Hello, I would like to retrieve a secret value while running a script in a
post-commit build hook. The end goal here is to provide credentials to a
command-line utility during post-commit without exposing them in the build
log or baking them into the output image. The secret is set as
described here:
https://docs.openshift.com/container-platform/4.5/builds/creating-build-inputs.html#builds-input-secrets-configmaps_creating-build-inputs

Given this sample Dockerfile:

FROM registry.redhat.io/ubi8-minimal
RUN microdnf update -y && rm -rf /var/cache/yum && microdnf clean all
USER 1001

I get a permission error, as it seems that in the post-commit build hook my
command runs as UID 1001 but the secret is mounted and owned by root:

<SNIP>
STEP 6: FROM 2aa7c2a5f044025caeb1c2d7b6b4a32d60e4ae3b4b81047029b2b1f3e4b7e5ab
STEP 7: RUN /bin/sh -ic 'whoami; ls -lH /var/run/secrets/openshift.io/build/my-secret/super; cat /var/run/secrets/openshift.io/build/my-secret/super'
sh: cannot set terminal process group (1): Inappropriate ioctl for device
sh: no job control in this shell
whoami: cannot find name for user ID 1001
-rw-------. 1 root root 6 Oct 12 00:57 /var/run/secrets/openshift.io/build/my-secret/super
cat: /var/run/secrets/openshift.io/build/my-secret/super: Permission denied
subprocess exited with status 1
subprocess exited with status 1
<SNIP>

Ideally, I don't want to produce an image that runs as root. Are there any
suggestions on how to approach this, or on another way to provide sensitive
information in a build hook?

Thanks.
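As an added example (not code from the post above or from OpenShift), the following hook helper diagnoses the exact failure shown in that log, a root-owned 0600 secret file read by a hook running as the Dockerfile's USER, without ever printing the secret, and hands the value to a utility on stdin so it does not land in the build log or in argv. The secret path defaults to the one in the post; the command it wraps is whatever the hook needs and is left to the caller.

```shell
#!/bin/sh
# Added example helper for a post-commit build hook. Assumes the build-input
# secret is mounted at the path from the original post; override SECRET_PATH
# to point elsewhere.
SECRET_PATH="${SECRET_PATH:-/var/run/secrets/openshift.io/build/my-secret/super}"

# Check that the secret can be read by the UID the hook runs as.
# Only metadata is written to stderr, never the file contents.
# Return codes: 0 readable, 2 not mounted, 3 present but unreadable.
check_secret() {
  path="$1"
  if [ ! -e "$path" ]; then
    echo "secret not mounted at $path" >&2
    return 2
  fi
  if [ ! -r "$path" ]; then
    # This is the condition in the build log: owned by root, mode 0600,
    # while the hook runs as the non-root USER from the Dockerfile.
    echo "secret at $path exists but is not readable by uid $(id -u)" >&2
    ls -l "$path" >&2
    return 3
  fi
  return 0
}

# Run a command with the secret on its stdin. The command line itself may be
# logged; the secret value is never part of it and `set -x` is disabled in
# the subshell so the redirection is not traced.
# Usage: with_secret_on_stdin /path/to/secret some-cli --token-stdin
with_secret_on_stdin() {
  path="$1"
  shift
  check_secret "$path" || return $?
  ( set +x; "$@" < "$path" )
}
```

Choosing stdin over an argument matters because build logs and `ps` output record argv, while file-descriptor contents are not captured by either.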
_______________________________________________
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users