New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Reference secret values from Kubernetes secrets #3582
Comments
An alternative would be to have all implementation specific parts in 'backend_options' - 'kubernetes' |
Yes, that makes sense as well. We could have an implementation like this: steps:
- name: test
image: alpine
commands:
- echo $my_password
backend_options:
kubernetes:
secrets:
- name: my_password
secretRef: my-top-secret-password
key: password |
As I understand FR: There might be security concerns... However, if we run workload in separate namespace, then probably OK. Feature can be gated by Agent's flag.
There are global and org secrets.
You can use WP secrets :)
This is another thing. At least from implementation point of view. |
Yes, that's the general idea, and yes, security is definitely something to think through here. I see a couple of options off the top of my head:
I like the annotation option because is provides for some flexibility. Depending on how the annotation is structured, it could even limit the scope of access to the Secret to a specific org or even repo.
Yes, I'm aware of WP secrets at the global and org level. But, since they have to be defined manually, keeping them in-sync with the Kubernetes Secrets becomes a problem.
I'm not sure why integrating with other external secret providers has be different from an implementation point of view. But, I'm not very familiar with the WP codebase. |
Because it is server-side. Server parses pipeline, goes to external provider, loads secret, then set env vars for Agent/backend. And your example is purely Agent/backend side. I can just translate it into secretKeyRef Pod's definition.
It's just dirty hack :) |
Thanks for the explanation. That makes a lot of sense. Keeping it with the other Kubernetes backend options seems like it would definitely be the path of least resistance. Yes, we could support annotations like this maybe: apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: my-pipeline-secret
annotations:
woodpecker-ci.org/org-access: "my-org,another-org"
woodpecker-ci.org/repo-access: "my-repo,another-one"
data:
password: d29vZHBlY2tlciByb2NrcyE= |
To be done:
|
Having last updates, syntax below came up in my mind. apiVersion: v1
kind: Secret
metadata:
name: aws
namespace: woodpecker
data:
key-id: N0lrZHNzb0xleGFtcGxlNkpJVnZDRXE=
access-key: TXk0WE5BYXNleGFtcGxldXRKRHNUWHc=
type: Opaque
backend_options:
kubernetes:
secrets:
- name: aws
backend_options:
kubernetes:
secrets:
- name: aws
key: access-key
backend_options:
kubernetes:
secrets:
- name: aws
key: key-id
target:
env: AWS_ACCESS_KEY_ID
- name: aws
key: access-key
target:
env: AWS_SECRET_ACCESS_KEY
apiVersion: v1
type: kubernetes.io/dockerconfigjson
kind: Secret
metadata:
name: reg-cred
namespace: woodpcker
data:
.dockerconfigjson: <base64 encoded JSON auth file here> backend_options:
kubernetes:
secrets:
- name: reg-cred
key: ".dockerconfigjson"
target:
file: "~/.docker/config.json" What do you think? |
I love it. This syntax seems perfect to me. |
Being able to do the same things with ConfigMap's would be super swell for things like certificate bundles and site-specific config files that don't belong in git, and the logic should be nearly copy-paste. |
Clear and concise description of the problem
It would be nice to be able to leverage Kubernetes native Secrets inside of Woodpecker pipelines.
Suggested solution
I'm imagining a workflow definition that looks like this:
So, the
docker_username
secret would be referenced as it normally is today. The value for theDOCKER_PASSWORD
secret would come from a Kubernetes Secret calledmy-docker-secret
that is defined in the same namespace that the pipeline runs in. That secret is expected to have a key namedpassword
that contains the value that we want to use for the secret.This is loosely based on the way Drone does it and the way that Kubernetes allows you to reference secrets for env variables.
The exact syntax is, of course, flexible, but the idea is to allow for other external secret providers as well (see #929).
Alternative
Right now, it seems like the only way to define secrets is via the UI or the CLI. This works, but it isn't ideal if you already have the secrets defined in your cluster.
Another alternative would be to store the information in global env variables, but that doesn't seem ideal from a security standpoint.
Another option would be to expand the Kubernetes backend volume mounting logic to allow mounting Secrets in addition to PVs.
Additional context
This is part of my ongoing effort to get a container build system (specifically buildah) to run on Woodpecker on a CRI-O based Kubernetes cluster. I currently have it up and working, but I need a way to pass registry credentials to it. Otherwise, I can build images, but I can't push them to my repo when I'm done.
There may be a simpler way to do this that I'm just missing at the moment.
Validations
next
version already [https://woodpecker-ci.org/faq#which-version-of-woodpecker-should-i-use]The text was updated successfully, but these errors were encountered: