-
-
Notifications
You must be signed in to change notification settings - Fork 330
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
K8s secrets reference from step #3655
base: main
Are you sure you want to change the base?
Conversation
Not sure how complex this is to implement, but if you use internal secrets and print them out to the logs, they're replaced with Also, in my opinion As an alternative to native support, maybe we could implement http service extension doing this? This feature is still in development and not supported yet. I understand however if you would like to support it natively. |
I know, i know... Also thought about it and decided to warn in the docs too.
Will take it.
Extension or external service? Seems, I cannot manage it alone. Edit |
As I wrote, external services are not yet available and still in development... They'll work similar to config extensions (https://woodpecker-ci.org/docs/administration/external-configuration-api) but with possibility so set on them global/org/user/repo level. |
Let's give this PR a try then. Could you add @dominic-p, could you test then? |
Thanks for working on this! I'm ready to test this PR as soon as we get an image published. |
And this too |
@@ -236,6 +244,25 @@ func containerPort(port types.Port) v1.ContainerPort { | |||
} | |||
} | |||
|
|||
func containerSecrets(secretNames []string) []v1.EnvFromSource { | |||
if secretNames == nil || len(secretNames) == 0 { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
if secretNames == nil || len(secretNames) == 0 { | |
if len(secretNames) == 0 { |
if config.NativeSecretsAllowFromStep { | ||
container.EnvFrom = containerSecrets(options.SecretNames) | ||
} else { | ||
log.Debug().Msg("Secret names were defined in backend options, but its using disallowed by instance configuration ") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Minor nit, this doesn't read quite right to me. I would go with:
Secret names were defined in backend options, but secret access is disallowed by instance configuration.
Ok, I was able to test this tonight, and it seems to be working as expected! I was able to successfully build and push my first image to my local repo! 🎉🎉🎉 I did run into one snag. As I mentioned, my main use case for this feature is to provide container image registry credentials to my build script. These credentials are currently stored in a Kubernetes registry cred secret. This kind of secret uses the hardcoded key I was able to work around the issue with |
Could you provide an example?
I use kaniko debug image and plain secret:
kaniko requires Docker auth file in
In my use-case it could be requirements:
Current implementation treat |
Thanks for the detailed feedback. Here's an example secret from my cluster: apiVersion: v1
type: kubernetes.io/dockerconfigjson
kind: Secret
metadata:
name: reg-cred
namespace: woodpcker
data:
.dockerconfigjson: <base64 encoded JSON auth file here> And, here's a portion of the build script that would use it. I'm using buildah to build my container images via a standard shell script. #!/bin/sh
# Create a working container
dev=$(buildah from docker.io/alpine)
# ... build the image
# Save credentials in temporary file
# You would like to do something like this, but, of course, it won't work
# echo "$.dockerconfigjson" > /tmp/.dockerconfigjson
printenv ".dockerconfigjson" > /tmp/.dockerconfigjson
# Save and push the image to our local registry
buildah commit $dev "$name"
buildah push --authfile /tmp/.dockerconfigjson "$name" "docker://$registry_url/$name" So, the simplest workflow for me is to simply dump the reg-cred secret data into a temporary file and then reference it as shown above. Of course, I could use a a regular Opaque secret and build the docker config JSON as you showed in your example (or reference the username and password with At the end of the day, this is not a big deal. There are many usable workarounds. I just wanted to point out the awkwardness that you get when you wind up with an env variable that has a dot in its name. |
Thanks for explanation. This PR have to be reworked then. Meantime I move it to a draft. |
Sure thing. My personal preference would be to release this as-is and then iterate from there. Even in its current form it's enough for my use case. But, I can understand if you want to wait until it's a bit more complete. |
Sure. But we have to decide on syntax. |
Part of #3582
Pipeline:
Test secret:
In log I see warning:
WP output:
Agent config:
WP output: