-
Notifications
You must be signed in to change notification settings - Fork 85
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(secrets): begin migration to secret manager from keystore #587
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Trampoline V2 will pass down KOKORO_GFILE_DIR
and it's content, so as long as your Kokoro job has the configuration for the bucket, it should be fine.
synthtool/gcp/templates/node_library/.kokoro/populate-secrets.sh
Outdated
Show resolved
Hide resolved
synthtool/gcp/templates/node_library/.kokoro/release/publish.cfg
Outdated
Show resolved
Hide resolved
synthtool/gcp/templates/node_library/.kokoro/populate-secrets.sh
Outdated
Show resolved
Hide resolved
Here's an example of the approach outlined here in action: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is the kokoro-trampoline.service-account.json file in place and ready to go?
277695b
to
8a68efb
Compare
8a68efb
to
12b4d97
Compare
mkdir -p ${SECRET_LOCATION} | ||
for key in $(echo ${SECRET_MANAGER_KEYS} | sed "s/,/ /g") | ||
do | ||
docker run --entrypoint=gcloud \ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Suggestion:
Docker runs with uid 0 by default. It will likely create root owned files which might be ok, but who knows.
I'd try detecting uid and gid then pass --user
flag.
user_uid="$(id -u)"
user_gid="$(id -g)"
# then pass
--user "${user_uid}:${user_gid}"
WDYT?
This work begins migrating secrets for Node.js from keystore to Secret Manager.
After discussing a few possible approaches with @chingor13, @tmatsuo, and @busunkim96, I ultimately landed on the dead simple approach of:
I think the only impact this has on Trampoline V2, is that we might want to use a service account made specifically for this purpose.