[Do not Merge] Testing things with Dockerfile secrets #261
Conversation
| @@ -38,6 +39,12 @@ func ReadSecrets( | |||
| // Extracts secrets into data to pass to buildkit | |||
| secretsData := make(map[string][]byte) | |||
| for _, secretRef := range obj.Spec.Secrets { | |||
| line := fmt.Sprintf("Processing secret reference %s %s %s\n", | |||
There was a problem hiding this comment.
log.XXX apis should work. You just need to make sure the loglevel is configured properly on the hephaestus operator.
Or you can just use things like log.Error
| if secretRef.MountPath != "" { | ||
| path = secretRef.MountPath | ||
| } | ||
|
|
||
| // builds a path for the secret like {namespace}/{name}/{key} to avoid hash key collisions | ||
| for filename, data := range secret.Data { | ||
| name := strings.Join([]string{path, filename}, "/") |
There was a problem hiding this comment.
Do we still do {path}/{filename} here or is MountPath expected to be the complete path to the file?
There was a problem hiding this comment.
The mount path affects all the values inside the k8s secret.
From the perspective of nucleus you can set a different mount path for every Vault secret and the dispatcher maps the Vault values into the k8s secret.
We only need one secret for the purposes of the environment build secrets, but I'm leaving room to have multiple secrets if someone needs it in the future.
There was a problem hiding this comment.
Ah yup, makes sense. Let me know when you have a demo environment rigged up where I can play around with the experience a bit.
Thanks!
ddl-ignacio-rossi
force-pushed
the
dockerfile_secrets
branch
from
d422c3a to
58157a0
Compare
No description provided.