feat: inject env vars into pod spec via Krane

Author: Flo4604

apps/dashboard/gen/proto/krane/v1/deployment_pb.ts

@@ -2,18 +2,15 @@
 // @generated from file krane/v1/deployment.proto (package krane.v1, syntax proto3)
 /* eslint-disable */
 
-import type { Message } from "@bufbuild/protobuf";
 import type { GenEnum, GenFile, GenMessage, GenService } from "@bufbuild/protobuf/codegenv2";
 import { enumDesc, fileDesc, messageDesc, serviceDesc } from "@bufbuild/protobuf/codegenv2";
+import type { Message } from "@bufbuild/protobuf";
 
 /**
  * Describes the file krane/v1/deployment.proto.
  */
-export const file_krane_v1_deployment: GenFile =
-  /*@__PURE__*/
-  fileDesc(
-    "ChlrcmFuZS92MS9kZXBsb3ltZW50LnByb3RvEghrcmFuZS52MSKPAQoRRGVwbG95bWVudFJlcXVlc3QSEQoJbmFtZXNwYWNlGAEgASgJEhUKDWRlcGxveW1lbnRfaWQYAiABKAkSDQoFaW1hZ2UYAyABKAkSEAoIcmVwbGljYXMYBCABKA0SFgoOY3B1X21pbGxpY29yZXMYBSABKA0SFwoPbWVtb3J5X3NpemVfbWliGAYgASgEIkoKF0NyZWF0ZURlcGxveW1lbnRSZXF1ZXN0Ei8KCmRlcGxveW1lbnQYASABKAsyGy5rcmFuZS52MS5EZXBsb3ltZW50UmVxdWVzdCJGChhDcmVhdGVEZXBsb3ltZW50UmVzcG9uc2USKgoGc3RhdHVzGAEgASgOMhoua3JhbmUudjEuRGVwbG95bWVudFN0YXR1cyJKChdVcGRhdGVEZXBsb3ltZW50UmVxdWVzdBIvCgpkZXBsb3ltZW50GAEgASgLMhsua3JhbmUudjEuRGVwbG95bWVudFJlcXVlc3QiKwoYVXBkYXRlRGVwbG95bWVudFJlc3BvbnNlEg8KB3BvZF9pZHMYASADKAkiQwoXRGVsZXRlRGVwbG95bWVudFJlcXVlc3QSEQoJbmFtZXNwYWNlGAEgASgJEhUKDWRlcGxveW1lbnRfaWQYAiABKAkiGgoYRGVsZXRlRGVwbG95bWVudFJlc3BvbnNlIkAKFEdldERlcGxveW1lbnRSZXF1ZXN0EhEKCW5hbWVzcGFjZRgBIAEoCRIVCg1kZXBsb3ltZW50X2lkGAIgASgJIj4KFUdldERlcGxveW1lbnRSZXNwb25zZRIlCglpbnN0YW5jZXMYAiADKAsyEi5rcmFuZS52MS5JbnN0YW5jZSJTCghJbnN0YW5jZRIKCgJpZBgBIAEoCRIPCgdhZGRyZXNzGAIgASgJEioKBnN0YXR1cxgDIAEoDjIaLmtyYW5lLnYxLkRlcGxveW1lbnRTdGF0dXMqlgEKEERlcGxveW1lbnRTdGF0dXMSIQodREVQTE9ZTUVOVF9TVEFUVVNfVU5TUEVDSUZJRUQQABIdChlERVBMT1lNRU5UX1NUQVRVU19QRU5ESU5HEAESHQoZREVQTE9ZTUVOVF9TVEFUVVNfUlVOTklORxACEiEKHURFUExPWU1FTlRfU1RBVFVTX1RFUk1JTkFUSU5HEAMymwIKEURlcGxveW1lbnRTZXJ2aWNlElkKEENyZWF0ZURlcGxveW1lbnQSIS5rcmFuZS52MS5DcmVhdGVEZXBsb3ltZW50UmVxdWVzdBoiLmtyYW5lLnYxLkNyZWF0ZURlcGxveW1lbnRSZXNwb25zZRJQCg1HZXREZXBsb3ltZW50Eh4ua3JhbmUudjEuR2V0RGVwbG95bWVudFJlcXVlc3QaHy5rcmFuZS52MS5HZXREZXBsb3ltZW50UmVzcG9uc2USWQoQRGVsZXRlRGVwbG95bWVudBIhLmtyYW5lLnYxLkRlbGV0ZURlcGxveW1lbnRSZXF1ZXN0GiIua3JhbmUudjEuRGVsZXRlRGVwbG95bWVudFJlc3BvbnNlQpgBCgxjb20ua3JhbmUudjFCD0RlcGxveW1lbnRQcm90b1ABWjZnaXRodWIuY29tL3Vua2V5ZWQvdW5rZXkvZ28vZ2VuL3Byb3RvL2tyYW5lL3YxO2tyYW5ldjGiAgNLWFiqAghLcmFuZS5WMcoCCEtyYW5lXFYx4gIUS3JhbmVcVjFcR1BCTWV0YWRhdGHqAglLcmFuZTo6VjFiBnByb3RvMw",
