Skip to content
This repository has been archived by the owner on Nov 20, 2024. It is now read-only.

Store workspace outputs as secrets #80

Merged
merged 4 commits into from
Nov 17, 2020
Merged

Store workspace outputs as secrets #80

merged 4 commits into from
Nov 17, 2020

Conversation

koikonom
Copy link
Contributor

@koikonom koikonom commented Nov 9, 2020

Currently the operator stores outputs as configmaps. This can be
undesirable for some environments since output values can be considered
sensitive. This change creates k8s secrets instead of ConfigMaps to
satisfy this use case.

@koikonom koikonom marked this pull request as draft November 9, 2020 14:55
@koikonom koikonom marked this pull request as ready for review November 10, 2020 10:06
@koikonom koikonom requested a review from a team November 10, 2020 10:06
@koikonom
Copy link
Contributor Author

How to test:

Create a secret called workspacesecrets that holds your AWS credentials:

❯ kubectl create -n awstest secret generic workspacesecrets \
 --from-literal=AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY} \
 --from-literal=AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID} \
 --from-literal=AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN}

Apply the following (or a similar) workspace

---
apiVersion: app.terraform.io/v1alpha1
kind: Workspace
metadata:
  name: test123
spec:
  secretsMountPath: "/tmp/secrets"
  module:
    source: "git::https://github.com/koikonom/tfc-operator-test.git"
  outputs:
    - key: aws_ebs_volume_id
      moduleOutputName: aws_ebs_volume_id
  variables:
    - key: region
      sensitive: false
      environmentVariable: false
      valueFrom:
        configMapKeyRef:
          name: aws-configuration
          key: region
    - key: zone
      value: us-west-2a
      sensitive: false
      environmentVariable: false
    - key: size
      value: "1"
      sensitive: false
      environmentVariable: false
    - key: AWS_DEFAULT_REGION
      valueFrom:
        configMapKeyRef:
          name: aws-configuration
          key: region
      sensitive: false
      environmentVariable: true
    - key: AWS_ACCESS_KEY_ID
      sensitive: true
      environmentVariable: true
    - key: AWS_SECRET_ACCESS_KEY
      sensitive: true
      environmentVariable: true
    - key: AWS_SESSION_TOKEN
      sensitive: true
      environmentVariable: true
    - key: CONFIRM_DESTROY
      value: "1"
      sensitive: false
      environmentVariable: true

Wait for a few minutes while the operator works its magic, and run

❯ kubectl -n awstest describe workspace/test123
[.... lots of output ...]
Events:
  Type    Reason          Age   From       Message
  ----    ------          ----  ----       -------
  Normal  WorkspaceEvent  12m   workspace  Started new Terraform job with id run-NbDXabkBo8tt6csJ
  Normal  WorkspaceEvent  11m   workspace  Updated outputs for run run-NbDXabkBo8tt6csJ

Once you see the Updated outputs message in the events you can then verify the secrets are there:

❯ kubectl -n awstest get secrets/test123-outputs -o json  | jq -r .data.aws_ebs_volume_id | base64 -D
vol-027e309f2a67be949

@koikonom
Copy link
Contributor Author

Example output when upgrading:

Up until the previous version, once the workspace was done applying we could get the outputs from a config map:

❯ kubectl -n awstest describe configmaps/demo-outputs
Name:         demo-outputs
Namespace:    awstest
[.....]
Data
====
pet:
----
readily-actually-electric-wahoo
[....]

Once we install the latest version:

❯ helm install --devel --namespace awstest --generate-name --set global.imageK8S=terraform-k8s-dev:latest .
[...]

❯ kubectl -n awstest get secret/demo-outputs
NAME           TYPE     DATA   AGE
demo-outputs   Opaque   2      69s

@dak1n1
Copy link
Contributor

dak1n1 commented Nov 10, 2020

I started testing this today. It looks like there is a regression in the CRD:

$ helm install -n test operator .
Error: failed to install CRD crds/app.terraform.io_workspaces_crd.yaml: CustomResourceDefinition.apiextensions.k8s.io "workspaces.app.terraform.io" is invalid: [spec.versions[0].schema.openAPIV3Schema.properties[spec].properties[terraformVersion].default: Forbidden: must not be set (cannot set default values in apiextensions.k8s.io/v1beta1 CRDs, must use apiextensions.k8s.io/v1

I'm working around it by setting the API version to v1 instead of v1beta1, but the CRD should probably be updated so the installation process isn't broken.

