
Commit a81abe3

committed
refactor: move the secret creation after the pod is created
The final implementation comes from the following design decision: only create the secret once the pod exists, so we reduce the surface where sensitive data is managed and avoid managing it at all if the pod fails for some reason.
1 parent 274e525 commit a81abe3

1 file changed

+15
-24
lines changed


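--- a/binderhub/build.py
+++ b/binderhub/build.py
@@ -382,20 +382,6 @@ def submit(self):
 
 env = []
 if self.git_credentials:
-secret = client.V1Secret(
-metadata=client.V1ObjectMeta(
-name=self.name,
-labels={
-"name": self.name,
-"component": self._component_label,
-},
-),
-string_data={"credentials": self.git_credentials},
-type="Opaque",
-)
-
-self.api.create_namespaced_secret(self.namespace, secret)
-
 secret_key_ref = client.V1SecretKeySelector(
 name=self.name, key="credentials", optional=False
 )
@@ -511,16 +497,21 @@ def submit(self):
 name=self.pod.metadata.name,
 uid=self.pod.metadata.uid,
 )
-self.api.patch_namespaced_secret(
-namespace=self.namespace,
-name=self.pod.metadata.name,
-body=[
-{
-"op": "replace",
-"path": "/metadata/ownerReferences",
-"value": [owner_reference],
-}
-],
+secret = client.V1Secret(
+metadata=client.V1ObjectMeta(
+name=self.name,
+labels={
+"name": self.name,
+"component": self._component_label,
+},
+owner_references=[owner_reference],
+),
+string_data={"credentials": self.git_credentials},
+type="Opaque",
+)
+
+self.api.create_namespaced_secret(
+self.namespace, secret
 )
 self.progress(
 ProgressEvent.Kind.BUILD_STATUS_CHANGE,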
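Review bot: If `self.api.create_namespaced_secret(self.namespace, secret)` at the end of the second hunk raises (for example a 409 because a secret named `self.name` from an earlier build still exists, or any other API error), the pod created just above it is left behind, and because its env references the secret with `optional=False` (first hunk) that pod can never start — the orphan the commit sets out to avoid has moved from the secret to the pod. Wrap the call so the pod is deleted before re-raising, using whichever API exception class the module already handles for pod creation (the imports are outside this view). Creating the secret after the pod works only because the kubelet keeps retrying container creation until the referenced secret appears, which deserves a comment above the call, e.g. `# The pod already references this secret (optional=False); the kubelet retries container creation until it exists.` The description says the secret is created once the pod is "ready", but the code creates it immediately after the pod object is returned without waiting on readiness; if that is intended, "created" is the accurate word. `submit` starts before the first hunk and continues after the second.
```python
# … unchanged: V1Secret construction with owner_references …
# The pod already references this secret (optional=False); the kubelet
# retries container creation until it exists, so creating it after the
# pod is safe as long as this call succeeds.
try:
    self.api.create_namespaced_secret(self.namespace, secret)
except ApiException:
    # Without its credentials the pod can never start; don't leave it behind.
    self.api.delete_namespaced_pod(self.pod.metadata.name, self.namespace)
    raise
# … unchanged: progress event …
```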