-  );
+export const file_krane_v1_deployment: GenFile = /*@__PURE__*/
+  fileDesc("ChlrcmFuZS92MS9kZXBsb3ltZW50LnByb3RvEghrcmFuZS52MSL7AQoRRGVwbG95bWVudFJlcXVlc3QSEQoJbmFtZXNwYWNlGAEgASgJEhUKDWRlcGxveW1lbnRfaWQYAiABKAkSDQoFaW1hZ2UYAyABKAkSEAoIcmVwbGljYXMYBCABKA0SFgoOY3B1X21pbGxpY29yZXMYBSABKA0SFwoPbWVtb3J5X3NpemVfbWliGAYgASgEEjoKCGVudl92YXJzGAcgAygLMigua3JhbmUudjEuRGVwbG95bWVudFJlcXVlc3QuRW52VmFyc0VudHJ5Gi4KDEVudlZhcnNFbnRyeRILCgNrZXkYASABKAkSDQoFdmFsdWUYAiABKAk6AjgBIkoKF0NyZWF0ZURlcGxveW1lbnRSZXF1ZXN0Ei8KCmRlcGxveW1lbnQYASABKAsyGy5rcmFuZS52MS5EZXBsb3ltZW50UmVxdWVzdCJGChhDcmVhdGVEZXBsb3ltZW50UmVzcG9uc2USKgoGc3RhdHVzGAEgASgOMhoua3JhbmUudjEuRGVwbG95bWVudFN0YXR1cyJKChdVcGRhdGVEZXBsb3ltZW50UmVxdWVzdBIvCgpkZXBsb3ltZW50GAEgASgLMhsua3JhbmUudjEuRGVwbG95bWVudFJlcXVlc3QiKwoYVXBkYXRlRGVwbG95bWVudFJlc3BvbnNlEg8KB3BvZF9pZHMYASADKAkiQwoXRGVsZXRlRGVwbG95bWVudFJlcXVlc3QSEQoJbmFtZXNwYWNlGAEgASgJEhUKDWRlcGxveW1lbnRfaWQYAiABKAkiGgoYRGVsZXRlRGVwbG95bWVudFJlc3BvbnNlIkAKFEdldERlcGxveW1lbnRSZXF1ZXN0EhEKCW5hbWVzcGFjZRgBIAEoCRIVCg1kZXBsb3ltZW50X2lkGAIgASgJIj4KFUdldERlcGxveW1lbnRSZXNwb25zZRIlCglpbnN0YW5jZXMYAiADKAsyEi5rcmFuZS52MS5JbnN0YW5jZSJTCghJbnN0YW5jZRIKCgJpZBgBIAEoCRIPCgdhZGRyZXNzGAIgASgJEioKBnN0YXR1cxgDIAEoDjIaLmtyYW5lLnYxLkRlcGxveW1lbnRTdGF0dXMqlgEKEERlcGxveW1lbnRTdGF0dXMSIQodREVQTE9ZTUVOVF9TVEFUVVNfVU5TUEVDSUZJRUQQABIdChlERVBMT1lNRU5UX1NUQVRVU19QRU5ESU5HEAESHQoZREVQTE9ZTUVOVF9TVEFUVVNfUlVOTklORxACEiEKHURFUExPWU1FTlRfU1RBVFVTX1RFUk1JTkFUSU5HEAMymwIKEURlcGxveW1lbnRTZXJ2aWNlElkKEENyZWF0ZURlcGxveW1lbnQSIS5rcmFuZS52MS5DcmVhdGVEZXBsb3ltZW50UmVxdWVzdBoiLmtyYW5lLnYxLkNyZWF0ZURlcGxveW1lbnRSZXNwb25zZRJQCg1HZXREZXBsb3ltZW50Eh4ua3JhbmUudjEuR2V0RGVwbG95bWVudFJlcXVlc3QaHy5rcmFuZS52MS5HZXREZXBsb3ltZW50UmVzcG9uc2USWQoQRGVsZXRlRGVwbG95bWVudBIhLmtyYW5lLnYxLkRlbGV0ZURlcGxveW1lbnRSZXF1ZXN0GiIua3JhbmUudjEuRGVsZXRlRGVwbG95bWVudFJlc3BvbnNlQpgBCgxjb20ua3JhbmUudjFCD0RlcGxveW1lbnRQcm90b1ABWjZnaXRodWIuY29tL3Vua2V5ZWQvdW5rZXkvZ28vZ2VuL3Byb3RvL2tyYW5lL3YxO2tyYW5ldjGiAgNLWFiqAghLcmFuZS5WMcoCCEtyYW5lXFYx4gIUS3JhbmVcVjFcR1BCTWV0YWRhdGHqAglLcmFuZTo6VjFiBnByb3RvMw");
 
 /**
  * @generated from message krane.v1.DeploymentRequest
@@ -48,14 +45,21 @@ export type DeploymentRequest = Message<"krane.v1.DeploymentRequest"> & {
    * @generated from field: uint64 memory_size_mib = 6;
    */
   memorySizeMib: bigint;
+
+  /**
+   * Environment variables to inject into the container.
+   * Keys are variable names, values are the (decrypted) values.
+   *
+   * @generated from field: map<string, string> env_vars = 7;
+   */
+  envVars: { [key: string]: string };
 };
 
 /**
  * Describes the message krane.v1.DeploymentRequest.
  * Use `create(DeploymentRequestSchema)` to create a new message.
  */
-export const DeploymentRequestSchema: GenMessage<DeploymentRequest> =
-  /*@__PURE__*/
+export const DeploymentRequestSchema: GenMessage<DeploymentRequest> = /*@__PURE__*/
   messageDesc(file_krane_v1_deployment, 0);
 
 /**
@@ -72,8 +76,7 @@ export type CreateDeploymentRequest = Message<"krane.v1.CreateDeploymentRequest"
  * Describes the message krane.v1.CreateDeploymentRequest.
  * Use `create(CreateDeploymentRequestSchema)` to create a new message.
  */
-export const CreateDeploymentRequestSchema: GenMessage<CreateDeploymentRequest> =
-  /*@__PURE__*/
+export const CreateDeploymentRequestSchema: GenMessage<CreateDeploymentRequest> = /*@__PURE__*/
   messageDesc(file_krane_v1_deployment, 1);
 
 /**
@@ -90,8 +93,7 @@ export type CreateDeploymentResponse = Message<"krane.v1.CreateDeploymentRespons
  * Describes the message krane.v1.CreateDeploymentResponse.
  * Use `create(CreateDeploymentResponseSchema)` to create a new message.
  */
-export const CreateDeploymentResponseSchema: GenMessage<CreateDeploymentResponse> =
-  /*@__PURE__*/
+export const CreateDeploymentResponseSchema: GenMessage<CreateDeploymentResponse> = /*@__PURE__*/
   messageDesc(file_krane_v1_deployment, 2);
 
 /**
@@ -108,8 +110,7 @@ export type UpdateDeploymentRequest = Message<"krane.v1.UpdateDeploymentRequest"
  * Describes the message krane.v1.UpdateDeploymentRequest.
  * Use `create(UpdateDeploymentRequestSchema)` to create a new message.
  */
-export const UpdateDeploymentRequestSchema: GenMessage<UpdateDeploymentRequest> =
-  /*@__PURE__*/
+export const UpdateDeploymentRequestSchema: GenMessage<UpdateDeploymentRequest> = /*@__PURE__*/
   messageDesc(file_krane_v1_deployment, 3);
 
