chore: migrate secrets to vault (#482)

* chore: migrate staging secrets to valult * chore: migrate production secrets to vault * chore: add load_secrets_and_run file * chore: add volumeMounts to the production * chore: remove copying the load_secrets_and_run.sh from Dockerfile * chore: add entrypoint to dockerfile * chore: move EXTRYPOINT to right above CMD * chore: remove dumb-init loading * chore: update the location of load_secrets_and_run.sh * chore: Make the script executable
artsy · Nov 26, 2024 · 516512e · 516512e
1 parent c6abf05
commit 516512e
Show file tree

Hide file tree

Showing 4 changed files with 66 additions and 0 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -29,4 +29,6 @@ RUN cd assets/ && \
     cd - && \
     mix do compile, phx.digest
 
+ENTRYPOINT ["./scripts/load_secrets_and_run.sh"]
+
 CMD ["mix", "phx.server"]
diff --git a/hokusai/production.yml b/hokusai/production.yml
@@ -29,11 +29,33 @@ spec:
         app.kubernetes.io/version: production
       name: aprd-web
     spec:
+      initContainers:
+      - name: setenv
+        image: 585031190124.dkr.ecr.us-east-1.amazonaws.com/fortress:production
+        imagePullPolicy: Always
+        command:
+        - python
+        - src/load/load.py
+        - kubernetes
+        - production
+        - aprd
+        envFrom:
+        - configMapRef:
+            name: secrets-config
+        volumeMounts:
+        - name: secrets
+          mountPath: /secrets
       containers:
       - name: aprd-web
         envFrom:
+        - configMapRef:
+            name: secrets-config
         - configMapRef:
             name: aprd-environment
+        volumeMounts:
+        - name: secrets
+          mountPath: /secrets
+          readOnly: true
         image: 585031190124.dkr.ecr.us-east-1.amazonaws.com/aprd:production
         imagePullPolicy: Always
         ports:
@@ -49,6 +71,7 @@ spec:
         options:
         - name: ndots
           value: '1'
+      serviceAccountName: aprd
       affinity:
         nodeAffinity:
           requiredDuringSchedulingIgnoredDuringExecution:
@@ -58,6 +81,9 @@ spec:
                 operator: In
                 values:
                 - foreground
+      volumes:
+      - name: secrets
+        emptyDir: {}
 ---
 apiVersion: v1
 kind: Service

diff --git a/hokusai/staging.yml b/hokusai/staging.yml
@@ -29,11 +29,33 @@ spec:
         app.kubernetes.io/version: staging
       name: aprd-web
     spec:
+      initContainers:
+      - name: setenv
+        image: 585031190124.dkr.ecr.us-east-1.amazonaws.com/fortress:staging
+        imagePullPolicy: Always
+        command:
+        - python
+        - src/load/load.py
+        - kubernetes
+        - staging
+        - aprd
+        envFrom:
+        - configMapRef:
+            name: secrets-config
+        volumeMounts:
+        - name: secrets
+          mountPath: /secrets
       containers:
       - name: aprd-web
         envFrom:
+        - configMapRef:
+            name: secrets-config
         - configMapRef:
             name: aprd-environment
+        volumeMounts:
+        - name: secrets
+          mountPath: /secrets
+          readOnly: true
         image: 585031190124.dkr.ecr.us-east-1.amazonaws.com/aprd:staging
         imagePullPolicy: Always
         ports:
@@ -49,6 +71,7 @@ spec:
         options:
         - name: ndots
           value: '1'
+      serviceAccountName: aprd
       affinity:
         nodeAffinity:
           requiredDuringSchedulingIgnoredDuringExecution:
@@ -58,6 +81,9 @@ spec:
                 operator: In
                 values:
                 - foreground
+      volumes:
+      - name: secrets
+        emptyDir: {}
 ---
 apiVersion: v1
 kind: Service

diff --git a/scripts/load_secrets_and_run.sh b/scripts/load_secrets_and_run.sh
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+CMD="$@"
+
+if [ ! -z "$SECRETS_FILE" ]
+then
+  echo "SECRETS_FILE env var is defined. Sourcing secrets file..."
+  source "$SECRETS_FILE"
+fi
+
+echo "Running command: $CMD"
+$CMD