Merge pull request #945 from benja-M-1/feat/gcp-secrets
Add secrets deployment for GCP
This commit is contained in:
commit
af1d06f503
@ -22,6 +22,7 @@
|
|||||||
- [gcp/gcr](./gcp/gcr.md) - Google Container Registry
|
- [gcp/gcr](./gcp/gcr.md) - Google Container Registry
|
||||||
- [gcp/gcs](./gcp/gcs.md) - Google Cloud Storage
|
- [gcp/gcs](./gcp/gcs.md) - Google Cloud Storage
|
||||||
- [gcp/gke](./gcp/gke.md) - Google Kubernetes Engine
|
- [gcp/gke](./gcp/gke.md) - Google Kubernetes Engine
|
||||||
|
- [gcp/secretmanager](./gcp/secretmanager.md) - Google Cloud Secret Manager
|
||||||
- [git](./git.md) - Git operations
|
- [git](./git.md) - Git operations
|
||||||
- [go](./go.md) - Go build operations
|
- [go](./go.md) - Go build operations
|
||||||
- [io](./io.md) - IO operations
|
- [io](./io.md) - IO operations
|
||||||
|
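--- /dev/null
+++ b/stdlib/.dagger/env/google-secretmanager/.gitignore
@@ -0,0 +1,2 @@
+# dagger state
+state/**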
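--- /dev/null
+++ b/stdlib/.dagger/env/google-secretmanager/values.yaml
@@ -0,0 +1,32 @@
+plan:
+package: ./gcp/secretmanager/tests
+name: google-secretmanager
+inputs:
+TestConfig.gcpConfig.project:
+text: dagger-ci
+TestConfig.gcpConfig.region:
+text: us-west2
+TestConfig.gcpConfig.serviceKey:
+secret: ENC[AES256_GCM,data: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,iv:9zRiKDjj3+9EuxGHKB12jPwtXlgywxZyX7ICqMhhvi4=,tag:COyZPIEfsgOau2EOUX1vHg==,type:str]
+TestSecrets.secret.secrets.databasePassword:
+secret: ENC[AES256_GCM,data:DxIcSy5UGvpDnQ==,iv:N7FD6qr51mRyie0UE/2c4IBONT82hzLUYHnz9zMiQVM=,tag:rAx37nTySZckFIV2vwWk1A==,type:str]
+sops:
+kms: []
+gcp_kms: []
+azure_kv: []
+hc_vault: []
+age:
+- recipient: age1gxwmtwahzwdmrskhf90ppwlnze30lgpm056kuesrxzeuyclrwvpsupwtpk
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhenNyZzhOL3pwU2Y2SGsv
+NGh1QTR0U1FMNUhlRUl2cGQ2amxYSk9tNFVvCjMrbm1WMkdiSEJ1KytlQU9Nelpn
+ZmZIUVMxSWo4aVFrQ1MxekM2ZzNhS1kKLS0tIG5IeFNOdGJWN2hoeFMvSHJkYU1a
+QTN1MDlNNzNIQVZ2ZXZjUlV1QU1va1EK/R4z69dd8mpiez6qQVgHXnvybc5qjZcC
+p5GXZhUP2Y0/9rfRXy+Nwb7dT4LnhPuXLNFFZqTzm0V+aM+AkckrLg==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2021-09-06T14:44:22Z"
+mac: ENC[AES256_GCM,data:wA4G51q9aEBX7ra0bVI9EMOBWEwYxpq6ysnJg52pM8hyK3XFS2xczPv5pFCsylNcrmf03TaTDvK+nj5GTu2TJ+3+LQgPj36eocbK5b2PtvNAzIrbr+r9IXSFCvBEePKpfcIltTnUE1vfGBRIeQIwuv7hNjH3FW9K3+ank5h8m0M=,iv:e86qrZ4uf9bSRv3diMW8b0jG31AeNmPkX2r4BGHRdQY=,tag:fpnL1/Q6DwGi9Ys/z/Gv2A==,type:str]
+pgp: []
+encrypted_suffix: secret
+version: 3.7.1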
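--- /dev/null
+++ b/stdlib/gcp/secretmanager/secrets.cue
@@ -0,0 +1,76 @@
+// Google Cloud Secret Manager
+package secretmanager
+
+import (
+"alpha.dagger.io/dagger"
+"alpha.dagger.io/dagger/op"
+"alpha.dagger.io/gcp"
+"alpha.dagger.io/os"
+)
+
+#Secrets: {
+// GCP Config
+config: gcp.#Config
+
+// Map of secrets
+secrets: [name=string]: dagger.#Secret
+
+// Deploy encrypted secrets
+deployment: os.#Container & {
+image: gcp.#GCloud & {"config": config}
+shell: path: "/bin/bash"
+always: true
+
+for name, s in secrets {
+secret: "/tmp/secrets/\(name)": s
+}
+
+command: #"""
+# Loop on all files, including hidden files
+shopt -s dotglob
+echo "{}" > /tmp/output.json
+for FILE in /tmp/secrets/*; do
+BOOL=0 # Boolean
+gcloud secrets describe "${FILE##*/}" 2>/dev/null > /dev/null
+status=$?
+
+# If secret not found
+if [[ ! "${status}" -eq 0 ]]; then
+(\
+RES=$(gcloud secrets create "${FILE##*/}" --replication-policy automatic --data-file "${FILE}" --format='value(name)' | sed -n '1!p') \
+&& cat <<< $(cat /tmp/output.json | jq ".|.\"${FILE##*/}\"=\"$RES\"") > /tmp/output.json \
+) || (echo "Error while creating secret ${FILE##*/}" >&2 && exit 1)
+BOOL=1
+else
+(\
+RES=$(gcloud secrets versions add "${FILE##*/}" --data-file "${FILE}" --format='value(name)' | sed -n '1!p') \
+&& cat <<< $(cat /tmp/output.json | jq ".|.\"${FILE##*/}\"=\"$RES\"") > /tmp/output.json \
+) || (echo "Error while updating secret ${FILE##*/}" >&2 && exit 1)
+BOOL=1
+fi
+if [ $BOOL -eq 0 ]; then
+(\
+RES=$(gcloud secrets describe "${FILE##*/}" --format='value(name)') \
+&& cat <<< $(cat /tmp/output.json | jq ".|.\"${FILE##*/}\"=\"$RES\"") > /tmp/output.json \
+) || (echo "Error while retrieving secret ${FILE##*/}" >&2 && exit 1)
+fi
+done
+"""#
+}
+
+// dynamic references
+references: {
+[string]: string
+}
+
+references: #up: [
+op.#Load & {
+from: deployment
+},
+
+op.#Export & {
+source: "/tmp/output.json"
+format: "json"
+},
+]
+}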
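Review bot: The failure handlers in the `command` script, `) || (echo "Error while creating secret ${FILE##*/}" >&2 && exit 1)` and the two matching ones for update and retrieve, run `exit 1` inside a subshell, so a failed `gcloud` call only prints a message while the loop and the container continue and exit 0, leaving `references` silently incomplete. Two smaller issues sit in the same loop: `RES=$(gcloud ... | sed -n '1!p')` takes sed's exit status rather than gcloud's because `pipefail` is not set, and the `if [ $BOOL -eq 0 ]` retrieve branch is unreachable since both preceding branches set `BOOL=1`. The secret name and the returned resource name are also spliced into the jq program text (`jq ".|.\"${FILE##*/}\"=\"$RES\""`), so a name containing a quote breaks the filter; `jq --arg` avoids that. A rewrite with `set -euo pipefail`, brace groups instead of subshells on the failure path, a single describe-or-create decision and `jq --arg` addresses all of these; `sed -n '1!p'` is kept unchanged because the first output line of `gcloud secrets create`/`versions add` that it drops is not visible here.
```cue
deployment: os.#Container & {
    // … unchanged: image, shell, always, secret mounts …
    command: #"""
        set -euo pipefail
        # Loop on all files, including hidden files; nullglob keeps an empty /tmp/secrets from iterating a literal "*"
        shopt -s dotglob nullglob
        echo "{}" > /tmp/output.json
        for FILE in /tmp/secrets/*; do
            NAME="${FILE##*/}"
            if gcloud secrets describe "${NAME}" > /dev/null 2>&1; then
                RES=$(gcloud secrets versions add "${NAME}" --data-file "${FILE}" --format='value(name)' | sed -n '1!p') \
                    || { echo "Error while updating secret ${NAME}" >&2; exit 1; }
            else
                RES=$(gcloud secrets create "${NAME}" --replication-policy automatic --data-file "${FILE}" --format='value(name)' | sed -n '1!p') \
                    || { echo "Error while creating secret ${NAME}" >&2; exit 1; }
            fi
            # Pass both values as jq variables so names never become part of the filter program
            jq --arg k "${NAME}" --arg v "${RES}" '.[$k] = $v' /tmp/output.json > /tmp/output.json.new \
                && mv /tmp/output.json.new /tmp/output.json
        done
        """#
```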
|
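--- /dev/null
+++ b/stdlib/gcp/secretmanager/tests/secrets.cue
@@ -0,0 +1,33 @@
+package secretmanager
+
+import (
+"alpha.dagger.io/dagger"
+"alpha.dagger.io/gcp"
+"alpha.dagger.io/gcp/secretmanager"
+"alpha.dagger.io/os"
+)
+
+TestConfig: gcpConfig: gcp.#Config
+
+TestSecrets: {
+secret: secretmanager.#Secrets & {
+config: TestConfig.gcpConfig
+secrets: {
+databasePassword: dagger.#Secret @dagger(input)
+}
+}
+
+if len(secret.references) > 0 {
+cleanup: os.#Container & {
+image: gcp.#GCloud & {
+config: TestConfig.gcpConfig
+}
+shell: path: "/bin/bash"
+always: true
+
+command: #"""
+gcloud -q secrets delete databasePassword
+"""#
+}
+}
+}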
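Review bot: `cleanup` hard-codes the secret name in `gcloud -q secrets delete databasePassword`, duplicating the key declared under `secrets:` a few lines above, so any secret added to that map later is deployed by the test but never removed from the project. Deriving the delete list from the map keys (a CUE comprehension over `secret.secrets` that builds the command, or a loop in the script over names mounted by the deployment) keeps the two in sync. The `if len(secret.references) > 0` guard ties cleanup to the deployment output, but since the test deploys into a fixed project with a fixed global secret name, two runs overlapping in time would presumably operate on the same resource; that is inferred from values.yaml in this PR rather than visible in this file.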
|
@ -172,6 +172,16 @@ setup() {
|
|||||||
dagger -e google-gke up
|
dagger -e google-gke up
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@test "google cloud: secretmanager" {
|
||||||
|
run dagger -e google-secretmanager up
|
||||||
|
assert_success
|
||||||
|
|
||||||
|
# ensure the secret has been created
|
||||||
|
run dagger query -e google-secretmanager TestSecrets.secret.references.databasePassword -f text
|
||||||
|
assert_success
|
||||||
|
assert_output --regexp '^projects\/[0-9]+\/secrets\/databasePassword'
|
||||||
|
}
|
||||||
|
|
||||||
@test "google cloud: cloudrun" {
|
@test "google cloud: cloudrun" {
|
||||||
dagger -e google-cloudrun up
|
dagger -e google-cloudrun up
|
||||||
}
|
}
|
||||||
|