 /**
@@ -126,8 +127,7 @@ export type UpdateDeploymentResponse = Message<"krane.v1.UpdateDeploymentRespons
  * Describes the message krane.v1.UpdateDeploymentResponse.
  * Use `create(UpdateDeploymentResponseSchema)` to create a new message.
  */
-export const UpdateDeploymentResponseSchema: GenMessage<UpdateDeploymentResponse> =
-  /*@__PURE__*/
+export const UpdateDeploymentResponseSchema: GenMessage<UpdateDeploymentResponse> = /*@__PURE__*/
   messageDesc(file_krane_v1_deployment, 4);
 
 /**
@@ -149,21 +149,20 @@ export type DeleteDeploymentRequest = Message<"krane.v1.DeleteDeploymentRequest"
  * Describes the message krane.v1.DeleteDeploymentRequest.
  * Use `create(DeleteDeploymentRequestSchema)` to create a new message.
  */
-export const DeleteDeploymentRequestSchema: GenMessage<DeleteDeploymentRequest> =
-  /*@__PURE__*/
+export const DeleteDeploymentRequestSchema: GenMessage<DeleteDeploymentRequest> = /*@__PURE__*/
   messageDesc(file_krane_v1_deployment, 5);
 
 /**
  * @generated from message krane.v1.DeleteDeploymentResponse
  */
-export type DeleteDeploymentResponse = Message<"krane.v1.DeleteDeploymentResponse"> & {};
+export type DeleteDeploymentResponse = Message<"krane.v1.DeleteDeploymentResponse"> & {
+};
 
 /**
  * Describes the message krane.v1.DeleteDeploymentResponse.
  * Use `create(DeleteDeploymentResponseSchema)` to create a new message.
  */
-export const DeleteDeploymentResponseSchema: GenMessage<DeleteDeploymentResponse> =
-  /*@__PURE__*/
+export const DeleteDeploymentResponseSchema: GenMessage<DeleteDeploymentResponse> = /*@__PURE__*/
   messageDesc(file_krane_v1_deployment, 6);
 
 /**
@@ -185,8 +184,7 @@ export type GetDeploymentRequest = Message<"krane.v1.GetDeploymentRequest"> & {
  * Describes the message krane.v1.GetDeploymentRequest.
  * Use `create(GetDeploymentRequestSchema)` to create a new message.
  */
-export const GetDeploymentRequestSchema: GenMessage<GetDeploymentRequest> =
-  /*@__PURE__*/
+export const GetDeploymentRequestSchema: GenMessage<GetDeploymentRequest> = /*@__PURE__*/
   messageDesc(file_krane_v1_deployment, 7);
 
 /**
@@ -203,8 +201,7 @@ export type GetDeploymentResponse = Message<"krane.v1.GetDeploymentResponse"> &
  * Describes the message krane.v1.GetDeploymentResponse.
  * Use `create(GetDeploymentResponseSchema)` to create a new message.
  */
-export const GetDeploymentResponseSchema: GenMessage<GetDeploymentResponse> =
-  /*@__PURE__*/
+export const GetDeploymentResponseSchema: GenMessage<GetDeploymentResponse> = /*@__PURE__*/
   messageDesc(file_krane_v1_deployment, 8);
 
 /**
@@ -231,8 +228,7 @@ export type Instance = Message<"krane.v1.Instance"> & {
  * Describes the message krane.v1.Instance.
  * Use `create(InstanceSchema)` to create a new message.
  */
-export const InstanceSchema: GenMessage<Instance> =
-  /*@__PURE__*/
+export const InstanceSchema: GenMessage<Instance> = /*@__PURE__*/
   messageDesc(file_krane_v1_deployment, 9);
 
 /**
@@ -269,8 +265,7 @@ export enum DeploymentStatus {
 /**
  * Describes the enum krane.v1.DeploymentStatus.
  */
-export const DeploymentStatusSchema: GenEnum<DeploymentStatus> =
-  /*@__PURE__*/
+export const DeploymentStatusSchema: GenEnum<DeploymentStatus> = /*@__PURE__*/
   enumDesc(file_krane_v1_deployment, 0);
 
