docker
/
docs
mirror of https://github.com/docker/docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #15294 from crazy-max/releaser-secrets 

releaser: simplify access to env or secrets
This commit is contained in:
Sebastiaan van Stijn 2022-08-11 14:19:05 +02:00 committed by GitHub
parent 13ee3ff426 278cae8ad0
commit cfa7e322d7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 40 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
_releaser/Dockerfile
View File

@ -24,7 +24,6 @@ FROM base AS netlify-remove
ARG NETLIFY_SITE_NAME ARG NETLIFY_SITE_NAME
RUN --mount=type=bind,from=releaser,source=/out/releaser,target=/usr/bin/releaser \ RUN --mount=type=bind,from=releaser,source=/out/releaser,target=/usr/bin/releaser \
--mount=type=secret,id=NETLIFY_AUTH_TOKEN \ --mount=type=secret,id=NETLIFY_AUTH_TOKEN \
NETLIFY_AUTH_TOKEN=$(cat /run/secrets/NETLIFY_AUTH_TOKEN) \
releaser netlify remove releaser netlify remove
FROM base AS netlify-deploy FROM base AS netlify-deploy
@ -33,10 +32,7 @@ RUN --mount=type=bind,from=sitedir,target=/site \
--mount=type=bind,from=releaser,source=/out/releaser,target=/usr/bin/releaser \ --mount=type=bind,from=releaser,source=/out/releaser,target=/usr/bin/releaser \
--mount=type=secret,id=NETLIFY_AUTH_TOKEN \ --mount=type=secret,id=NETLIFY_AUTH_TOKEN \
--mount=type=secret,id=NETLIFY_ACCOUNT_SLUG \ --mount=type=secret,id=NETLIFY_ACCOUNT_SLUG \
NETLIFY_AUTH_TOKEN=$(cat /run/secrets/NETLIFY_AUTH_TOKEN) \ NETLIFY_DIR=/site releaser netlify deploy
NETLIFY_ACCOUNT_SLUG=$(cat /run/secrets/NETLIFY_ACCOUNT_SLUG) \
NETLIFY_DIR=/site \
releaser netlify deploy
FROM base AS aws-s3-update-config FROM base AS aws-s3-update-config
ARG AWS_REGION ARG AWS_REGION
@ -46,8 +42,6 @@ RUN --mount=type=bind,target=. \
--mount=type=bind,from=releaser,source=/out/releaser,target=/usr/bin/releaser \ --mount=type=bind,from=releaser,source=/out/releaser,target=/usr/bin/releaser \
--mount=type=secret,id=AWS_ACCESS_KEY_ID \ --mount=type=secret,id=AWS_ACCESS_KEY_ID \
--mount=type=secret,id=AWS_SECRET_ACCESS_KEY \ --mount=type=secret,id=AWS_SECRET_ACCESS_KEY \
AWS_ACCESS_KEY_ID=$(cat /run/secrets/AWS_ACCESS_KEY_ID) \
AWS_SECRET_ACCESS_KEY=$(cat /run/secrets/AWS_SECRET_ACCESS_KEY) \
releaser aws s3-update-config releaser aws s3-update-config
FROM base AS aws-lambda-invoke FROM base AS aws-lambda-invoke
@ -56,6 +50,4 @@ ARG AWS_LAMBDA_FUNCTION
RUN --mount=type=bind,from=releaser,source=/out/releaser,target=/usr/bin/releaser \ RUN --mount=type=bind,from=releaser,source=/out/releaser,target=/usr/bin/releaser \
--mount=type=secret,id=AWS_ACCESS_KEY_ID \ --mount=type=secret,id=AWS_ACCESS_KEY_ID \
--mount=type=secret,id=AWS_SECRET_ACCESS_KEY \ --mount=type=secret,id=AWS_SECRET_ACCESS_KEY \
AWS_ACCESS_KEY_ID=$(cat /run/secrets/AWS_ACCESS_KEY_ID) \
AWS_SECRET_ACCESS_KEY=$(cat /run/secrets/AWS_SECRET_ACCESS_KEY) \
releaser aws lambda-invoke releaser aws lambda-invoke

