/blob/main/CODE_OF_CONDUCT.md).

data/lib/on_container/common/performable.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module OnContainer
+  module Common
+    module Performable
+      def self.included(base)
+        base.extend ClassMethods
+      end
+
+      module ClassMethods
+        def perform!(*args, **kargs)
+          new(*args, **kargs).perform!
+        end
+      end
+    end
+  end
+end

data/lib/on_container/common/safe_performable.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+require 'on_container/common/performable'
+
+module OnContainer
+  module Common
+    module SafePerformable
+      def self.included(base)
+        base.include OnContainer::Common::Performable
+        base.extend ClassMethods
+      end
+      
+      def perform(*args, **kargs)
+        perform!(*args, **kargs)
+      rescue
+        false
+      end
+
+      module ClassMethods
+        def perform(*args, **kargs)
+          new(*args, **kargs).perform
+        end
+      end
+    end
+  end
+end

data/lib/on_container/dev/rails_ops.rb

@@ -6,10 +6,14 @@ module OnContainer
       def remove_rails_pidfile
         system "rm -rf #{File.expand_path('tmp/pids/server.pid')}"
       end
+
+      def rails?
+        ARGV[0] == 'rails'
+      end
       
       def rails_server?
-        ARGV[0] == 'rails' && %w[server s].include?(ARGV[1])
+        rails? && %w[server s].include?(ARGV[1])
       end
     end
   end
-end
+end

data/lib/on_container/dev/setup_ops.rb

@@ -42,6 +42,12 @@ module OnContainer
           rails rspec sidekiq hutch puma rake webpack webpack-dev-server
         ].include?(ARGV[0])
       end
+      
+      def command_might_require_database?
+        %w[
+          rails rspec sidekiq hutch puma rake
+        ].include?(ARGV[0])
+      end
     end
   end
-end
+end

data/lib/on_container/load_env_secrets.rb

@@ -1,54 +1,12 @@
 # frozen_string_literal: true
 
-# Reads the specified secret paths (i.e. Docker Secrets) into environment
-# variables:
-
-require 'active_support'
-require 'active_support/core_ext/object'
-
-# Process only a known list of env vars that can filled by reading a file (i.e.
-# a docker secret):
-Dir["#{ENV.fetch('SECRETS_PATH', '/run/secrets/')}*"].each do |secret_filepath|
-  next unless File.file?(secret_filepath)
-
-  secret_envvarname = File.basename(secret_filepath, '.*').upcase
-
-  # Skip if variable is already set - already-set variables have precedence over
-  # the secret files:
-  next if ENV.key?(secret_envvarname) && ENV[secret_envvarname].present?
-
-  ENV[secret_envvarname] = File.read(secret_filepath).strip
-end
-
-# For each *_URL environment variable where there's also a *_(USER|USERNAME) or
-# *_(PASS|PASSWORD), update the URL environment variable with the given
-# credentials. For example:
+# This script achieves a list of secret loading & processing:
 #
-# DATABASE_URL: postgres://postgres:5432/demo_production
-# DATABASE_USERNAME: lalito
-# DATABASE_PASSWORD: lepass
+# 1. Loads secrets from Google Cloud Secret Manager to ENV, if configured.
+# 2. Reads files in a configured Folder, and loads them into ENV variables.
+# 3. Processes "*_URL" env vars, adding their respective "*_USER" and "*_PASS".
 #
-# Results in the following updated DATABASE_URL:
-#  DATABASE_URL = postgres://lalito:lepass@postgres:5432/demo_production
-require 'uri' if (url_keys = ENV.keys.select { |key| key =~ /_URL/ }).any?
-
-url_keys.each do |url_key|
-  credential_pattern_string = url_key.gsub('_URL', '_(USER(NAME)?|PASS(WORD)?)')
-  credential_pattern = Regexp.new "\\A#{credential_pattern_string}\\z"
-  credential_keys = ENV.keys.select { |key| key =~ credential_pattern }
-  next unless credential_keys.any?
-
-  uri = URI(ENV[url_key])
-
-  credential_keys.each do |credential_key|
-    credential_value = URI.encode_www_form_component ENV[credential_key]
-    case credential_key
-    when /USER/ then uri.user = credential_value
-    when /PASS/ then uri.password = credential_value
-    end
-  end
-
-  ENV[url_key] = uri.to_s
-end
+# - See https://github.com/IcaliaLabs/on-container-for-ruby#loading-secrets-into-environment-variables
 