 /**
@@ -286,7 +281,7 @@ export const DeploymentService: GenService<{
     methodKind: "unary";
     input: typeof CreateDeploymentRequestSchema;
     output: typeof CreateDeploymentResponseSchema;
-  };
+  },
   /**
    * GetDeployment
    *
@@ -296,7 +291,7 @@ export const DeploymentService: GenService<{
     methodKind: "unary";
     input: typeof GetDeploymentRequestSchema;
     output: typeof GetDeploymentResponseSchema;
-  };
+  },
   /**
    * DeleteDeployment
    *
@@ -306,5 +301,7 @@ export const DeploymentService: GenService<{
     methodKind: "unary";
     input: typeof DeleteDeploymentRequestSchema;
     output: typeof DeleteDeploymentResponseSchema;
-  };
-}> = /*@__PURE__*/ serviceDesc(file_krane_v1_deployment, 0);
+  },
+}> = /*@__PURE__*/
+  serviceDesc(file_krane_v1_deployment, 0);
+

go/apps/krane/backend/docker/deployment_create.go

@@ -47,6 +47,14 @@ func (d *docker) CreateDeployment(ctx context.Context, req *connect.Request[kran
 	cpuNanos := int64(deployment.GetCpuMillicores()) * 1_000_000      // Convert millicores to nanoseconds
 	memoryBytes := int64(deployment.GetMemorySizeMib()) * 1024 * 1024 //nolint:gosec // Intentional conversion
 
+	// Build environment variables list
+	env := []string{
+		fmt.Sprintf("DEPLOYMENT_ID=%s", deployment.GetDeploymentId()),
+	}
+	for k, v := range deployment.GetEnvVars() {
+		env = append(env, fmt.Sprintf("%s=%s", k, v))
+	}
+
 	//nolint:exhaustruct // Docker SDK types have many optional fields
 	containerConfig := &container.Config{
 		Image: deployment.GetImage(),
@@ -55,9 +63,7 @@ func (d *docker) CreateDeployment(ctx context.Context, req *connect.Request[kran
 			"unkey.managed.by":    "krane",
 		},
 		ExposedPorts: exposedPorts,
-		Env: []string{
-			fmt.Sprintf("DEPLOYMENT_ID=%s", deployment.GetDeploymentId()),
-		},
+		Env:          env,
 	}
 
 	//nolint:exhaustruct // Docker SDK types have many optional fields

go/apps/krane/backend/kubernetes/deployment_create.go

@@ -156,6 +156,9 @@ func (k *k8s) CreateDeployment(ctx context.Context, req *connect.Request[kranev1
 						Annotations: map[string]string{},
 					},
 					Spec: corev1.PodSpec{
+						// Use a restricted service account with no API access
+						ServiceAccountName:           "customer-workload",
+						AutomountServiceAccountToken: ptr.P(false),
 
 						ImagePullSecrets: func() []corev1.LocalObjectReference {
 							// Only add imagePullSecrets if using Depot registry
@@ -179,6 +182,20 @@ func (k *k8s) CreateDeployment(ctx context.Context, req *connect.Request[kranev1
 										Protocol:      corev1.ProtocolTCP,
 									},
 								},
+								Env: func() []corev1.EnvVar {
+									envVars := req.Msg.GetDeployment().GetEnvVars()
+									if len(envVars) == 0 {
+										return nil
+									}
+									env := make([]corev1.EnvVar, 0, len(envVars))
+									for k, v := range envVars {
+										env = append(env, corev1.EnvVar{
+											Name:  k,
+											Value: v,
+										})
+									}
+									return env
+								}(),
 								Resources: corev1.ResourceRequirements{
 									// nolint: exhaustive
 									Requests: corev1.ResourceList{

go/gen/proto/krane/v1/deployment.pb.go

@@ -24,6 +24,10 @@ message DeploymentRequest {
   uint32 replicas = 4;
   uint32 cpu_millicores = 5;
   uint64 memory_size_mib = 6;
+
+  // Environment variables to inject into the container.
+  // Keys are variable names, values are the (decrypted) values.
+  map<string, string> env_vars = 7;
 }
 
 message CreateDeploymentRequest {