From a81abe3e1547b3a9024f09e3e1ce31b7eedca7d1 Mon Sep 17 00:00:00 2001
From: Samuel Gaist
Date: Mon, 5 Dec 2022 17:17:21 +0100
Subject: [PATCH] refactor: move the secret creation after the pod is created

The final implementation comes from the following design decision: Only create the secret once the pod is ready so we reduce the surface were sensitive data is managed and avoid its management if the pod fails for some reason.
---
 binderhub/build.py | 39 +++++++++++++++------------------------
 1 file changed, 15 insertions(+), 24 deletions(-)

diff --git a/binderhub/build.py b/binderhub/build.py
index 60f73599c..0f6de094d 100644
--- a/binderhub/build.py
+++ b/binderhub/build.py
@@ -382,20 +382,6 @@ def submit(self):
         env = []
         if self.git_credentials:
-            secret = client.V1Secret(
-                metadata=client.V1ObjectMeta(
-                    name=self.name,
-                    labels={
-                        "name": self.name,
-                        "component": self._component_label,
-                    },
-                ),
-                string_data={"credentials": self.git_credentials},
-                type="Opaque",
-            )
-
-            self.api.create_namespaced_secret(self.namespace, secret)
-
             secret_key_ref = client.V1SecretKeySelector(
                 name=self.name, key="credentials", optional=False
             )
@@ -511,16 +497,21 @@ def submit(self):
                 name=self.pod.metadata.name,
                 uid=self.pod.metadata.uid,
             )
-            self.api.patch_namespaced_secret(
-                namespace=self.namespace,
-                name=self.pod.metadata.name,
-                body=[
-                    {
-                        "op": "replace",
-                        "path": "/metadata/ownerReferences",
-                        "value": [owner_reference],
-                    }
-                ],
+            secret = client.V1Secret(
+                metadata=client.V1ObjectMeta(
+                    name=self.name,
+                    labels={
+                        "name": self.name,
+                        "component": self._component_label,
+                    },
+                    owner_references=[owner_reference],
+                ),
+                string_data={"credentials": self.git_credentials},
+                type="Opaque",
+            )
+
+            self.api.create_namespaced_secret(
+                self.namespace, secret
             )
             self.progress(
                 ProgressEvent.Kind.BUILD_STATUS_CHANGE,
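Review bot: A failure of the new `create_namespaced_secret` call in the second hunk is not handled, and the pod it now runs after is left behind: the first hunk keeps `secret_key_ref` with `optional=False` pointing at a secret named `self.name`, so if the create fails (for example a 409 because a same-named secret from a previous build is still waiting for garbage collection) the already-submitted pod never gets its credentials and sits unstarted instead of failing the build. The commit description says the secret is created "once the pod is ready", but the code creates it immediately after submission (the owner reference is built from `self.pod.metadata`, so the pod object exists, readiness is not awaited); a comment such as `# Created after the pod so it can carry an ownerReference and be garbage-collected with the pod; the pod blocks on this secret (optional=False)` would stop the next reader from expecting a readiness wait. I would wrap the create in a `try`/`except client.rest.ApiException` that deletes the just-created pod and re-raises, assuming `client` is the kubernetes client module and `self.api` a CoreV1Api as the surrounding calls suggest. `submit` starts and ends outside both hunks.
```python
            secret = client.V1Secret(
                # … unchanged: metadata, labels, owner_references, string_data …
            )

            # Created after the pod so it can carry an ownerReference and is
            # garbage-collected with it. The pod blocks on this secret
            # (optional=False), so a failed create must not leave the pod behind.
            try:
                self.api.create_namespaced_secret(self.namespace, secret)
            except client.rest.ApiException:
                self.api.delete_namespaced_pod(
                    name=self.pod.metadata.name, namespace=self.namespace
                )
                raise
```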