[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Secrets and STI



Trello card for this feature is here: https://trello.com/c/m5bPxwh4/643-allow-to-consume-secrets-in-sti-build-build

On Fri, Jul 17, 2015 at 4:49 PM, Vincent Behar <v behar free fr> wrote:
Yes, I agree: I tried the env vars solution (to inject an auth token into the build container), but those env vars are then committed in the image config, thus they will be available in the container at runtime.
So even the env vars solution is not good for the moment, because it will leak build info to the runtime environment.
In my opinion, the env vars defined in the source strategy of the build config should be restricted to the build image, and be excluded from the env being generated for the final image. What do you think ?

Vincent

> On 17 Jul 2015, at 16:31, Clayton Coleman <ccoleman redhat com> wrote:
>
> We need to put together a general proposal for how secrets are exposed to builds.  It should be possible to expose secrets into STI environments and then ensure they don't get committed into the image.  It should be possible to inject secrets into Docker builds that don't get into the image.  This is something that is important to fix, just not currently designed.
>
> On Fri, Jul 17, 2015 at 6:17 AM, Maciej Szulik <maszulik redhat com> wrote:
> Nothing that I know of ATM.
>
> Maciej
>
>
> On 07/17/2015 11:30 AM, Vincent Behar wrote:
> Ok thanks, that’s what I thought.
>
> And there are no plans for supporting secrets in STI?
>
> Vincent
>
> On 17 Jul 2015, at 11:23, Maciej Szulik <maszulik redhat com> wrote:
>
> Hi Vincent,
> So the way for you to go is env var in a template. This is because
> when we run s2i build, inside the openshift builder image we run
> additional image (the s2i builder image you've specified in your
> buildconfig), which does not have secrets mounted, they are mounted
> only to the openshift builder image during startup procedure.
> The ones you see come from RHEL, which by default mounts secrets used
> for RHEL entitlements. That's a bit of a convoluted explanation, but I hope
> it gives you the picture behind it.
>
> Maciej
>
>
> On 07/17/2015 08:35 AM, Vincent Behar wrote:
> Hi guys,
>
> I’m trying to build an app on openshift using STI, but the app requires some credentials to retrieve its dependencies from a private registry. I was thinking about using a secret for the config file that holds the credentials, but I can’t find how to access it from inside the STI builder container (in the “assemble” script).
>
> If I understand correctly, the secret should be mounted somewhere in /var/run/secrets, but it seems like there are no volumes defined in the container config:
>
> docker.go:350] Creating container using config: {Hostname: Domainname: User: Memory:0 MemorySwap:0 CPUShares:0 CPUSet: AttachStdin:false AttachStdout:true AttachStderr:false PortSpecs:[] ExposedPorts:map[] Tty:false OpenStdin:true StdinOnce:true Env:[OPENSHIFT_BUILD_REFERENCE=master OPENSHIFT_BUILD_NAME=... OPENSHIFT_BUILD_NAMESPACE=test OPENSHIFT_BUILD_SOURCE=...] Cmd:[/bin/sh -c tar -C /tmp -xf - && /tmp/scripts/assemble] DNS:[] Image:registry.access.redhat.com/openshift3/nodejs-010-rhel7:latest Volumes:map[] VolumesFrom: WorkingDir: MacAddress: Entrypoint:[] NetworkDisabled:false SecurityOpts:[] OnBuild:[] Labels:map[]}
>
> And if I use a custom assemble script, and put a “find /var/run/secrets” in it, all it finds is:
>
> I0716 13:14:32.980088       1 sti.go:388] /var/run/secrets/
> I0716 13:14:32.980110       1 sti.go:388] /var/run/secrets/rhsm
> I0716 13:14:32.980125       1 sti.go:388] /var/run/secrets/rhsm/rhsm.conf
> I0716 13:14:32.980136       1 sti.go:388] /var/run/secrets/rhsm/ca
> I0716 13:14:32.980147       1 sti.go:388] /var/run/secrets/rhsm/ca/redhat-uep.pem
> I0716 13:14:32.980158       1 sti.go:388] /var/run/secrets/rhsm/ca/candlepin-stage.pem
> I0716 13:14:32.980169       1 sti.go:388] /var/run/secrets/rhel7.repo
> I0716 13:14:32.980178       1 sti.go:388] /var/run/secrets/etc-pki-entitlement
> I0716 13:14:32.980189       1 sti.go:388] /var/run/secrets/etc-pki-entitlement/1073318989259753575.pem
> I0716 13:14:32.980200       1 sti.go:388] /var/run/secrets/etc-pki-entitlement/1073318989259753575-key.pem
>
> So is it possible to retrieve secrets from inside a STI builder container (in the assemble script)? Or should I use env vars / template parameters?
>
> Thanks,
> Vincent
>
> _______________________________________________
> users mailing list
> users lists openshift redhat com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>
>
>
>
>
>
> --
> Clayton Coleman | Lead Engineer, OpenShift


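The leak Vincent describes (a build-time variable ending up in the committed image config) and the exclusion he proposes (variables from the build config that are visible to the assemble script but stripped before the final image's environment is generated), as an added example in Go. This is illustration code, not part of this thread and not OpenShift's or S2I's implementation: the variable names NPM_TOKEN and REGISTRY_AUTH, the buildOnly marker and the sample `docker inspect` output are all constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// imageConfig models the subset of a Docker image config (as printed by
// `docker inspect <image>`) that matters here: Config.Env is committed into
// the image, so every container started from it inherits those variables.
type imageConfig struct {
	Config struct {
		Env []string `json:"Env"`
	} `json:"Config"`
}

// buildOnlyNames is a hypothetical marker for variables that must reach the
// assemble script but never the committed image. The names are made up.
var buildOnlyNames = map[string]bool{
	"NPM_TOKEN":     true,
	"REGISTRY_AUTH": true,
}

// sampleInspect is constructed `docker inspect` output in which a build-time
// token was committed next to the OPENSHIFT_BUILD_* metadata (not a real token).
const sampleInspect = `[{"Config":{"Env":[
  "PATH=/usr/local/bin:/usr/bin",
  "OPENSHIFT_BUILD_NAME=nodejs-1",
  "NPM_TOKEN=constructed-not-a-real-token",
  "NODE_ENV=production"]}}]`

// splitEnv splits a "KEY=VALUE" entry into key and value.
func splitEnv(kv string) (string, string) {
	if i := strings.IndexByte(kv, '='); i >= 0 {
		return kv[:i], kv[i+1:]
	}
	return kv, ""
}

// runtimeEnv returns the environment that may be committed into the final
// image: every build-config variable except those marked build-only. This is
// the filtering step the proposal above asks for, applied before the image's
// env is generated, so the assemble script still sees the full buildEnv.
func runtimeEnv(buildEnv []string, buildOnly map[string]bool) []string {
	out := []string{}
	for _, kv := range buildEnv {
		if k, _ := splitEnv(kv); buildOnly[k] {
			continue
		}
		out = append(out, kv)
	}
	return out
}

// leakedSecrets audits a committed image config (JSON from `docker inspect`)
// and returns the names of build-only variables that reached runtime Env.
func leakedSecrets(inspectJSON []byte, buildOnly map[string]bool) ([]string, error) {
	var cfgs []imageConfig
	if err := json.Unmarshal(inspectJSON, &cfgs); err != nil {
		return nil, err
	}
	leaked := []string{}
	for _, c := range cfgs {
		for _, kv := range c.Config.Env {
			if k, _ := splitEnv(kv); buildOnly[k] {
				leaked = append(leaked, k)
			}
		}
	}
	return leaked, nil
}

func main() {
	buildEnv := []string{"NPM_TOKEN=constructed-not-a-real-token", "NODE_ENV=production"}
	fmt.Println("env seen by assemble:", buildEnv)
	fmt.Println("env committed to image:", runtimeEnv(buildEnv, buildOnlyNames))

	leaked, err := leakedSecrets([]byte(sampleInspect), buildOnlyNames)
	if err != nil {
		panic(err)
	}
	fmt.Println("leaked into sample image config:", leaked)
}
```

The quick manual version of the audit is `docker inspect -f '{{.Config.Env}}' <image>` on the built image: anything a build-time step exported that shows up there is available to every container run from that image, which is exactly the leak the thread is about.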

