FAQ | This is a LIVE service | Changelog

Commit 8a4aade6 authored by Robin Goodall's avatar Robin Goodall 💬
Browse files

Merge branch 'remove-beta-launch-stage' into 'master'

Do not enable BETA launch-stage for referencing secrets

Closes #33

See merge request !45
parents c065daf1 00bb3974
Pipeline #175027 passed with stage
in 43 seconds
......@@ -4,6 +4,11 @@ All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
## [4.1.4] - 2022-03-21
### Added
- Remove Beta launch stage flag that was required for referencing Secret Manager
secrets. See https://cloud.google.com/run/docs/release-notes#November_09_2021
## [4.1.3] - 2022-01-24
### Added
- Add a monitoring dashboard, defined in ./dashboard.json, for the Cloud Run service.
......
......@@ -121,8 +121,6 @@ is likely to be whitelisted within firewall configuration that lives outside of
Secret Manager secrets can be as environment variables or volume mounts (files) in the
running container.
At time of writing, this requires Cloud Run to run as BETA.
The service account that Cloud Run runs as needs access to the secrets for this feature to work.
Thus, this module gives `secretAccessor` role to that service account for the secrets passed on
`secrets_volume` and `secrets_envars`.
......
......@@ -39,12 +39,6 @@ locals {
load-balancer = "internal-and-cloud-load-balancing"
}, var.ingress_style, var.allowed_ingress)
# Do we need to enable the 'beta' launch stage - only required if certain beta
# functionality is being used, or if `enable_beta_launch_stage` is set downstream.
enable_beta_launch_stage = (
var.enable_beta_launch_stage || length(var.secrets_volume) != 0 || length(var.secrets_envars) != 0
)
# Whether we should monitor the custom domain - only possible if there are a dns names
# set and unauthenticated invocation is enabled.
can_monitor_custom_dns = length(local.dns_names) > 0 && var.allow_unauthenticated_invocations
......
......@@ -44,7 +44,7 @@ resource "google_cloud_run_service" "webapp" {
},
# Add the beta launch stage if required.
local.enable_beta_launch_stage ? {
var.enable_beta_launch_stage ? {
# Required to be able to set ingress type and secrets volume mounts
"run.googleapis.com/launch-stage" : "BETA",
} : {},
......@@ -184,7 +184,7 @@ resource "google_cloud_run_service" "webapp" {
# These are only changed when "run.googleapis.com/launch-stage" is "BETA".
# It's non-trivial to make ignore_changes dependent on input variables so
# we always ignore these annotations even if, strictly speaking, we only
# need to do so is local.enable_beta_launch_stage is true.
# need to do so is var.enable_beta_launch_stage is true.
metadata[0].annotations["serving.knative.dev/creator"],
metadata[0].annotations["serving.knative.dev/lastModifier"],
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment