@amisevsk amisevsk commented Sep 1, 2022

What does this PR do?

Ignore any mount-path annotations on secrets labelled 'controller.devfile.io/git-credential'. Instead, always mount the merged git credentials secret to /.git-credentials/.

Additionally, mount the credentials file as files rather than using subpath mounts, in order to ensure changes to the on-cluster secret can be propagated to the running workspace without requiring a restart.

What issues does this PR fix or reference?

Closes #915

Is it tested? How?

  1. Create a secret with git-credentials label:
    kind: Secret
    apiVersion: v1
    metadata:
      name: git-credentials-test-secret
      labels:
        controller.devfile.io/git-credential: 'true'
        controller.devfile.io/watch-secret: 'true'
    data:
      credentials: aGVsbG8gd29ybGQK # "hello world"
    type: Opaque
  2. Start a workspace and verify file /.git-credentials/credentials is mounted and contains text "hello world"
  3. Edit the secret in the cluster, changing the value of the credentials key
  4. Update the workspace in any way to trigger a reconcile (e.g. add an annotation)
  5. Check that file /.git-credentials/credentials reflects the new value (this may take some time to propagate down)

PR Checklist

  • E2E tests pass (when PR is ready, comment /test v8-devworkspace-operator-e2e, v8-che-happy-path to trigger)
    • v8-devworkspace-operator-e2e: DevWorkspace e2e test
    • v8-che-happy-path: Happy path for verification integration with Che

Ignore any mount-path annotations on secrets labelled
'controller.devfile.io/git-credential'. Instead, always mount the merged
git credentials secret to `/.git-credentials`.

Additionally, mount the credentials file as files rather than using
subpath mounts, in order to ensure changes to the on-cluster secret can
be propagated to the running workspace without requiring a restart.

Signed-off-by: Angel Misevski <[email protected]>
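
Why dropping subpath mounts lets an edited secret reach a running workspace, shown as an added simulation (not code from this PR or the operator). It mirrors the symlink layout the kubelet uses for Secret volumes; the `..v1`/`..v2` directory names and the payloads are constructed, and an open file descriptor stands in for the subPath bind mount, which needs root to create for real.

```python
import os
import tempfile


def publish(volume_dir, payload, version):
    """Write payload using the kubelet-style layout: versioned dir + ..data symlink."""
    versioned = os.path.join(volume_dir, f"..v{version}")  # constructed directory name
    os.mkdir(versioned)
    with open(os.path.join(versioned, "credentials"), "w") as f:
        f.write(payload)
    # Swap ..data atomically: build a temporary link, then rename it over the old one.
    tmp_link = os.path.join(volume_dir, "..data_tmp")
    os.symlink(os.path.basename(versioned), tmp_link)
    os.replace(tmp_link, os.path.join(volume_dir, "..data"))
    # The user-visible file is a symlink through ..data and is created only once.
    visible = os.path.join(volume_dir, "credentials")
    if not os.path.islink(visible):
        os.symlink(os.path.join("..data", "credentials"), visible)
    return visible


def demo():
    """Return (directory-mount view, subPath-style view) after the secret is edited."""
    with tempfile.TemporaryDirectory() as volume_dir:
        visible = publish(volume_dir, "hello world\n", 1)
        # A subPath mount binds whatever file the symlink chain resolved to when the
        # container started. An fd opened now pins that same inode, so it stands in
        # for the bind mount in this simulation.
        subpath_fd = os.open(os.path.realpath(visible), os.O_RDONLY)
        try:
            publish(volume_dir, "rotated token\n", 2)  # secret edited on the cluster
            with open(visible) as f:  # directory mount: path is re-resolved on open
                directory_view = f.read()
            subpath_view = os.pread(subpath_fd, 4096, 0).decode()
        finally:
            os.close(subpath_fd)
        return directory_view, subpath_view


if __name__ == "__main__":
    directory_view, subpath_view = demo()
    print("directory mount sees:", directory_view.strip())
    print("subPath mount sees:  ", subpath_view.strip())
```

The subPath-style reader keeps serving the old credential after the update, which is the case that matters when a token has been rotated or revoked.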
@amisevsk amisevsk requested a review from ibuziuk as a code owner September 1, 2022 23:26
@openshift-ci openshift-ci bot added the approved label Sep 1, 2022
@amisevsk amisevsk requested review from AObuchow and dkwon17 September 2, 2022 00:31

@AObuchow AObuchow left a comment

Tested (following the PR instructions) and works as expected:

bash-5.1$ cd  /.git-credentials/
bash-5.1$ cat credentials 
hello world

Modified the secret credentials data to: fafghe9gd29ybGQK, added an annotation to the workspace, then:

bash-5.1$ cat credentials 
}����`world

openshift-ci bot commented Sep 2, 2022

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: amisevsk, AObuchow, dkwon17

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@amisevsk amisevsk merged commit d342380 into devfile:main Sep 6, 2022
@amisevsk amisevsk deleted the non-subpath-git-credentials branch September 6, 2022 20:04
l0rd commented Sep 8, 2022

Should we update the documentation and remove the reference to controller.devfile.io/mount-path?

Development

Successfully merging this pull request may close these issues.

Update how personal access token git credentials are mounted into workspaces
