Add support for secrets #63
talex5
left a comment
Looks like a very useful feature!
Please add a test-case to test_docker to check the serialisation.
Would be nice to change the syntax from:
(secrets ((foo ...)))
to
(secrets (foo ...))
Also, the README needs updating.
Thanks!
Thanks for your review! I've addressed all the points you mentioned, and updated the readme, changelog and
Also, load secrets from files rather than putting them on the command-line (where they will appear in the shell history, `ps` output, etc).
talex5
left a comment
Thanks! I pushed some minor changes:
- Replaced use of the phrase "secret key", which could be confusing.
- Got the binary to read the secrets from files rather than taking them as command-line arguments. Command-line arguments appear to other users in `ps` output, end up in shell history, etc.
If you're happy with that, then it's ready to merge.
Great, that looks good. I'm happy with that! I'll update the ocluster PR.
CHANGES:
- Use GNU tar format instead of UStar for `copy` operations (@TheLortex ocurrent/obuilder#82, reviewed @dra27). This enables copying from sources containing long file names (>100 characters).
- Add support for secrets (@TheLortex ocurrent/obuilder#63, reviewed by @talex5). The obuilder spec's `run` command supports a new `secrets` field, which allows temporarily mounting secret files in a user-specified location. The sandbox build context has an additional `secrets` parameter to provide values for the requested keys.
- Limit permissions on temporary directories (@talex5 ocurrent/obuilder#67)
- Check Linux kernel version support for btrfs (@kit-ty-kate ocurrent/obuilder#68)
- Generalise obuilder sandbox, removing runc/linux specific pieces and making the S.SANDBOX interface more general (@patricoferris ocurrent/obuilder#58, reviewed by @talex5, @avsm, @MisterDA)
- Convert --fast-sync back to a flag (@talex5 ocurrent/obuilder#72)
- Support Fmt.cli and Logs.cli flags. (@MisterDA ocurrent/obuilder#74, reviewed by @talex5) For Fmt the new options are --color=always|never|auto. For Log the new options are:
  -v, --verbose  Increase verbosity
  --verbosity=LEVEL (absent=warning)  Be more or less verbose. LEVEL must be one of quiet, error, warning, info or debug. Takes over -v.
- Minor cleanup changes (@talex5 ocurrent/obuilder#76)
- Fix deprecations in Fmt 0.8.10 (@tmcgilchrist ocurrent/obuilder#80)
- Remove travis-ci and replace with Github Actions (@MisterDA ocurrent/obuilder#84)
- Add RSync store backend for obuilder to support macOS builders (@patricoferris ocurrent/obuilder#88, reviewed @talex5)
- Fixes for ZFS tests in CI (@patricoferris ocurrent/obuilder#91)
A secret is an externally provided key-value pair that can be mounted on demand by the job. This PR implements:
- `secrets` field in the `run` command, which mounts a list of secret files in the chosen target, or in `/run/secrets/[id]` if the target is not provided.
- `--mount=type=secret,id=[id],dst=[target]` option.
- `secrets` parameter in order to provide the values.
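An added example, not obuilder's own code nor code from this PR: it serialises a secret request into the `--mount=type=secret,id=[id],dst=[target]` option described above (defaulting to `/run/secrets/[id]`) and reads secret values from files rather than from command-line arguments, the point raised in the review. The id character-set check, the `run_line` shape and the `demo` helper are my assumptions for illustration.

```python
import re
import tempfile
from pathlib import Path
from typing import Optional

# Illustrative code, not obuilder's implementation: serialise a secret request
# (id plus optional target) into the BuildKit mount option quoted in the PR,
# and read secret values from files rather than taking them on the command line.
SAFE_ID = re.compile(r"^[A-Za-z0-9_.-]+$")  # assumed id charset, not obuilder's
DEFAULT_SECRET_DIR = "/run/secrets"


def mount_option(secret_id: str, target: Optional[str] = None) -> str:
    # Target defaults to /run/secrets/[id], as the PR description states.
    # Both values are spliced into a comma-separated option string, so a ','
    # or '=' in either would change the option's meaning: reject them.
    if not SAFE_ID.match(secret_id):
        raise ValueError(f"unsafe secret id: {secret_id!r}")
    if target is None:
        target = f"{DEFAULT_SECRET_DIR}/{secret_id}"
    if not target.startswith("/") or "," in target or "=" in target:
        raise ValueError(f"unsafe secret target: {target!r}")
    return f"--mount=type=secret,id={secret_id},dst={target}"


def run_line(shell: str, secrets: list) -> str:
    # Serialise one `run` step and its (id, target) secrets as a RUN line.
    opts = [mount_option(i, t) for i, t in secrets]
    return " ".join(["RUN", *opts, shell])


def load_secrets(requested: list, secret_dir: Path) -> dict:
    # Read each value from secret_dir/<id>. Values come from files (the
    # reviewer's point in the thread) so they never appear in `ps` output
    # or shell history; a missing file is an error, not an empty secret.
    values = {}
    for secret_id in requested:
        path = secret_dir / secret_id
        if not SAFE_ID.match(secret_id) or not path.is_file():
            raise FileNotFoundError(f"no secret file for {secret_id!r}")
        values[secret_id] = path.read_text().rstrip("\n")
    return values


def demo() -> dict:
    # Constructed end-to-end run: one secret file on disk, one RUN line.
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "foo").write_text("constructed-secret\n")
        values = load_secrets(["foo"], Path(d))
    return {"values": values, "run": run_line("cat /run/secrets/foo", [("foo", None)])}
```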