attempt to create kubernetes secrets to obscure credentials

grallewellyn · grallewellyn · commit a732753ac29d · 2025-06-30T16:54:19.000-07:00
diff --git a/airflow/dags/appgen_dag.py b/airflow/dags/appgen_dag.py
@@ -25,6 +25,10 @@
     build_ec2_type_label,
     get_affinity,
 )
+from kubernetes import client as k8s_client_lib
+from kubernetes import config as k8s_config_lib
+import base64
+from airflow.providers.cncf.kubernetes.secret import Secret as AirflowK8sSecret
 
 from airflow import DAG
 
@@ -39,6 +43,8 @@
 DOCKERHUB_TOKEN = "/unity/ads/app_gen/development/dockerhub_api_key"
 DOCKSTORE_TOKEN = "/unity/ads/app_gen/development/dockstore_token"
 
+K8S_SECRET_NAME = "sps-app-credentials" # Must match metadata.name in kubernetes_secret
+
 # HOST_SECRET_DIR = "/mnt/token-volume"
 # os.makedirs(HOST_SECRET_DIR, exist_ok=True)
 
@@ -110,6 +116,27 @@
     k8s.V1EnvVar(name="GITHUB_REPO", value="{{ params.repository }}"),
 ]
 
+secret_env_vars = [
+    AirflowK8sSecret(
+        deploy_type='env',                              # Expose as environment variable
+        deploy_target='DOCKERHUB_USERNAME_IN_POD',      # Name of the ENV VAR inside your pod
+        secret=K8S_SECRET_NAME,                         # Name of the K8s Secret
+        key='DOCKERHUB_USERNAME'                        # Key in the K8s Secret's data field
+    ),
+    AirflowK8sSecret(
+        deploy_type='env',
+        deploy_target='DOCKERHUB_TOKEN_IN_POD',
+        secret=K8S_SECRET_NAME,
+        key='DOCKERHUB_TOKEN'
+    ),
+    AirflowK8sSecret(
+        deploy_type='env',
+        deploy_target='DOCKSTORE_TOKEN_IN_POD',
+        secret=K8S_SECRET_NAME,
+        key='DOCKSTORE_TOKEN'
+    )
+]
+
 def setup(ti=None, **context):
     """
     Task that selects the proper Karpenter Node Pool depending on the user requested resources.
@@ -195,6 +222,7 @@ def setup(ti=None, **context):
     #         )
     #     )
     # ],
+    secrets=[secret_env_vars],
     volume_mounts=[
         k8s.V1VolumeMount(name="token-volume", mount_path="/")
     ],
diff --git a/terraform-unity/main.tf b/terraform-unity/main.tf
@@ -14,6 +14,37 @@ resource "kubernetes_namespace" "service_area" {
   }
 }
 
+data "aws_ssm_parameter" "dockerhub_username" {
+  name = "/unity/ads/app_gen/development/dockerhub_username"
+  with_decryption = true
+}
+
+data "aws_ssm_parameter" "dockerhub_api_key" {
+  name = "/unity/ads/app_gen/development/dockerhub_api_key"
+  with_decryption = true
+}
+
+data "aws_ssm_parameter" "dockstore_token" {
+  name = "/unity/ads/app_gen/development/dockstore_token"
+  with_decryption = true
+}
+
+resource "kubernetes_secret" "sps_app_credentials" {
+  metadata {
+    name      = sps_app_credentials
+    namespace = kubernetes_namespace.service_area.metadata[0].name
+  }
+  # Use 'string_data' for raw string values. Terraform will automatically base64 encode them.
+  # The keys here (e.g., "DOCKERHUB_USERNAME") are what you will reference in your Airflow DAG.
+  string_data = {
+    "DOCKERHUB_USERNAME" = data.aws_ssm_parameter.dockerhub_username.value
+    "DOCKERHUB_TOKEN"    = data.aws_ssm_parameter.dockerhub_api_key.value
+    "DOCKSTORE_TOKEN"    = data.aws_ssm_parameter.dockstore_token.value
+  }
+
+  type = "Opaque" # Default type, suitable for credentials
+}
+
 module "unity-sps-database" {
   source       = "./modules/terraform-unity-sps-database"
   project      = var.project
