Skip to content

Commit

Permalink
refactor: move the secret creation after the pod is created
Browse files Browse the repository at this point in the history 
The final implementation comes from the following design decision:
Only create the secret once the pod is ready so we reduce the surface
were sensitive data is managed and avoid its management if the pod fails
for some reason.
  • Loading branch information
@sgaist
sgaist committed Dec 5, 2022
1 parent 274e525 commit a81abe3
Showing 1 changed file with 15 additions and 24 deletions.
39 changes: 15 additions & 24 deletions binderhub/build.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -382,20 +382,6 @@ def submit(self):

env = []
if self.git_credentials:
secret = client.V1Secret(
metadata=client.V1ObjectMeta(
name=self.name,
labels={
"name": self.name,
"component": self._component_label,
},
),
string_data={"credentials": self.git_credentials},
type="Opaque",
)

self.api.create_namespaced_secret(self.namespace, secret)

secret_key_ref = client.V1SecretKeySelector(
name=self.name, key="credentials", optional=False
)
Expand Down Expand Up @@ -511,16 +497,21 @@ def submit(self):
name=self.pod.metadata.name,
uid=self.pod.metadata.uid,
)
self.api.patch_namespaced_secret(
namespace=self.namespace,
name=self.pod.metadata.name,
body=[
{
"op": "replace",
"path": "/metadata/ownerReferences",
"value": [owner_reference],
}
],
secret = client.V1Secret(
metadata=client.V1ObjectMeta(
name=self.name,
labels={
"name": self.name,
"component": self._component_label,
},
owner_references=[owner_reference],
),
string_data={"credentials": self.git_credentials},
type="Opaque",
)

self.api.create_namespaced_secret(
self.namespace, secret
)
self.progress(
ProgressEvent.Kind.BUILD_STATUS_CHANGE,
Expand Down

0 comments on commit a81abe3

Please sign in to comment.