Configure Auto DevOps deployed applications with secrets from prefixed CI variables
What does this MR do?
Detects any CI variables where the key starts with K8S_SECRET_. If so, create a Kubernetes secret called $CI_ENVIRONMENT_SLUG-secret with those variables in it.
Pass that secret name to the auto-deploy helm chart, which will then load the secret key-value pairs as environment variables in the application pods. The environment variables will have the prefix stripped off.
What are the relevant issue numbers?
https://gitlab.com/gitlab-org/gitlab-ce/issues/49056
Tasks
- Update auto-deploy-app charts/auto-deploy-app!15 (merged)
- Find all env vars beginning with prefix K8S_SECRET_
- Create secret in Auto DevOps
- Pass secret name to Helm
- Update help text in Variables
- Delete secret when environment is stopped
- Add a QA test that uses a K8S secret
Tests
- new QA spec
Manual QA
Scenario 1:
- No K8S_SECRET_* variable
- Run Auto DevOps
- Check deploy succeeded
Scenario 2:
- Create K8S_SECRET_* variables
- Run Auto DevOps
- Check deploy succeeded
- Check new secret created in $KUBE_NAMESPACE with correct values
- Check that application pod has those variables as env vars.
Scenario 3: (see note below)
- Update K8S_SECRET_* variable
- Run Auto DevOps
- Check deploy succeeded
- Check secret is updated
- Check env vars in pod have new values
Scenario 4: (see note below)
- Remove all K8S_SECRET_* variables
- Run Auto DevOps
- Check that secret is not used by pod
- Check pod has no more K8S_SECRET_* based env vars
RESULT: If secret is updated without any code change, then pods will not be terminated. The running pods will not have updated env vars.
I'm not sure it is even desirable for ENV to change for a running pod.
Created followup in https://gitlab.com/gitlab-org/gitlab-ce/issues/55540
Scenario 5:
- Update K8S_SECRET_* variable
- Change some code
- Check Auto DevOps deploy succeeded
- Check secret is updated
- Check env vars in pod have new values
Scenario 6:
- Remove all K8S_SECRET_* variables
- Change some code
- Check Auto DevOps deploy succeeded
- Check secret is updated
- Check pod has no more K8S_SECRET_* based env vars
Stopping review app now removes the review app secret:
$ delete
release "review-hello-bran-ex0z0c" deleted
secret "review-hello-bran-ex0z0c-secret" deleted
Does this MR meet the acceptance criteria?
- Changelog entry added, if necessary
- Documentation created/updated - https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/23970
- Tests added for this feature/bug
- Conforms to the code review guidelines
- Conforms to the merge request performance guidelines
- Conforms to the style guides
- [-] Conforms to the database guides
- [-] Link to e2e tests MR added if this MR has Requires e2e tests label. See the Test Planning Process.
- [-] Security reports checked/validated by reviewer
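
The mechanism described under "What does this MR do?" (collect K8S_SECRET_-prefixed variables, strip the prefix, load them into $CI_ENVIRONMENT_SLUG-secret), sketched as an added example that is not the code from this MR or from the Auto DevOps template. The function names are hypothetical, and refusing multi-line values and invalid names is a choice made in this sketch, not behaviour stated in the MR.

```shell
#!/bin/sh
# Added example; not the Auto DevOps deploy script.
PREFIX="K8S_SECRET_"

# Print NAME=value lines (sorted) for every environment variable whose key
# starts with $PREFIX, prefix stripped. Exits non-zero if any entry is unusable.
k8s_secret_env_lines() {
  awk -v prefix="$PREFIX" 'BEGIN {
    n = length(prefix); rc = 0; sorter = "LC_ALL=C sort"
    for (key in ENVIRON) {
      if (substr(key, 1, n) != prefix) continue
      name = substr(key, n + 1)
      # The stripped name must still be a valid environment variable name.
      if (name !~ /^[A-Za-z_][A-Za-z0-9_]*$/) {
        print "invalid name after stripping prefix: " key > "/dev/stderr"
        rc = 1; continue
      }
      # An env file is line-oriented: a newline would truncate the value or
      # let its remainder be read as a separate KEY=value entry.
      if (index(ENVIRON[key], "\n") > 0) {
        print "multi-line value not supported: " key > "/dev/stderr"
        rc = 1; continue
      }
      print name "=" ENVIRON[key] | sorter
    }
    close(sorter); exit rc
  }'
}

# Create or update <environment slug>-secret in $KUBE_NAMESPACE from those lines.
apply_app_secret() {
  env_file="$(mktemp)" || return 1   # mktemp creates the file with mode 0600
  if ! k8s_secret_env_lines > "$env_file"; then rm -f "$env_file"; return 1; fi
  kubectl create secret generic "${CI_ENVIRONMENT_SLUG}-secret" \
    --namespace "$KUBE_NAMESPACE" --from-env-file="$env_file" \
    --dry-run=client -o yaml | kubectl apply --namespace "$KUBE_NAMESPACE" -f -
  rc=$?
  rm -f "$env_file"                  # never leave secret values on the runner
  return "$rc"
}

# Only talks to the cluster when invoked as: sh this-script.sh apply
if [ "${1:-}" = "apply" ]; then apply_app_secret; fi
```

Error messages name only the offending key, so secret values do not end up in the job log.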