Add container recipes #67
877d8b4 to 394ffad
| '/planes/kubernetes/local/namespaces/${context.runtime.kubernetes.namespace}/providers/core/Secret/${secretName}' | ||
| ] | ||
| values: { | ||
| secretName: secretName |
Does secretName need to be added to the Secrets resource type definition as a read only property?
It was added here because the container needed the name of the secret in order to connect. This can be reverted for now until we add a secrets connection.
| locals { | ||
| resource_name = var.context.resource.name | ||
| namespace = var.context.runtime.kubernetes.namespace | ||
| application_name = var.context.application != null ? var.context.application.name : "" |
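Review bot: The `""` fallback on the `application_name` line turns a missing application into an empty string instead of an error, so everything built from `local.application_name` (the `app` and `radapp.io/application` labels in this recipe) would be written with an empty value. If `var.context.application` can never be null, read `var.context.application.name` directly; if it can, fail with a clear message or omit the dependent labels rather than emitting blanks.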
application is a required property. Do you need to be checking for null here?
| # Connections - Extract secret connections from Radius.Security/secrets resources | ||
| connections = try(var.context.resource.connections, {}) | ||
| secret_connections = { | ||
| for name, conn in local.connections : name => conn | ||
| if try(conn.status.computedValues.secretName, null) != null | ||
| } | ||
| secret_names = [for name, conn in local.secret_connections : conn.status.computedValues.secretName] |
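Review bot: The `secret_connections` filter selects on the presence of `status.computedValues.secretName`, not on the type of the connected resource, so the comment's statement that these come from Radius.Security/secrets resources is not enforced: any connection that exposes a computed value named `secretName` ends up in `secret_names`. The two `try(...)` calls also swallow every evaluation error, which makes a malformed connection indistinguishable from one that is simply not a secret. Consider matching on the resource type explicitly if the connection object carries it, and expand the comment to say what `secret_names` is consumed by.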
Can you explain this in more detail in the comments? I'm not able to parse what this is doing and why.
| labels = { | ||
| resource = local.resource_name | ||
| app = local.application_name | ||
| "radapp.io/application" = local.application_name | ||
| "app.kubernetes.io/name" = local.normalized_name |
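Review bot: Three of the four label values here are not normalized: only `app.kubernetes.io/name` uses `local.normalized_name`, while `resource`, `app` and `radapp.io/application` take `local.resource_name` and `local.application_name` unmodified. Kubernetes label values are limited to 63 characters drawn from alphanumerics, `-`, `_` and `.`, with an alphanumeric at each end, so a name outside that set would make the apply fail. Pass every label value through the same normalization, or validate the inputs up front.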
We agreed to these standardized labels:
radapp.io/resource
radapp.io/resource-type
radapp.io/application
radapp.io/environment
radapp.io/resource-group
radapp.io/recipe-pack
| dynamic "value_from" { | ||
| for_each = env.value.value_from != null ? [env.value.value_from] : [] | ||
| content { | ||
| dynamic "secret_key_ref" { | ||
| for_each = try(value_from.value.secretKeyRef, null) != null ? [value_from.value.secretKeyRef] : [] | ||
| content { | ||
| name = secret_key_ref.value.name | ||
| key = secret_key_ref.value.key | ||
| } | ||
| } | ||
| } | ||
| } | ||
| } | ||
| } | ||
|
|
||
| # Environment variables from connected secrets (Radius.Security/secrets) | ||
| dynamic "env_from" { | ||
| for_each = local.secret_names | ||
| content { | ||
| secret_ref { | ||
| name = env_from.value | ||
| } | ||
| } | ||
| } |
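Review bot: The `env_from` block with `secret_ref` imports every key of each connected Secret into the container's environment, so the container receives values it may not need, and two connected secrets that share a key name will shadow one another without any error. Prefer per-key `secret_key_ref` entries like the `value_from` block earlier in this hunk, or set a per-connection `prefix` on `env_from`. Separately, the outer `value_from` dynamic block emits its content whenever `env.value.value_from` is non-null, while the inner block only fires for `secretKeyRef`, so a `value_from` carrying any other source produces an empty `value_from` block.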
I don't think we're handling secrets correctly. This assumes secrets are only stored in Kubernetes, when the majority of secrets will be in Azure Key Vault or HashiCorp Vault.
| # Init containers | ||
| dynamic "init_container" { | ||
| for_each = local.init_container_specs |
Is it possible to de-duplicate init and regular containers since they have the same schema? This would simplify the recipe significantly.
Compute/containers/test/app.bicep
Outdated
| } | ||
| } | ||
| } | ||
| connections: { |
Add connections to volumes, persistent volumes, and remove secrets until rework is done.
Signed-off-by: sk593 <[email protected]>
4cf163b to 90eb691
90eb691 to 0796afe
Description
Adding container recipes for the Radius.Compute/container type.
Related GitHub Issue:
Testing
Contributor Checklist
rad resource-type show is correct
enum: []
required: [] for every object property (not just the top-level properties)
readOnly: true