Support for cross-project secrets for GCP (flyteorg#582)

* Support for cross-project secrets for GCP Signed-off-by: Jeev B <[email protected]> * Bump flyteplugins version (flyteorg#581) Signed-off-by: Kevin Su <[email protected]> Signed-off-by: Jeev B <[email protected]> --------- Signed-off-by: Jeev B <[email protected]> Signed-off-by: Kevin Su <[email protected]> Co-authored-by: Kevin Su <[email protected]>
eapolinario · Jun 30, 2023 · 1541ae5 · 1541ae5
1 parent d181df7
commit 1541ae5
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 17 deletions.
diff --git a/pkg/webhook/gcp_secret_manager.go b/pkg/webhook/gcp_secret_manager.go
@@ -42,24 +42,14 @@ func formatGCPSecretAccessCommand(secret *core.Secret) []string {
 	// users, so we fix the file permissions with `chmod`.
 	secretDir := strings.ToLower(filepath.Join(GCPSecretMountPath, secret.Group))
 	secretPath := strings.ToLower(filepath.Join(secretDir, secret.GroupVersion))
-	args := []string{
-		"gcloud",
-		"secrets",
-		"versions",
-		"access",
+	args := fmt.Sprintf(
+		"gcloud secrets versions access %[1]s/versions/%[2]s --out-file=%[4]s || gcloud secrets versions access %[2]s --secret=%[1]s --out-file=%[4]s; chmod +rX %[3]s %[4]s",
+		secret.Group,
 		secret.GroupVersion,
-		fmt.Sprintf("--secret=%s", secret.Group),
-		fmt.Sprintf(
-			"--out-file=%s",
-			secretPath,
-		),
-		"&&",
-		"chmod",
-		"+rX",
 		secretDir,
 		secretPath,
-	}
-	return []string{"sh", "-c", strings.Join(args, " ")}
+	)
+	return []string{"sh", "-ec", args}
 }
 
 func formatGCPInitContainerName(index int) string {

diff --git a/pkg/webhook/gcp_secret_manager_test.go b/pkg/webhook/gcp_secret_manager_test.go
@@ -39,8 +39,8 @@ func TestGCPSecretManagerInjector_Inject(t *testing.T) {
 					Image: "gcr.io/google.com/cloudsdktool/cloud-sdk:alpine",
 					Command: []string{
 						"sh",
-						"-c",
-						"gcloud secrets versions access 2 --secret=TestSecret --out-file=/etc/flyte/secrets/testsecret/2 && chmod +rX /etc/flyte/secrets/testsecret /etc/flyte/secrets/testsecret/2",
+						"-ec",
+						"gcloud secrets versions access TestSecret/versions/2 --out-file=/etc/flyte/secrets/testsecret/2 || gcloud secrets versions access 2 --secret=TestSecret --out-file=/etc/flyte/secrets/testsecret/2; chmod +rX /etc/flyte/secrets/testsecret /etc/flyte/secrets/testsecret/2",
 					},
 					Env: []corev1.EnvVar{
 						{