rookie099

Reputation: 2607

Install input secret into OpenShift build configuration

I have an OpenShift 3.9 build configuration my_bc and a secret my_secret of type kubernetes.io/ssh-auth. The secret was created like so:

oc create secret generic my_secret \
  --type=kubernetes.io/ssh-auth \
  --from-file=key

I have installed it as source secret into my_bc, and oc get bc/my_bc -o yaml reveals this spec:

source:
  contextDir: ...
  git:
    uri: ...
  sourceSecret:
    name: my_secret
  type: Git

As such, it is already effective in the sense that the OpenShift builder can pull from my private Git repository and produce an image with its Docker strategy.

I would now like to add my_secret also as an input secret to my_bc. My understanding is that this would not only allow the builder to make use of it (as source secret), but would allow other components inside the build to pick it up as well (as input secret). E.g. for the Docker strategy, it would exist in WORKDIR.

The documentation explains this with an example that adds the input secret when a build configuration is created:

oc new-build \
  openshift/nodejs-010-centos7~https://github.com/openshift/nodejs-ex.git \
  --build-secret secret-npmrc

Now the corresponding spec refers to the secret under secrets (not: sourceSecret), presumably because it is now an input secret (not: source secret).

source:
  git:
    uri: https://github.com/openshift/nodejs-ex.git
  secrets:
  - destinationDir: .
    secret:
      name: secret-npmrc
  type: Git

oc set build-secret apparently allows adding source secrets (as well as push and pull secrets -- these are for interacting with container registries) to a build configuration with command line argument --source (as well as --push/--pull), but what about input secrets? I did not find out yet.

So I have these questions:

  1. How can I add my_secret as input secret to an existing build configuration such as my_bc?

  2. Where would the input secret show up at build time, e.g. under which path could a Dockerfile pick up the private key that is stored in my_secret?

Upvotes: 3

Views: 2830

Answers (2)

simbo1905

Reputation: 6832

In the comments to the question it mentions to patch the BuildConfig. Here is a patch that works on v3.11.0:

$ cat patch.json
{
    "spec": {
        "source": {
            "secrets": [
                {
                    "secret": {
                        "name": "secret-npmrc"
                    },
                    "destinationDir": "/etc"
                }
            ]
        }
    }
}
$ oc patch -n your-eng bc/tag-realworld -p "$(<patch.json)"
buildconfig "tag-realworld" patched

Upvotes: 0

rookie099

Reputation: 2607

This procedure now works for me (thanks to @GrahamDumpleton for his guidance):

  1. leave build configuration's source secret as is for now; get bc/my_bc -o jsonpath='{.spec.source.sourceSecret}' reports map[name:my_secret] (w/o path)
  2. add input secret to build configuration at .spec.source.secrets with YAML corresponding to oc explain bc.spec.source.secrets: oc edit bc/my_bc
  3. sanity checks: oc get bc/my_bc -o jsonpath='{.spec.source.secrets}' reports [map[destinationDir:secret secret:map[name:my_secret]]]; oc describe bc/my_bc | grep 'Source Secret:' reports Source Secret: my_secret (no path) and oc describe bc/my_bc | grep "Build Secrets:" reports Build Secrets: my_secret->secret
  4. access secret inside Dockerfile in a preliminary way: COPY secret/ssh-privatekey secret/my_secret, RUN chmod 0640 secret/my_secret; adjust ssh-privatekey if necessary (as suggested by oc get secret/my_secret -o jsonpath='{.data}' | sed -ne 's/^map\[\(.*\):.*$/\1/p')
  5. rebuild and redeploy image
  6. sanity check: oc exec -it <pod> -c my_db file /secret/my_secret reports /secret/my_secret: PEM RSA private key (the image's WORKDIR is /)

Upvotes: 4
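The two answers above take different routes to the same edit of `.spec.source.secrets` (a JSON patch in one, `oc edit` in the other). The script below is an added example, not code from either poster or from OpenShift: it generates the merge patch for `oc patch --type=merge`, emulates the merge on a constructed sample of the question's BuildConfig, and reproduces the sanity checks of steps 1 and 3 (source secret untouched, `Build Secrets: my_secret->secret`). A merge patch replaces the whole `secrets` list, so the generator carries over any entries already present instead of clobbering them. The BuildConfig contents, Git URI and secret names are constructed sample values.

```python
"""Generate and verify a patch that adds an input secret to an OpenShift BuildConfig.

Added example (not from the answers above). Apply the printed patch with:
    oc patch bc/my_bc --type=merge -p "$(python3 add_input_secret.py)"
"""
import copy
import json

# Constructed sample: roughly what `oc get bc/my_bc -o json` shows for the question's
# build configuration. The Git URI is a placeholder.
SAMPLE_BC = {
    "apiVersion": "build.openshift.io/v1",
    "kind": "BuildConfig",
    "metadata": {"name": "my_bc"},
    "spec": {
        "source": {
            "type": "Git",
            "contextDir": "app",
            "git": {"uri": "ssh://git@example.invalid/repo.git"},
            "sourceSecret": {"name": "my_secret"},
        }
    },
}


def input_secret_patch(bc, secret_name, destination_dir="secret"):
    """Return a JSON merge patch that adds secret_name under .spec.source.secrets.

    A merge patch replaces the entire list, so existing input secrets are copied
    into the new list first. An empty dict means the entry is already present.
    """
    existing = bc.get("spec", {}).get("source", {}).get("secrets") or []
    for entry in existing:
        if entry["secret"]["name"] == secret_name and entry.get("destinationDir") == destination_dir:
            return {}
    secrets = copy.deepcopy(existing)
    secrets.append({"secret": {"name": secret_name}, "destinationDir": destination_dir})
    return {"spec": {"source": {"secrets": secrets}}}


def merge_patch(obj, patch):
    """Apply an RFC 7386 JSON merge patch (the semantics of `oc patch --type=merge`)."""
    if not isinstance(patch, dict):
        return copy.deepcopy(patch)
    result = copy.deepcopy(obj) if isinstance(obj, dict) else {}
    for key, value in patch.items():
        if value is None:
            result.pop(key, None)  # null in a merge patch deletes the key
        else:
            result[key] = merge_patch(result.get(key), value)
    return result


def build_secrets(bc):
    """Map secret name -> destinationDir, what `oc describe bc` lists as 'Build Secrets:'."""
    return {
        s["secret"]["name"]: s.get("destinationDir", ".")
        for s in bc["spec"]["source"].get("secrets", [])
    }


def check(bc, secret_name, destination_dir):
    """Sanity checks from steps 1 and 3: source secret still set, input secret present."""
    source = bc["spec"]["source"]
    return (
        source.get("sourceSecret") == {"name": secret_name}
        and build_secrets(bc).get(secret_name) == destination_dir
    )


if __name__ == "__main__":
    patch = input_secret_patch(SAMPLE_BC, "my_secret", "secret")
    assert check(merge_patch(SAMPLE_BC, patch), "my_secret", "secret")
    print(json.dumps(patch))
```

With `destinationDir: secret`, the Docker strategy makes the key available under `secret/` in the build context, which is where step 4's `COPY secret/ssh-privatekey ...` reads it from. Note that the `COPY` in step 4 places the private key in an image layer, which is why step 6 can still find it in the running pod; anyone able to pull the image can read it from there too, so treat the image itself as containing a credential.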
