Add secrets deployment for GCP
Signed-off-by: Benjamin Grandfond <benjamin.grandfond@gmail.com>
committed by
Sam Alba
parent
f29de14a2f
commit
45ea30da55
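--- a/stdlib/gcp/secretmanager/secrets.cue
+++ b/stdlib/gcp/secretmanager/secrets.cue
@@ -0,0 +1,76 @@
+// Google Cloud Secret Manager
+package secretmanager
+
+import (
+"alpha.dagger.io/dagger"
+"alpha.dagger.io/dagger/op"
+"alpha.dagger.io/gcp"
+"alpha.dagger.io/os"
+)
+
+#Secrets: {
+// GCP Config
+config: gcp.#Config
+
+// Map of secrets
+secrets: [name=string]: dagger.#Secret
+
+// Deploy encrypted secrets
+deployment: os.#Container & {
+image: gcp.#GCloud & {"config": config}
+shell: path: "/bin/bash"
+always: true
+
+for name, s in secrets {
+secret: "/tmp/secrets/\(name)": s
+}
+
+command: #"""
+# Loop on all files, including hidden files
+shopt -s dotglob
+echo "{}" > /tmp/output.json
+for FILE in /tmp/secrets/*; do
+BOOL=0 # Boolean
+gcloud secrets describe "${FILE##*/}" 2>/dev/null > /dev/null
+status=$?
+
+# If secret not found
+if [[ ! "${status}" -eq 0 ]]; then
+(\
+RES=$(gcloud secrets create "${FILE##*/}" --replication-policy automatic --data-file "${FILE}" --format='value(name)' | sed -n '1!p') \
+&& cat <<< $(cat /tmp/output.json | jq ".|.\"${FILE##*/}\"=\"$RES\"") > /tmp/output.json \
+) || (echo "Error while creating secret ${FILE##*/}" >&2 && exit 1)
+BOOL=1
+else
+(\
+RES=$(gcloud secrets versions add "${FILE##*/}" --data-file "${FILE}" --format='value(name)' | sed -n '1!p') \
+&& cat <<< $(cat /tmp/output.json | jq ".|.\"${FILE##*/}\"=\"$RES\"") > /tmp/output.json \
+) || (echo "Error while updating secret ${FILE##*/}" >&2 && exit 1)
+BOOL=1
+fi
+if [ $BOOL -eq 0 ]; then
+(\
+RES=$(gcloud secrets describe "${FILE##*/}" --format='value(name)') \
+&& cat <<< $(cat /tmp/output.json | jq ".|.\"${FILE##*/}\"=\"$RES\"") > /tmp/output.json \
+) || (echo "Error while retrieving secret ${FILE##*/}" >&2 && exit 1)
+fi
+done
+"""#
+}
+
+// dynamic references
+references: {
+[string]: string
+}
+
+references: #up: [
+op.#Load & {
+from: deployment
+},
+
+op.#Export & {
+source: "/tmp/output.json"
+format: "json"
+},
+]
+}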
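Review bot: The error branches in `command` never abort the deployment: each `exit 1` runs inside a `( ... )` subshell, so only that subshell exits and the `for FILE` loop moves on to the next file, and the `gcloud ... | sed -n '1!p'` pipelines report sed's status, so a failed `secrets create` or `versions add` leaves `RES` empty and the `||` branch is never taken. The script sets neither `set -e` nor `pipefail`, the `if [ $BOOL -eq 0 ]` block is unreachable because both preceding branches set `BOOL=1`, and the jq filter is built by interpolating the secret name and `$RES` into the program text, which breaks on names containing quotes or backslashes; pass them with `--arg` instead. The `2>/dev/null` on `secrets describe` also makes an auth or permission error indistinguishable from "not found", so the script then attempts a create that fails in turn. The loop body below fixes the propagation and drops the dead `BOOL` branch.
```shell
set -euo pipefail
shopt -s dotglob
echo "{}" > /tmp/output.json
for FILE in /tmp/secrets/*; do
    NAME="${FILE##*/}"
    if ! gcloud secrets describe "${NAME}" >/dev/null 2>&1; then
        RES=$(gcloud secrets create "${NAME}" --replication-policy automatic --data-file "${FILE}" --format='value(name)' | sed -n '1!p') \
            || { echo "Error while creating secret ${NAME}" >&2; exit 1; }
    else
        RES=$(gcloud secrets versions add "${NAME}" --data-file "${FILE}" --format='value(name)' | sed -n '1!p') \
            || { echo "Error while updating secret ${NAME}" >&2; exit 1; }
    fi
    jq --arg k "${NAME}" --arg v "${RES}" '.[$k] = $v' /tmp/output.json > /tmp/output.json.tmp \
        && mv /tmp/output.json.tmp /tmp/output.json
done
```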
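--- a/stdlib/gcp/secretmanager/tests/secrets.cue
+++ b/stdlib/gcp/secretmanager/tests/secrets.cue
@@ -0,0 +1,33 @@
+package secretmanager
+
+import (
+"alpha.dagger.io/dagger"
+"alpha.dagger.io/gcp"
+"alpha.dagger.io/gcp/secretmanager"
+"alpha.dagger.io/os"
+)
+
+TestConfig: gcpConfig: gcp.#Config
+
+TestSecrets: {
+secret: secretmanager.#Secrets & {
+config: TestConfig.gcpConfig
+secrets: {
+databasePassword: dagger.#Secret @dagger(input)
+}
+}
+
+if len(secret.references) > 0 {
+cleanup: os.#Container & {
+image: gcp.#GCloud & {
+config: TestConfig.gcpConfig
+}
+shell: path: "/bin/bash"
+always: true
+
+command: #"""
+gcloud -q secrets delete databasePassword
+"""#
+}
+}
+}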
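Review bot: The `cleanup` container deletes a hardcoded `databasePassword`, duplicating the key of `secret.secrets`, so adding a second entry to the map would leave that secret behind in the project after the test. Deriving the names from the map, e.g. building the command from `[for k, _ in secret.secrets {k}]`, keeps the two in step. The `len(secret.references) > 0` guard also appears to skip cleanup whenever the deployment exported nothing, so a run that fails after creating the secret would leave it in place; a comment on the guard such as `// cleanup only runs after a successful deployment` would make that trade-off explicit if it is intended.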