// createSecretsUnit creates a unit used to extract secrets from vault
func (e *dockerEngine) createSecretsExecStartPre(t *jobs.Task, containerImage string, env map[string]string, scalingGroup uint) ([]cmdline.Cmdline, error) {
if len(t.Secrets) == 0 {
// No secrets to extract
return nil, nil
}
// Create all secret extraction commands
jobID := t.JobID()
if jobID == "" {
return nil, maskAny(fmt.Errorf("job ID missing for job %s with secrets", t.JobName()))
}
// Prepare volume paths
secretsRoot := secretsRootPath(t, scalingGroup)
secretsRootVol := fmt.Sprintf("%s:%s", secretsRoot, secretsRoot)
vaultCrtVol := "/etc/pulcy/vault.crt:/etc/pulcy/vault.crt:ro"
clusterIdVol := "/etc/pulcy/cluster-id:/etc/pulcy/cluster-id:ro"
machineIdVol := "/etc/machine-id:/etc/machine-id:ro"
var cmds []cmdline.Cmdline
cmds = append(cmds,
*cmdline.New(nil, "/usr/bin/mkdir", "-p", secretsRoot),
e.pullCmd(containerImage),
)
envPaths := []string{}
for _, secret := range t.Secrets {
if ok, _ := secret.TargetFile(); ok {
targetPath, err := secretFilePath(t, scalingGroup, secret)
if err != nil {
return nil, maskAny(err)
}
var cmd cmdline.Cmdline
cmd.Add(nil, e.dockerPath, "run", "--rm")
//cmd.Add(env, fmt.Sprintf("--name %s-sc", t.containerName(ctx.ScalingGroup)))
cmd.Add(env, "--net=host")
cmd.Add(env, "-v "+secretsRootVol)
cmd.Add(env, "-v "+vaultCrtVol)
cmd.Add(env, "-v "+clusterIdVol)
cmd.Add(env, "-v "+machineIdVol)
cmd.Add(env, "--env-file /etc/pulcy/vault.env")
/*if ctx.DockerOptions.EnvFile != "" {
cmd.Add(env,fmt.Sprintf("--env-file=%s", ctx.DockerOptions.EnvFile))
}*/
for _, arg := range t.LogDriver.CreateDockerLogArgs(e.options) {
cmd.Add(env, arg)
}
cmd.Add(env, containerImage)
cmd.Add(nil, "extract", "file")
cmd.Add(env, "--target "+targetPath)
cmd.Add(env, "--job-id "+jobID)
cmd.Add(env, secret.VaultPath())
cmds = append(cmds, cmd)
} else if ok, environmentKey := secret.TargetEnviroment(); ok {
envPaths = append(envPaths, fmt.Sprintf("%s=%s", environmentKey, secret.VaultPath()))
}
}
if len(envPaths) > 0 {
targetPath := secretEnvironmentPath(t, scalingGroup)
var cmd cmdline.Cmdline
cmd.Add(nil, e.dockerPath, "run", "--rm")
//cmd.Add(env, fmt.Sprintf("--name %s-sc", t.containerName(ctx.ScalingGroup)))
cmd.Add(env, "--net=host")
cmd.Add(env, "-v "+secretsRootVol)
cmd.Add(env, "-v "+vaultCrtVol)
cmd.Add(env, "-v "+clusterIdVol)
cmd.Add(env, "-v "+machineIdVol)
cmd.Add(env, "--env-file /etc/pulcy/vault.env")
/*if ctx.DockerOptions.EnvFile != "" {
cmd.Add(env, fmt.Sprintf("--env-file=%s", ctx.DockerOptions.EnvFile))
}*/
for _, arg := range t.LogDriver.CreateDockerLogArgs(e.options) {
cmd.Add(env, arg)
}
cmd.Add(env, containerImage)
cmd.Add(nil, "extract", "env")
cmd.Add(env, "--target "+targetPath)
cmd.Add(env, "--job-id "+jobID)
for _, envPath := range envPaths {
cmd.Add(env, envPath)
}
cmds = append(cmds, cmd)
}
return cmds, nil
}
// CreateFleetAfter creates a list of unit names to add to the `After` setting of each unit of the given task.
func addFleetOptions(t *jobs.Task, fleetOptions cluster.FleetOptions, unit *sdunits.Unit) {
jobName := t.JobName()
unit.ExecOptions.After(excludeUnitsOfJob(jobName, fleetOptions.After)...)
unit.ExecOptions.Want(excludeUnitsOfJob(jobName, fleetOptions.Wants)...)
unit.ExecOptions.Require(excludeUnitsOfJob(jobName, fleetOptions.Requires)...)
}
