Ok. Out of curiosity, is there a way to add an arbitrary secret to SA and mount it along with other secrets? Builder token seems to be mounted with permissions that would allow me to retrieve it:
sh-4.2# ls -lH /var/run/secrets/kubernetes.io/serviceaccount/token
-rw-r--r--. 1 root 1000730000 897 Oct 13 11:46 /var/run/secrets/kubernetes.io/serviceaccount/token
sh-4.2#

Thanks!

On Mon, Oct 12, 2020 at 11:39 AM Ben Parees <bpar...@redhat.com> wrote:
>
> On Mon, Oct 12, 2020 at 7:34 AM Russ Krichevskiy <russ.krichevs...@gmail.com> wrote:
>
>> Hello, I would like to retrieve a secret value while running a script in a
>> post-commit build hook. The end goal here is to provide credentials to a
>> command-line utility during post-commit without exposing them in the build
>> log and without baking them into the output image. The secret is set as
>> described here:
>> https://docs.openshift.com/container-platform/4.5/builds/creating-build-inputs.html#builds-input-secrets-configmaps_creating-build-inputs
>>
>> Given this sample Dockerfile:
>>
>> FROM registry.redhat.io/ubi8-minimal
>> RUN microdnf update -y && rm -rf /var/cache/yum && microdnf clean all
>> USER 1001
>>
>> I get a permission error, as it seems that in the post-commit build hook my
>> command runs as UID 1001 but the secret is mounted and owned by root:
>>
>> <SNIP>
>> STEP 6: FROM 2aa7c2a5f044025caeb1c2d7b6b4a32d60e4ae3b4b81047029b2b1f3e4b7e5ab
>> STEP 7: RUN /bin/sh -ic 'whoami; ls -lH /var/run/secrets/openshift.io/build/my-secret/super; cat /var/run/secrets/openshift.io/build/my-secret/super'
>> sh: cannot set terminal process group (1): Inappropriate ioctl for device
>> sh: no job control in this shell
>> whoami: cannot find name for user ID 1001
>> -rw-------. 1 root root 6 Oct 12 00:57 /var/run/secrets/openshift.io/build/my-secret/super
>>
>
> I'm actually surprised this even works, I didn't remember that we mounted
> your build-secrets into the container we launch for your post-commit hook
> execution.
>
> But since apparently we do, I do not believe we give you any way to
> control the mount permissions there, so you're likely a bit stuck. I
> suspect you're going to have to move to a real CI pipeline flow for this
> (e.g. push your newly built image to a test tag, then run a deployment
> against the test tag that mounts the secrets and runs your tests, then if
> that succeeds, re-tag the image for prod or whatever).
>
>
>> cat: /var/run/secrets/openshift.io/build/my-secret/super: Permission denied
>> subprocess exited with status 1
>> subprocess exited with status 1
>> <SNIP>
>>
>> Ideally, I don't want to produce an image that runs as root. Are there
>> any suggestions on how to approach this, or another way to provide sensitive
>> information in a build hook?
>>
>> Thanks.
>>
>> _______________________________________________
>> users mailing list
>> users@lists.openshift.redhat.com
>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>>
>
>
> --
> Ben Parees | OpenShift
>

--
Russ Krichevskiy
Email: russ.krichevs...@gmail.com
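A pre-flight check for the failure mode discussed in this thread, added here as an example and not code from the thread or from OpenShift: before the post-commit hook calls its command-line utility, it verifies that the mounted build secret exists and is readable by the UID the hook actually runs as, reports only metadata (path, owner, mode, current UID) to the build log when it is not, and otherwise loads the value into an environment variable rather than echoing it or placing it on a command line where `ps` and the log would show it. The secret path defaults to the one from the thread and can be overridden with SECRET_FILE; `my-cli` is a placeholder for the utility in question, and `run_hook` is only invoked when RUN_HOOK is set so the helpers can be sourced and tested on their own.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): check a build-secret
# mount before a post-commit hook uses it, so a root-owned 0600 file seen
# from UID 1001 fails with an explanatory message instead of a bare
# "Permission denied", and the secret value itself never reaches the log.

# Path taken from the thread; override with SECRET_FILE=... in the hook env.
SECRET_FILE="${SECRET_FILE:-/var/run/secrets/openshift.io/build/my-secret/super}"

# secret_readable PATH -> 0 if the current UID can read PATH, 1 otherwise.
# On failure it prints metadata only (owner, mode, UID), which is safe to
# leave in a build log; it never prints the file contents.
secret_readable() {
    f="$1"
    if [ ! -e "$f" ]; then
        echo "secret not mounted: $f" >&2
        return 1
    fi
    if [ ! -r "$f" ]; then
        echo "secret $f not readable by uid $(id -u): $(ls -l "$f")" >&2
        return 1
    fi
    return 0
}

# load_secret PATH VARNAME -> reads PATH into the environment variable
# VARNAME without writing the value to stdout/stderr. Returns 1 if the
# file is unreadable or VARNAME is not a valid identifier.
load_secret() {
    f="$1"; var="$2"
    # Refuse anything that is not a plain identifier: VARNAME is used in eval.
    case "$var" in
        ""|[0-9]*|*[!A-Za-z0-9_]*) echo "bad variable name" >&2; return 1 ;;
    esac
    secret_readable "$f" || return 1
    # Command substitution strips the trailing newline, which is what a
    # token read from a secret file normally wants.
    val=$(cat "$f") || return 1
    eval "$var=\$val"
    export "$var"
    return 0
}

# run_hook -> the body a post-commit hook would execute: load the secret,
# then hand it to the utility through the environment, not through argv.
# "my-cli" is a placeholder for the real command-line utility.
run_hook() {
    load_secret "$SECRET_FILE" API_TOKEN || return 1
    API_TOKEN="$API_TOKEN" my-cli --check
}

# Only run the hook body when explicitly asked (RUN_HOOK=1 ./hook.sh).
if [ -n "${RUN_HOOK:-}" ]; then
    run_hook
fi
```

The two checks are separate on purpose: `! -e` distinguishes "the secret was not mounted into this container at all" from `! -r`, the case in the thread where the file is present but owned by root with mode 0600 while the hook runs as UID 1001. Both messages are limited to what `ls -l` and `id -u` already reveal, so they can stay in the build log.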