feat: add option to set custom name for secrets and secrets policy

shakacode · May 2, 2024 · 6be1b88 · 6be1b88
1 parent 5a85042
commit 6be1b88
Show file tree

Hide file tree

Showing 6 changed files with 67 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -207,6 +207,22 @@ aliases:
       - rails
       - sidekiq
 
+    # Only needed if using a custom secrets name.
+    # The default is '{APP_PREFIX}-secrets'. For example:
+    # - for an app 'my-app-staging' with `match_if_app_name_starts_with` set to `false`,
+    #   it would be 'my-app-staging-secrets'
+    # - for an app 'my-app-review-1234' with `match_if_app_name_starts_with` set to `true`,
+    #   it would be 'my-app-review-secrets'
+    secrets_name: my-secrets
+
+    # Only needed if using a custom secrets policy name.
+    # The default is '{APP_SECRETS}-policy'. For example:
+    # - for an app 'my-app-staging' with `match_if_app_name_starts_with` set to `false`,
+    #   it would be 'my-app-staging-secrets-policy'
+    # - for an app 'my-app-review-1234' with `match_if_app_name_starts_with` set to `true`,
+    #   it would be 'my-app-review-secrets-policy'
+    secrets_policy_name: my-secrets-policy
+
     # Configure the workload name used as a template for one-off scripts, like a Heroku one-off dyno.
     one_off_workload: rails
 

diff --git a/examples/controlplane.yml b/examples/controlplane.yml
@@ -42,6 +42,22 @@ aliases:
       - rails
       - sidekiq
 
+    # Only needed if using a custom secrets name.
+    # The default is '{APP_PREFIX}-secrets'. For example:
+    # - for an app 'my-app-staging' with `match_if_app_name_starts_with` set to `false`,
+    #   it would be 'my-app-staging-secrets'
+    # - for an app 'my-app-review-1234' with `match_if_app_name_starts_with` set to `true`,
+    #   it would be 'my-app-review-secrets'
+    secrets_name: my-secrets
+
+    # Only needed if using a custom secrets policy name.
+    # The default is '{APP_SECRETS}-policy'. For example:
+    # - for an app 'my-app-staging' with `match_if_app_name_starts_with` set to `false`,
+    #   it would be 'my-app-staging-secrets-policy'
+    # - for an app 'my-app-review-1234' with `match_if_app_name_starts_with` set to `true`,
+    #   it would be 'my-app-review-secrets-policy'
+    secrets_policy_name: my-secrets-policy
+
     # Configure the workload name used as a template for one-off scripts, like a Heroku one-off dyno.
     one_off_workload: rails
 

diff --git a/lib/command/base.rb b/lib/command/base.rb
@@ -412,11 +412,11 @@ def app_identity_link
     end
 
     def app_secrets
-      "#{config.app_prefix}-secrets"
+      config.current[:secrets_name] || "#{config.app_prefix}-secrets"
     end
 
     def app_secrets_policy
-      "#{app_secrets}-policy"
+      config.current[:secrets_policy_name] || "#{app_secrets}-policy"
     end
 
     def ensure_docker_running!

diff --git a/lib/command/setup_app.rb b/lib/command/setup_app.rb
@@ -35,7 +35,10 @@ def call # rubocop:disable Metrics/MethodLength
       if cp.fetch_identity(app_identity).nil? || cp.fetch_policy(app_secrets_policy).nil?
         raise "Can't bind identity to policy: identity '#{app_identity}' or " \
               "policy '#{app_secrets_policy}' doesn't exist. " \
-              "Please create them or use `--skip-secret-access-binding` to ignore this message."
+              "Please create them or use `--skip-secret-access-binding` to ignore this message." \
+              "You can also set a custom secrets name with `secrets_name` " \
+              "and a custom secrets policy name with `secrets_policy_name` " \
+              "in the `.controlplane/controlplane.yml` file."
       end
 
       step("Binding identity to policy") do

diff --git a/spec/command/setup_app_spec.rb b/spec/command/setup_app_spec.rb
@@ -78,4 +78,23 @@
       expect(result[:stderr]).to match(/Binding identity to policy[.]+? done!/)
     end
   end
+
+  context "when using custom names for secrets" do
+    let!(:app) { dummy_test_app }
+
+    before do
+      run_cpl_command!("apply-template", "secrets-with-custom-names", "-a", app)
+    end
+
+    after do
+      run_cpl_command!("delete", "-a", app, "--yes")
+    end
+
+    it "binds identity to policy" do
+      result = run_cpl_command("setup-app", "-a", app)
+
+      expect(result[:status]).to eq(0)
+      expect(result[:stderr]).to match(/Binding identity to policy[.]+? done!/)
+    end
+  end
 end
diff --git a/spec/dummy/.controlplane/templates/secrets-with-custom-names.yml b/spec/dummy/.controlplane/templates/secrets-with-custom-names.yml
@@ -0,0 +1,10 @@
+kind: secret
+name: custom-secrets
+type: dictionary
+data: {}
+---
+kind: policy
+name: custom-policy
+targetKind: secret
+targetLinks:
+  - //secret/{{APP_SECRETS}}