-# STDERR.puts ENV.inspect
+require 'on_container/secrets/env_loader'
+OnContainer::Secrets::EnvLoader.perform!

data/lib/on_container/secrets/env_loader.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+require 'on_container/common/safe_performable'
+require 'on_container/secrets/google_cloud/env_loader'
+require 'on_container/secrets/mounted_files/env_loader'
+require 'on_container/secrets/url_variable_processor'
+
+module OnContainer
+  module Secrets
+    #= EnvLoader
+    #
+    # Reads the specified secret paths (i.e. Docker Secrets) into environment
+    # variables:
+    class EnvLoader
+      include OnContainer::Common::SafePerformable
+
+      def perform!
+        load_secrets_from_google_cloud if google_cloud_secrets?
+        load_secrets_from_mounted_files
+        process_url_variables
+        true
+      end
+
+      private
+
+      def google_cloud_secrets?
+        OnContainer::Secrets::GoogleCloud::EnvLoader.secret_manager?
+      end
+
+      def load_secrets_from_google_cloud
+        OnContainer::Secrets::GoogleCloud::EnvLoader.perform!
+      end
+
+      def load_secrets_from_mounted_files
+        OnContainer::Secrets::MountedFiles::EnvLoader.perform!
+      end
+
+      def process_url_variables
+        OnContainer::Secrets::UrlVariableProcessor.perform!
+      end
+    end
+  end
+end

data/lib/on_container/secrets/google_cloud/env_loader.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+require "on_container/secrets/google_cloud/fetcher"
+
+module OnContainer
+  module Secrets
+    module GoogleCloud
+      class EnvLoader < ServiceBase
+        ENV_KEY_SUFIX = '_GOOGLE_CLOUD_SECRET'
+    
+        def env_keys
+          @env_keys ||= ENV.keys.select do |key|
+            key.end_with?(ENV_KEY_SUFIX)
+          end.sort
+        end
+    
+        def env_keys?
+          env_keys.any?
+        end
+
+        def self.secret_manager?
+          defined?(Google::Cloud::SecretManager) == 'constant'
+        end
+    
+        def secret_manager?
+          self.class.secret_manager?
+        end
+    
+        def perform!
+          return unless env_keys? && secret_manager?
+    
+          env_keys.each do |key|
+            ENV.merge! Fetcher.perform! ENV[key], client: client
+          end
+    
+          true
+        end
+      end
+    end
+  end
+end

data/lib/on_container/secrets/google_cloud/fetcher.rb

@@ -0,0 +1,62 @@
+# frozen_string_literal: true
+
+require 'yaml'
+require 'on_container/secrets/google_cloud/service_base'
+
+module OnContainer
+  module Secrets
+    module GoogleCloud
+      class Fetcher < ServiceBase
+        PROJECT_PATTERN = %r{\Aprojects\/(\w+)\/.*}.freeze
+        SECRET_NAME_PATTERN = %r{secrets\/([\w-]+)\/?}.freeze
+        SECRET_VERSION_PATTERN = %r{versions\/(\d+|latest)\z}.freeze
+        
+        attr_reader :project, :secret_name, :secret_version
+    
+        def initialize(given_key, client: nil)
+          @client = client
+          @project = extract_project given_key
+          @secret_version = extract_secret_version given_key
+          @secret_name = extract_secret_name given_key
+        end
+    
+        def perform!
+          # Build the resource name of the secret version.
+          name = client.secret_version_path project:        @project,
+                                            secret:         @secret_name,
+                                            secret_version: @secret_version
+      
+          version = client.access_secret_version name: name
+      
+          YAML.load version.payload.data
+        end
+    
+        protected
+    
+        def default_project
+          ENV['GOOGLE_CLOUD_PROJECT']
+        end
+    
+        def extract_project(given_key)
+          match = given_key.match(PROJECT_PATTERN)
+          return default_project unless match
+    
+          match.captures.first
+        end
+    
+        def extract_secret_version(given_key)
+          match = given_key.match(SECRET_VERSION_PATTERN)
+          return 'latest' unless match
+    
+          match.captures.first
+        end
+    
+        def extract_secret_name(given_key)
+          given_key
+            .sub("projects/#{@project}/secrets/", '')
+            .sub("/versions/#{@secret_version}", '')
+        end
+      end
+    end
+  end
+end

