Interactive mode in interpreter sessions #44
Conversation
Bind stdin during interactive mode
|
@razvan-agape you can probably ignore |
…nd stdin Configure user in Dockerfile
Hey, @iamsaso. I had a deeper look into this and I think I found a solution for what we want to achieve. tldr, the solution was to set the process to run as 'foreground', which will bind the TTY to the child process. This way, |
|
@alexei-led can you provide some input here? |
Problem description
secrets-initcannot be used in scenarios when you need tokubectl exec -i -t <pod-name> -- /bin/sh|python3into a pod and run commands that require Secrets Manager secrets (say you want to query a DB and you need the credentials). That is becausesecrets-initis launching a new process with a dedicated process group for it and only sets stdout and stderr of the process to the "calling" process (you can see the logs/errors). Sincestdinis not connected, the process exits immediately after the process is started.When you exec into the pod, it would be nice to use secrets-init to fetch the secrets and keep the terminal console open.
Current behaviour
Say there is a running pod called
terminalin thedefaultnamespace, runningpython3image, with an env var configured:From local machine, running
kubectl exec -i -t terminal -- python3, the command opens the python interpreter but secret env vars are not populated.Running
kubectl exec -i -t terminal -- secrets-init --provider <aws/gcp> python3exits without any exit code/reason.Desired behaviour
Running
kubectl exec -i -t terminal -- secrets-init --provider <aws/gcp> python3, it would be nice to connect to the python console process and run python commands. Runningshould return the "secret" value obtained by
secrets-initfrom the cloud secrets manager.Proposed solution
This PR adds a new command line argument to
secrets-init(--interactive/-i) which will bind the launched process stdin to the "calling" process stdin.### However...The changes present in this pr are changes that worked for us (meaning that we can runsecrets-initin interactive mode and do stuff), however, there are two problems:The process fails to treat window size change events. We see this error:ERRO[0000] failed to send system signal to the process args="[python3]" error="no such process" path=/usr/local/bin/python3 pid=93 signal=SIGWINCHThe only way we managed to keep the interpreter console opened is by not switching to another GPID. And this in my opinion is breaking one of the core functions ofsecrets-initto be an init system.I would like to receive some feedback from anyone who has any idea on how to fix the above issues and get this change merged.
Update 8th of May
I managed to fix the issue with the
SIGWINCHsignal by setting the new process to run in foreground. So, in interactive mode, the only changes to the process config are:Tested this configuration on Google Kubernetes Engine
v1.27.11-gke.1062001usingkube-secrets-init:0.5.0andsecrets-initworks well. In non-interactive mode, the behaviour is the same, so backwards compatibility is not an issue. Opening a shell in the pod (kubectl -n <ns> exec -it secret-init-terminal-test -- /helper/bin/secrets-init -i --provider=google python3).Additionally, I updated the Dockerfile to run the container under a non root user.