23
_releaser/aws.go
View File

@ -7,6 +7,7 @@ import (
"log" "log"
"github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/credentials"
"github.com/aws/aws-sdk-go/aws/session" "github.com/aws/aws-sdk-go/aws/session"
"github.com/aws/aws-sdk-go/service/lambda" "github.com/aws/aws-sdk-go/service/lambda"
"github.com/aws/aws-sdk-go/service/s3" "github.com/aws/aws-sdk-go/service/s3"
@ -36,8 +37,9 @@ func (s *AwsS3UpdateConfigCmd) Run() error {
} }
sess, err := session.NewSession(&aws.Config{ sess, err := session.NewSession(&aws.Config{
Region: aws.String(s.Region)}, Credentials: awsCredentials(),
) Region: aws.String(s.Region),
})
svc := s3.New(sess) svc := s3.New(sess)
@ -67,7 +69,8 @@ func (s *AwsLambdaInvokeCmd) Run() error {
svc := lambda.New(session.Must(session.NewSessionWithOptions(session.Options{ svc := lambda.New(session.Must(session.NewSessionWithOptions(session.Options{
SharedConfigState: session.SharedConfigEnable, SharedConfigState: session.SharedConfigEnable,
})), &aws.Config{ })), &aws.Config{
Region: aws.String(s.Region), Credentials: awsCredentials(),
Region: aws.String(s.Region),
}) })
_, err := svc.Invoke(&lambda.InvokeInput{ _, err := svc.Invoke(&lambda.InvokeInput{
@ -80,3 +83,17 @@ func (s *AwsLambdaInvokeCmd) Run() error {
log.Printf("INFO: lambda function %q invoked successfully\n", s.LambdaFunction) log.Printf("INFO: lambda function %q invoked successfully\n", s.LambdaFunction)
return nil return nil
} }
func awsCredentials() *credentials.Credentials {
return credentials.NewChainCredentials(
[]credentials.Provider{
&credentials.StaticProvider{
Value: credentials.Value{
AccessKeyID: getEnvOrSecret("AWS_ACCESS_KEY_ID"),
SecretAccessKey: getEnvOrSecret("AWS_SECRET_ACCESS_KEY"),
SessionToken: getEnvOrSecret("AWS_SESSION_TOKEN"),
},
},
},
)
}

14
_releaser/main.go
View File

@ -2,6 +2,8 @@ package main
import ( import (
"log" "log"
"os"
"path/filepath"
"github.com/alecthomas/kong" "github.com/alecthomas/kong"
) )
@ -29,3 +31,15 @@ func main() {
})) }))
ctx.FatalIfErrorf(ctx.Run()) ctx.FatalIfErrorf(ctx.Run())
} }
// getEnvOrSecret retrieves secret's value from secret file or env
func getEnvOrSecret(name string) string {
if v, ok := os.LookupEnv(name); ok {
return v
}
b, err := os.ReadFile(filepath.Join("/run/secrets", name))
if err != nil {
return ""
}
return string(b)
}

12
_releaser/netlify.go
View File

@ -23,8 +23,7 @@ type NetlifyCmd struct {
} }
type netlifyGlobalFlags struct { type netlifyGlobalFlags struct {
SiteName string `kong:"name='site-name',env='NETLIFY_SITE_NAME'"` SiteName string `kong:"name='site-name',env='NETLIFY_SITE_NAME'"`
AuthToken string `kong:"name='auth-token',env='NETLIFY_AUTH_TOKEN'"`
} }
type NetlifyRemoveCmd struct { type NetlifyRemoveCmd struct {
@ -33,7 +32,7 @@ type NetlifyRemoveCmd struct {
func (s *NetlifyRemoveCmd) Run() error { func (s *NetlifyRemoveCmd) Run() error {
siteName := cleanSiteName(s.SiteName) siteName := cleanSiteName(s.SiteName)
c := newNetlifyClient(s.AuthToken) c := newNetlifyClient(getEnvOrSecret("NETLIFY_AUTH_TOKEN"))
site, err := c.getSite(siteName) site, err := c.getSite(siteName)
if err != nil { if err != nil {
return fmt.Errorf("failed to get site %q: %w", siteName, err) return fmt.Errorf("failed to get site %q: %w", siteName, err)
@ -47,8 +46,7 @@ func (s *NetlifyRemoveCmd) Run() error {
type NetlifyDeployCmd struct { type NetlifyDeployCmd struct {
netlifyGlobalFlags netlifyGlobalFlags
AccountSlug string `kong:"name='account-slug',env='NETLIFY_ACCOUNT_SLUG'"` PublishDir string `kong:"name='publish-dir',env='NETLIFY_PUBLISH_DIR'"`
PublishDir string `kong:"name='publish-dir',env='NETLIFY_PUBLISH_DIR'"`
} }
func (s *NetlifyDeployCmd) Run() error { func (s *NetlifyDeployCmd) Run() error {
@ -59,11 +57,11 @@ func (s *NetlifyDeployCmd) Run() error {
} }
siteName := cleanSiteName(s.SiteName) siteName := cleanSiteName(s.SiteName)
c := newNetlifyClient(s.AuthToken) c := newNetlifyClient(getEnvOrSecret("NETLIFY_AUTH_TOKEN"))
site, err := c.CreateSite(c.ctx, &netlify.SiteSetup{ site, err := c.CreateSite(c.ctx, &netlify.SiteSetup{
Site: netlify.Site{ Site: netlify.Site{
AccountSlug: s.AccountSlug, AccountSlug: getEnvOrSecret("NETLIFY_ACCOUNT_SLUG"),
Name: siteName, Name: siteName,
}, },
}, false) }, false)