data/lib/on_container/secrets/google_cloud/service_base.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+require "on_container/common/safe_performable"
+
+module OnContainer
+  module Secrets
+    module GoogleCloud
+      class ServiceBase
+        include OnContainer::Common::SafePerformable
+        
+        attr_reader :client
+    
+        def client
+          @client ||= Google::Cloud::SecretManager.secret_manager_service
+        end
+      end
+    end
+  end
+end

data/lib/on_container/secrets/mounted_files/env_loader.rb

@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+
+require 'active_support'
+require 'active_support/core_ext/object'
+require 'on_container/common/safe_performable'
+
+module OnContainer
+  module Secrets
+    module MountedFiles
+      class EnvLoader
+        include OnContainer::Common::SafePerformable
+
+        def perform!
+          setup_secrets_path
+          scan_secrets_path_for_files
+          load_secret_files_to_env_vars
+        end
+
+        def secrets_path
+          @secrets_path ||= ENV.fetch('SECRETS_PATH', '/run/secrets')
+        end
+
+        def secret_mounted_file_paths
+          @secret_mounted_file_paths ||= Dir["#{secrets_path}/**/*"]
+            .map { |path| Pathname.new(path) }
+            .select(&:file?)
+        end
+
+        private
+
+        alias setup_secrets_path secrets_path
+        alias scan_secrets_path_for_files secret_mounted_file_paths
+
+        def load_secret_files_to_env_vars
+          return if @already_loaded
+
+          secret_mounted_file_paths
+            .each { |file_path| load_secret_file_to_env_var(file_path) }
+
+          @already_loaded = true
+        end
+
+        def load_secret_file_to_env_var(file_path)
+          env_var_name = file_path.basename('.*').to_s.upcase
+
+          # Skip if variable is already set - already-set variables have
+          # precedence over the secret files:
+          return if ENV.key?(env_var_name) && ENV[env_var_name].present?
+
+          contents = file_path.read.strip
+
+          # TODO: Do not load if content has null bytes
+          ENV[env_var_name] = file_path.read.strip
+        end
+      end
+    end
+  end
+end

data/lib/on_container/secrets/url_variable_processor.rb

@@ -0,0 +1,71 @@
+# frozen_string_literal: true
+
+require 'on_container/common/safe_performable'
+
+module OnContainer
+  module Secrets
+    #= UrlVariableProcessor
+    #
+    # For each *_URL environment variable where there's also a *_(USER|USERNAME)
+    # or *_(PASS|PASSWORD), updates the URL environment variable with the given
+    # credentials. For example:
+    #
+    # DATABASE_URL: postgres://postgres:5432/demo_production
+    # DATABASE_USERNAME: lalito
+    # DATABASE_PASSWORD: lepass
+    #
+    # Results in the following updated DATABASE_URL:
+    #  DATABASE_URL = postgres://lalito:lepass@postgres:5432/demo_production
+    class UrlVariableProcessor
+      include OnContainer::Common::SafePerformable
+
+      def perform!
+        require_uri_module if url_keys?
+        process_credential_keys
+      end
+
+      def url_keys
+        @url_keys ||= ENV.keys.select { |key| key =~ /_URL/ }
+      end
+
+      def url_keys?
+        url_keys.any?
+      end
+      
+      private
+
+      def process_credential_keys
+        url_keys.each { |url_key| process_credential_keys_for(url_key) }
+      end
+
+      def require_uri_module
+        require 'uri'
+      end
+
+      def credential_keys_for(url_key)
+        credential_pattern_string = url_key
+          .gsub('_URL', '_(USER(NAME)?|PASS(WORD)?)')
+
+        credential_pattern = Regexp.new "\\A#{credential_pattern_string}\\z"
+        ENV.keys.select { |key| key =~ credential_pattern }
+      end
+
+      def process_credential_keys_for(url_key)
+        return unless (credential_keys = credential_keys_for(url_key)).any?
+
+        uri = URI(ENV[url_key])
+
+        # Reverse sorting will place "*_USER" before "*_PASS":
+        credential_keys.sort.reverse.each do |credential_key|
+          credential_value = URI.encode_www_form_component ENV[credential_key]
+          case credential_key
+          when /USER/ then uri.user = credential_value
+          when /PASS/ then uri.password = credential_value
+          end
+        end
+
+        ENV[url_key] = uri.to_s
+      end
+    end
+  end
+end

