On Tue, Oct 13, 2020 at 8:02 AM Russ Krichevskiy <russ.krichevs...@gmail.com> wrote:
> Ok. Out of curiosity, is there a way to add an arbitrary secret to the SA and
> mount it along with other secrets? The builder token seems to be mounted with
> permissions that would allow me to retrieve it:

I do not believe so

> sh-4.2# ls -lH /var/run/secrets/kubernetes.io/serviceaccount/token
> -rw-r--r--. 1 root 1000730000 897 Oct 13 11:46 /var/run/secrets/kubernetes.io/serviceaccount/token
> sh-4.2#
>
> Thanks!
>
> On Mon, Oct 12, 2020 at 11:39 AM Ben Parees <bpar...@redhat.com> wrote:
>>
>> On Mon, Oct 12, 2020 at 7:34 AM Russ Krichevskiy <russ.krichevs...@gmail.com> wrote:
>>>
>>> Hello, I would like to retrieve a secret value while running a script in a
>>> post-commit build hook. The end goal here is to provide credentials to a
>>> command line utility during post-commit without exposing them in the build
>>> log and without baking them into the output image. The secret is set as
>>> described here:
>>> https://docs.openshift.com/container-platform/4.5/builds/creating-build-inputs.html#builds-input-secrets-configmaps_creating-build-inputs
>>>
>>> Given this sample Dockerfile:
>>>
>>> FROM registry.redhat.io/ubi8-minimal
>>> RUN microdnf update -y && rm -rf /var/cache/yum && microdnf clean all
>>> USER 1001
>>>
>>> I get a permission error, as it seems that in the post-commit build hook my
>>> command runs as UID 1001 but the secret is mounted and owned by root:
>>>
>>> <SNIP>
>>> STEP 6: FROM 2aa7c2a5f044025caeb1c2d7b6b4a32d60e4ae3b4b81047029b2b1f3e4b7e5ab
>>> STEP 7: RUN /bin/sh -ic 'whoami; ls -lH /var/run/secrets/openshift.io/build/my-secret/super; cat /var/run/secrets/openshift.io/build/my-secret/super'
>>> sh: cannot set terminal process group (1): Inappropriate ioctl for device
>>> sh: no job control in this shell
>>> whoami: cannot find name for user ID 1001
>>> -rw-------. 1 root root 6 Oct 12 00:57 /var/run/secrets/openshift.io/build/my-secret/super
>>
>> I'm actually surprised this even works, I didn't remember that we mounted
>> your build-secrets into the container we launch for your post-commit hook
>> execution.
>>
>> But since apparently we do, I do not believe we give you any way to
>> control the mount permissions there, so you're likely a bit stuck. I
>> suspect you're going to have to move to a real CI pipeline flow for this
>> (e.g. push your newly built image to a test tag, then run a deployment
>> against the test tag that mounts the secrets and runs your tests, then if
>> that succeeds, re-tag the image for prod or whatever).
>>
>>> cat: /var/run/secrets/openshift.io/build/my-secret/super: Permission denied
>>> subprocess exited with status 1
>>> subprocess exited with status 1
>>> <SNIP>
>>>
>>> Ideally, I don't want to produce an image that runs as root. Are there
>>> any suggestions on how to approach this, or another way to provide sensitive
>>> information in a build hook?
>>>
>>> Thanks.
>>
>> --
>> Ben Parees | OpenShift
>
> --
> Russ Krichevskiy
> Email: russ.krichevs...@gmail.com
> Mobile: 401-369-9726
> www.linkedin.com/in/russkrichevskiy

--
Ben Parees | OpenShift
_______________________________________________ users mailing list users@lists.openshift.redhat.com http://lists.openshift.redhat.com/openshiftmm/listinfo/users
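Added example (editor's note, not part of the thread or of OpenShift's own documentation): what the secret-reading step of the "real CI pipeline flow" Ben describes can look like. The build pushes the candidate image to a test tag; a Job then runs that image as a non-root user, mounts the same secret with a mode the non-root user can read, and runs the check that the post-commit hook could not. Unlike the build hook, a pod gives you control over the mount: `defaultMode` sets the file mode and `fsGroup` makes the kubelet chown the secret files to that group, which is exactly why the builder SA token in the `ls -lH` output above is owned `root:1000730000` and readable. The names `my-project`, `my-app`, the `test` tag, `my-secret`/`super`, and the `my-cli` command are assumptions for illustration.

```yaml
# Added example, not from the thread. Assumed names: namespace my-project,
# image stream my-app with tag "test", secret my-secret with key "super",
# and a placeholder CLI "my-cli" that accepts a password file.
apiVersion: batch/v1
kind: Job
metadata:
  name: my-app-postbuild-test
  namespace: my-project
spec:
  backoffLimit: 0                # a failing check fails the Job; do not retry
  template:
    spec:
      restartPolicy: Never
      securityContext:
        runAsNonRoot: true
        runAsUser: 1001          # same as USER 1001 in the Dockerfile
        fsGroup: 1001            # secret files become root:1001 (see caveat below)
      containers:
      - name: test
        # the candidate image, tagged "test" by the build rather than "prod"
        image: image-registry.openshift-image-registry.svc:5000/my-project/my-app:test
        command: ["/bin/sh", "-c"]
        args:
          - |
            set -eu
            f=/var/run/secrets/my-secret/super
            # fail fast, and never echo the secret itself into the log
            test -r "$f" || { echo "secret not readable by uid $(id -u)" >&2; exit 1; }
            ls -l "$f"           # expect -r--r----- root <fsGroup>
            my-cli --password-file "$f" check   # placeholder: pass by file, not argv
        volumeMounts:
        - name: my-secret
          mountPath: /var/run/secrets/my-secret
          readOnly: true
      volumes:
      - name: my-secret
        secret:
          secretName: my-secret
          defaultMode: 0440      # owner and group read only (octal, YAML 1.1)
```

Caveat for OpenShift specifically: under the default `restricted` SCC, explicit `runAsUser: 1001` / `fsGroup: 1001` are rejected unless they fall inside the namespace's allocated range. In that case simply omit both fields; the SCC assigns a UID and an fsGroup from the range (the `1000730000` seen above), and with `defaultMode: 0440` the secret is still group-readable by the arbitrary UID the container runs as. Once the Job succeeds, promote the same image with `oc tag my-project/my-app:test my-project/my-app:prod`, so the credential never enters the build log or the image.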