envvarcsi

package
v1.12.5

This package is not in the latest version of its module.
Published: Oct 10, 2024 License: Apache-2.0 Imports: 18 Imported by: 0

README

Environment Variable from CSI plugin

The rigdev.envvar_csi plugin loads environment variables from a CSI provider into a Pod using a synced Kubernetes secret.

The plugin currently supports the aws driver, which needs to be installed in an AWS cluster. See here for a guide on how to install the AWS Secrets and Configuration Provider.

AWS Provider

The plugin reads the environment variables set in the .spec.env.raw field of the Platform Capsule and decides whether each one should be injected as a CSI environment variable. The syntax for the environment variables is:

  • ENV_VAR: __ssmParameter__=<MY-PARAMETER>: Will try to load an object of type ssmparameter with name <MY-PARAMETER> and store it in the environment variable ENV_VAR
  • ENV_VAR: __secretName__=<MY-SECRET>: Will try to load an object of type secretsmanager with name <MY-SECRET> and store it in the environment variable ENV_VAR

Example

Config:

config:
  pipeline:
    steps:
      - plugins:
          - plugin: rigdev.envvar_csi
            config: |
              provider: aws


# You have to give the Rig Operator permission to read/write SecretProviderClass objects
rbac:
  rules: 
  - apiGroups:
    - secrets-store.csi.x-k8s.io
    resources:
    - secretproviderclasses

apiVersion: platform.rig.dev/v1
kind: Capsule
project: myproject
environment: myenv
name: mycapsule
spec:
  image: myimage
  env:
    raw:
      NORMAL_VAR: some_value
      SSM_PARAMETER: __ssmParameter__=SomeParameter
      SECRET_PARAMETER: __secretName__=SomeSecret

The resulting Deployment and SecretProviderClass resources of the Capsule:

kind: Deployment
metadata:
  name: mycapsule
  namespace: myproject
spec:
  template:
    spec:
      containers:
      - name: mycapsule
        image: myimage
        envFrom:
        - configMapRef:
            name: cap
        # Secret synced by the SecretProviderClass below
        - secretRef:
            name: csi-envvars-mycapsule
      volumes:
      - csi:
          driver: secrets-store.csi.k8s.io
          readOnly: true
          volumeAttributes:
            secretProviderClass: mycapsule
        name: csi
   ...
kind: SecretProviderClass
metadata:
  name: mycapsule
  namespace: myproject
spec:
  parameters:
    objects: |
      - objectName: SomeParameter
        objectType: ssmparameter
      - objectName: SomeSecret
        objectType: secretsmanager
  provider: aws
  secretObjects:
  - secretName: csi-envvars-mycapsule
    type: Opaque
    data:
    - key: SSM_PARAMETER
      objectName: SomeParameter
    - key: SECRET_PARAMETER
      objectName: SomeSecret

The SecretProviderClass will then construct a Kubernetes secret named csi-envvars-mycapsule and inject it into the Capsule's pods.

kind: Secret
metadata:
  name: csi-envvars-mycapsule
  namespace: myproject
type: Opaque
data:
  SSM_PARAMETER: ...
  SECRET_PARAMETER: ...
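
An added example, not the plugin's own code: a Go sketch of the marker syntax described above, splitting the .spec.env.raw map into plain values and provider-backed references (the entries that end up under objects and secretObjects). SplitEnv and CSIRef are hypothetical names, and rejecting a marker with an empty object name is an assumption of this sketch.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Marker prefixes and object types as given in the README.
var markers = map[string]string{
	"__ssmParameter__=": "ssmparameter",
	"__secretName__=":   "secretsmanager",
}

// CSIRef (hypothetical type): one env var backed by a provider object.
type CSIRef struct{ EnvVar, ObjectName, ObjectType string }

// SplitEnv (hypothetical helper) separates plain values from CSI references.
// A marker with no object name is an error here (assumption), so the marker
// text never reaches the Pod as a literal value.
func SplitEnv(raw map[string]string) (map[string]string, []CSIRef, error) {
	plain := map[string]string{}
	var refs []CSIRef
	for k, v := range raw {
		typ, name := "", ""
		for prefix, t := range markers {
			if strings.HasPrefix(v, prefix) {
				typ, name = t, strings.TrimPrefix(v, prefix)
			}
		}
		switch {
		case typ == "":
			plain[k] = v
		case strings.TrimSpace(name) == "":
			return nil, nil, fmt.Errorf("env var %s: marker without an object name", k)
		default:
			refs = append(refs, CSIRef{EnvVar: k, ObjectName: name, ObjectType: typ})
		}
	}
	// Sort so the generated objects list is stable between runs.
	sort.Slice(refs, func(i, j int) bool { return refs[i].EnvVar < refs[j].EnvVar })
	return plain, refs, nil
}

func main() {
	// Constructed input mirroring the Capsule in the example above.
	plain, refs, err := SplitEnv(map[string]string{"NORMAL_VAR": "some_value",
		"SSM_PARAMETER": "__ssmParameter__=SomeParameter", "SECRET_PARAMETER": "__secretName__=SomeSecret"})
	fmt.Println(plain, refs, err)
}
```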

Config

Documentation

Index

Constants

const (
	Name = "rigdev.envvar_csi"
)

Variables

This section is empty.

Functions

This section is empty.

Types

type Config

type Config struct {
	Provider      string `json:"provider,omitempty"`
	ContainerName string `json:"containerName,omitempty"`
}

Configuration for the env_mapping plugin
+kubebuilder:object:root=true

type Plugin

type Plugin struct {
	plugin.NoWatchObjectStatus
	// contains filtered or unexported fields
}

func (*Plugin) ComputeConfig

func (p *Plugin) ComputeConfig(ctx context.Context, req pipeline.CapsuleRequest, logger hclog.Logger) (string, error)

func (*Plugin) Initialize

func (p *Plugin) Initialize(req plugin.InitializeRequest) error

func (*Plugin) Run

func (p *Plugin) Run(ctx context.Context, req pipeline.CapsuleRequest, _ hclog.Logger) error

func (*Plugin) WatchObjectStatus

func (p *Plugin) WatchObjectStatus(ctx context.Context, watcher plugin.CapsuleWatcher) error