data/lib/on_container/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module OnContainer
-  VERSION = '0.0.9'
+  VERSION = '0.0.14'
 end

data/on_container.gemspec

@@ -16,7 +16,7 @@ Gem::Specification.new do |spec|
 
   spec.metadata['homepage_uri']    = spec.homepage
   spec.metadata['source_code_uri'] = spec.homepage
-  spec.metadata['changelog_uri']   = "#{spec.homepage}/blob/master/CHANGELOG.md"
+  spec.metadata['changelog_uri']   = "#{spec.homepage}/blob/main/CHANGELOG.md"
 
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.files         = `git ls-files -- lib/* *.md *.gemspec *.txt Rakefile`.split("\n")
@@ -24,5 +24,6 @@ Gem::Specification.new do |spec|
   spec.bindir        = 'exe'
   spec.require_paths = ['lib']
 
+  spec.add_runtime_dependency 'activesupport', '>= 4'
   spec.add_development_dependency 'bundler', '~> 2.1'
 end

metadata

@@ -1,15 +1,29 @@
 --- !ruby/object:Gem::Specification
 name: on_container
 version: !ruby/object:Gem::Version
-  version: 0.0.9
+  version: 0.0.14
 platform: ruby
 authors:
 - Roberto Quintanilla
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2020-12-28 00:00:00.000000000 Z
+date: 2021-03-05 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: activesupport
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '4'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '4'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -38,6 +52,8 @@ files:
 - README.md
 - Rakefile
 - lib/on_container.rb
+- lib/on_container/common/performable.rb
+- lib/on_container/common/safe_performable.rb
 - lib/on_container/dev/active_record_ops.rb
 - lib/on_container/dev/bundler_ops.rb
 - lib/on_container/dev/container_command_ops.rb
@@ -47,6 +63,12 @@ files:
 - lib/on_container/dev/setup_ops.rb
 - lib/on_container/load_env_secrets.rb
 - lib/on_container/ops/service_connection_checks.rb
+- lib/on_container/secrets/env_loader.rb
+- lib/on_container/secrets/google_cloud/env_loader.rb
+- lib/on_container/secrets/google_cloud/fetcher.rb
+- lib/on_container/secrets/google_cloud/service_base.rb
+- lib/on_container/secrets/mounted_files/env_loader.rb
+- lib/on_container/secrets/url_variable_processor.rb
 - lib/on_container/version.rb
 - on_container.gemspec
 homepage: https://github.com/IcaliaLabs/on-container-for-ruby
@@ -56,7 +78,7 @@ metadata:
   allowed_push_host: https://rubygems.org
   homepage_uri: https://github.com/IcaliaLabs/on-container-for-ruby
   source_code_uri: https://github.com/IcaliaLabs/on-container-for-ruby
-  changelog_uri: https://github.com/IcaliaLabs/on-container-for-ruby/blob/master/CHANGELOG.md
+  changelog_uri: https://github.com/IcaliaLabs/on-container-for-ruby/blob/main/CHANGELOG.md
 post_install_message: 
 rdoc_options: []
 require_paths: