Skip to content

x/build/cmd/relui: in prod deployment, make twitter secret in secret manager available to relui command #51122

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
dmitshur opened this issue Feb 9, 2022 · 5 comments
Closed

x/build/cmd/relui: in prod deployment, make twitter secret in secret manager available to relui command #51122

dmitshur opened this issue Feb 9, 2022 · 5 comments
Labels
Builders x/build issues (builders, bots, dashboards) FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done.
Milestone
Unreleased

Comments

@dmitshur
Copy link
Member

dmitshur commented Feb 9, 2022
edited
Loading

The production relui deployment (deployment-prod.yaml in x/build/cmd/relui) runs the relui command, and currently provides some static flags and environment variables (see here and here).

For upcoming production workflows, the relui binary will need to be also provided secrets from secret manager. Specifically, we want:

Based on sources like https://kubernetes.io/docs/concepts/configuration/secret/ and https://stackoverflow.com/questions/59079318/how-to-mount-multiple-files-secrets-into-common-directory-in-kubernetes, Kubernetes has support for arranging this. It can be implemented as files in a mounted volume (whose location can either be well-known by the relui command, or provided to it via a flag or env var), or via environment variables that relui can access.

This is the tracking issue for making these secrets available to the relui process in the production environment (a part of #47407).

CC @golang/release.
@dmitshur dmitshur added Builders x/build issues (builders, bots, dashboards) NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. labels Feb 9, 2022
@dmitshur dmitshur added this to the Unreleased milestone Feb 9, 2022
@dmitshur dmitshur mentioned this issue Feb 9, 2022
Open
3 tasks
@heschi
Copy link
Contributor

heschi commented Feb 9, 2022

The GCP secrets CSI driver looked perfect but doesn't work in Autopilot clusters, which makes me feel pretty dumb for using one :(

We could use an init container, or https://external-secrets.io/, but both feel too heavyweight for me.

https://github.com/GoogleCloudPlatform/berglas#library-usage is kinda neat, but I think I prefer something more explicit. So I think we should just take flags that are secret names and resolve them ourselves :-/

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/385185 mentions this issue: internal/secret: add flag support

@dmitshur dmitshur added NeedsFix The path to resolution is known, but the work has not been done. and removed NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. labels Feb 14, 2022
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/386054 mentions this issue: internal/secret: add JSON flag support

gopherbot pushed a commit to golang/build that referenced this issue Feb 16, 2022
@heschi
internal/secret: add flag support
55bc65c 
To avoid hardcoding secret names everywhere, we want to pass them via
flags instead. As a convenience, introduce a new flag type that resolves
values of the form "secret:[project name/]<secret name>" using Secret
Manager.

This is a bit janky in the name of convenience: we need a SM client
before calling flag.Parse, which I decided should be initialized by the
user rather than implicitly. Typical usage will look like:

  var token = secret.Flag("token", "token used to do the thing")

  func main() {
    if err := secret.InitFlagSupport(context.Background()); err != nil {
      log.Fatal(err)
    }
    flag.Parse()
    fmt.Printf("My token is %v\n", *token)
  }

Supporting literal values might be unnecessary but I think it might be
helpful for local testing, and we can extend it with a file: prefix to
read from local files too.

For golang/go#51122.

Change-Id: Ie6102453c2242baf2e91b873e62e035f72a82584
Reviewed-on: https://go-review.googlesource.com/c/build/+/385185
Trust: Heschi Kreinick <[email protected]>
Run-TryBot: Heschi Kreinick <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
Auto-Submit: Heschi Kreinick <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
gopherbot pushed a commit to golang/build that referenced this issue Feb 16, 2022
@heschi @gopherbot
internal/secret: add JSON flag support
eb8c3e6 
Some of our secrets are in JSON format so that we don't have to deal
with too many. Make a little convenience flag function for those.

For golang/go#51122.

Change-Id: Ie34828443adb9acb16249339a760d28a81ddbd20
Reviewed-on: https://go-review.googlesource.com/c/build/+/386054
Trust: Heschi Kreinick <[email protected]>
Run-TryBot: Heschi Kreinick <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
Auto-Submit: Heschi Kreinick <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/387274 mentions this issue: cmd/relui: fetch Twitter API secret in production deployment

@dmitshur
Copy link
Member Author

As part of resolving this issue, I've granted Secret Manager Secret Accessor role on the twitter API secret to relui's service account. Without that access, it correctly refuses to start up:

invalid value "secret:symbolic-datum-552/twitter-api-secret" for flag -twitter-api-secret: reading secret "twitter-api-secret" from project symbolic-datum-552 failed: rpc error: code = PermissionDenied desc = Permission 'secretmanager.versions.access' denied for resource 'projects/symbolic-datum-552/secrets/twitter-api-secret/versions/latest' (or it may not exist).
Usage of ./relui: [...]

The tweet workflows are ready and need secret access now, while the other workflows will be added later on. Now that we've done the work to propagate one secret, doing it for more is trivial, and there's no value in doing it preemptively.

So I'll scope this issue down to be just about the twitter credentials and update CL 387274 to close it.

@dmitshur dmitshur changed the title x/build/cmd/relui: in prod deployment, make secrets in secret manager available to relui command x/build/cmd/relui: in prod deployment, make twitter secret in secret manager available to relui command Feb 25, 2022
@rsc rsc unassigned dmitshur and heschi Jun 22, 2022
@heschi heschi moved this to Done in Go Release Sep 27, 2022
@golang golang locked and limited conversation to collaborators Jun 22, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Builders x/build issues (builders, bots, dashboards) FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done.
Projects
Go Release
Archived in project
Milestone
Unreleased
Development

No branches or pull requests
3 participants
@dmitshur @gopherbot @heschi