
Re: Secrets and STI

Hi Vincent,
So the way for you to go is an env var in a template. This is because
when we run an s2i build, inside the openshift builder image we run
an additional image (the s2i builder image you've specified in your
buildconfig), which does not have secrets mounted; they are mounted
only to the openshift builder image during the startup procedure.
The ones you see come from RHEL, which by default mounts secrets used
for RHEL entitlements. That's a bit of a convoluted explanation, but I hope
it gives you the picture behind it.


On 07/17/2015 08:35 AM, Vincent Behar wrote:
Hi guys,

I’m trying to build an app on openshift using STI, but the app requires some credentials to retrieve its dependencies from a private registry. I was thinking about using a secret for the config file that holds the credentials, but I can’t find how to access it from inside the STI builder container (in the “assemble” script).

If I understand correctly, the secret should be mounted somewhere in /var/run/secrets, but it seems like there are no volumes defined in the container config:

docker.go:350] Creating container using config: {Hostname: Domainname: User: Memory:0 MemorySwap:0 CPUShares:0 CPUSet: AttachStdin:false AttachStdout:true AttachStderr:false PortSpecs:[] ExposedPorts:map[] Tty:false OpenStdin:true StdinOnce:true Env:[OPENSHIFT_BUILD_REFERENCE=master OPENSHIFT_BUILD_NAME=... OPENSHIFT_BUILD_NAMESPACE=test OPENSHIFT_BUILD_SOURCE=...] Cmd:[/bin/sh -c tar -C /tmp -xf - && /tmp/scripts/assemble] DNS:[] Image:registry.access.redhat.com/openshift3/nodejs-010-rhel7:latest Volumes:map[] VolumesFrom: WorkingDir: MacAddress: Entrypoint:[] NetworkDisabled:false SecurityOpts:[] OnBuild:[] Labels:map[]}

And if I use a custom assemble script, and put a “find /var/run/secrets” in it, all it finds is:

I0716 13:14:32.980088       1 sti.go:388] /var/run/secrets/
I0716 13:14:32.980110       1 sti.go:388] /var/run/secrets/rhsm
I0716 13:14:32.980125       1 sti.go:388] /var/run/secrets/rhsm/rhsm.conf
I0716 13:14:32.980136       1 sti.go:388] /var/run/secrets/rhsm/ca
I0716 13:14:32.980147       1 sti.go:388] /var/run/secrets/rhsm/ca/redhat-uep.pem
I0716 13:14:32.980158       1 sti.go:388] /var/run/secrets/rhsm/ca/candlepin-stage.pem
I0716 13:14:32.980169       1 sti.go:388] /var/run/secrets/rhel7.repo
I0716 13:14:32.980178       1 sti.go:388] /var/run/secrets/etc-pki-entitlement
I0716 13:14:32.980189       1 sti.go:388] /var/run/secrets/etc-pki-entitlement/1073318989259753575.pem
I0716 13:14:32.980200       1 sti.go:388] /var/run/secrets/etc-pki-entitlement/1073318989259753575-key.pem

So is it possible to retrieve secrets from inside an STI builder container (in the assemble script)? Or should I use env vars / template parameters?


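Following the advice in the reply (credentials passed as environment variables set through a template), this is an added example, not code from either poster or from OpenShift, of how a custom assemble script for the Node.js builder seen in the log could consume them. The variable names NPM_REGISTRY_URL and NPM_AUTH_TOKEN and the helper function names are hypothetical.

```shell
#!/bin/sh
# Added example: helpers for a custom S2I assemble script.
# NPM_REGISTRY_URL and NPM_AUTH_TOKEN are hypothetical names, assumed to be
# set in the build's environment from template parameters.

# Fail early, without echoing any value, if a credential variable is missing.
require_build_env() {
    for name in "$@"; do
        eval "value=\${$name:-}"
        if [ -z "$value" ]; then
            echo "assemble: required variable $name is not set" >&2
            return 1
        fi
    done
}

# Write an npm config for the private registry, readable only by the build user.
write_npmrc() {
    target=$1
    require_build_env NPM_REGISTRY_URL NPM_AUTH_TOKEN || return 1
    host_path=${NPM_REGISTRY_URL#*://}   # npm keys auth entries by //host/path/
    host_path=${host_path%/}
    rm -f "$target"                      # never inherit an older file's mode
    old_umask=$(umask)
    umask 077                            # new file is created with mode 0600
    {
        printf 'registry=%s\n' "$NPM_REGISTRY_URL"
        printf '//%s/:_authToken=%s\n' "$host_path" "$NPM_AUTH_TOKEN"
    } > "$target"
    umask "$old_umask"
}

# Run the dependency install with the config in place, then always delete it
# so the token is not left in a file inside the committed image.
install_with_private_registry() {
    npmrc=$1; shift
    write_npmrc "$npmrc" || return 1
    status=0
    "$@" || status=$?
    rm -f "$npmrc"
    return "$status"
}

# In assemble, once the sources are in place (not executed here):
#   install_with_private_registry "$HOME/.npmrc" npm install
```

Values set this way are stored in clear text in the BuildConfig and are also defined in the output image's environment, so a read-only, narrowly scoped registry token is the right thing to put there.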