@dak1n1
Copy link
Contributor

dak1n1 commented Nov 10, 2020

Nice, it's working! I had to grab the latest commit in your test repo (which btw, thanks for adding that!). Now my test app is up-to-date enough for the secrets to work:

$ kube get secrets -n test test-outputs -o json |jq .data.aws_ebs_volume_id
"dm9sLTBhZTc0OTJhYzI0YzkzM2Nj"

$ kube get secrets -n test test-outputs -o json |jq -r .data.aws_ebs_volume_id |base64 -d
vol-0ae7492ac24c933cc

Next I'll just give the code a quick read-through.

dak1n1
dak1n1 reviewed Nov 10, 2020
View reviewed changes
Copy link
Contributor

@dak1n1 dak1n1 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for adding this feature! This looks great. The only issue I ran into was with the CRD, and maybe running go mod tidy to clean up go.mod, but other than that, everything is working well.

CHANGELOG.md
the workspace's outputs, and it will keep updating only those for
subsequent runs. Old ConfigMaps will be left for the users to delete
when they are ready.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice upgrade notes! I like that users can take this at their own pace, rather than having the ConfigMap automatically deleted.

go.mod Outdated
@@ -11,7 +11,7 @@ require (
github.com/pkg/sftp v1.12.0 // indirect
github.com/spf13/pflag v1.0.5
github.com/stretchr/testify v1.6.1
github.com/zclconf/go-cty v1.5.1
github.com/zclconf/go-cty v1.5.1 // indirect
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It looks like we need to run go mod tidy since the modules were in a bit of an inconsistent state when I looked at them locally. When I ran it, it cleaned up some things.

koikonom pushed a commit that referenced this pull request Nov 16, 2020
Handle default terraform version in code instead
1e3b0df 
During review of #80 it was discovered that v1beta1 of the CRD schema
was not compatible with setting default values, like we do for the
workspace's default version.

Since setting the CRD schema version to v1 instead would result in
dropping support for k8s versions before 1.16.0 we'll allow the schema
to support empty terraform versions and handle the lack of a value in
the code.
@koikonom koikonom requested a review from dak1n1 November 16, 2020 19:46
koikonom and others added 4 commits November 16, 2020 19:52
@koikonom
Store workspace outputs as secrets
fbfddce 
Currently the operator stores outputs as configmaps. This can be
undesirable for some environments since output values can be considered
sensitive. This change creates k8s secrets instead of ConfigMaps to
satisfy this usecase.
@koikonom @dak1n1
Update pkg/controller/workspace/k8s_configmap.go
19d69c4 
Co-authored-by: Stef Forrester <dak1n1@users.noreply.github.com>
Handle default terraform version in code instead
b77cb65 
During review of #80 it was discovered that v1beta1 of the CRD schema
was not compatible with setting default values, like we do for the
workspace's default version.

Since setting the CRD schema version to v1 instead would result in
dropping support for k8s versions before 1.16.0 we'll allow the schema
to support empty terraform versions and handle the lack of a value in
the code.
go modules update
335e791
@koikonom
Copy link
Contributor Author

Rebased against master.

@koikonom
Copy link
Contributor Author

@dak1n1 see commit b77cb65 for the solution I chose for the CRD schema version issue you pointed out. (Thanks for reporting this btw :) )

dak1n1
dak1n1 approved these changes Nov 16, 2020
View reviewed changes
Copy link
Contributor

@dak1n1 dak1n1 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice fix! It's all working as expected 😄

@koikonom koikonom merged commit 81031a1 into master Nov 17, 2020
@koikonom koikonom deleted the sensitive_outputs branch November 17, 2020 12:44
@aareet
Copy link
Contributor

aareet commented Feb 2, 2021

@koikonom does this resolve #39 ?

@koikonom
Copy link
Contributor Author

koikonom commented Feb 3, 2021

Yes I believe it does.

@koikonom koikonom mentioned this pull request Feb 3, 2021
Closed
@James-Newman James-Newman mentioned this pull request Sep 1, 2021
Open
@ejhayes ejhayes mentioned this pull request Oct 13, 2021
Closed
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@dak1n1 dak1n1 dak1n1 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@koikonom @dak1n1 @aareet