Use secret values as parameters of a task #3443
Comments
Thanks for the issue report. We have a Tekton Enhancement Proposal for exactly this kind of scenario: tektoncd/community#225. What I'm proposing in tektoncd/community#225 is to expose Workspaces to individual Steps / Images in a Task. A Secret can then be safely mounted into that Workspace and will only be exposed to the single Step/Image. At the moment params are not a good channel for secret values because the param values are stored as plain text in the TaskRun YAML after execution. So a possible next step on that could be to introduce a TEP for "sensitive params" or "redacted params" or something similar.
Thank you. This makes sense and is a more secure way of doing things. In my case, I want to build an image using kaniko with secret build args, which come from environment variables or are passed as strings (which is not safe, as you mentioned). If I mount a volume/workspace with the secrets in it, I could not find a way to populate the environment variables from a volume. It has to be either a ConfigMap or a Secret object to read environment variables from. What would you recommend?
@skk2142 are you in control of the Task? If you want to write a Task that accepts a Secret and uses it for an env var in only one Step/Image today, you could do it like this:

```yaml
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: example
spec:
  params:
    - name: tokenSecretName
    - name: tokenSecretKey
  steps:
    - name: cant-access-secret
      image: foo
      command: ["echo"]
      args: ["$SECRET_TOKEN"] # SECRET_TOKEN is not defined in this Step, so the secret is not exposed here
    - name: uses-secret-env
      image: foo # the image's entrypoint can read $SECRET_TOKEN
      env: # Kubernetes container field is "env", not "envVar"
        - name: SECRET_TOKEN
          valueFrom:
            secretKeyRef:
              name: $(params.tokenSecretName)
              key: $(params.tokenSecretKey)
```

The way to do this would be to use file redirection into an env var:

```yaml
# in a Step:
script: |
  set +x # don't print the commands (and the token) to the step log
  SECRET_TOKEN=$(cat /path/to/workspace/token-file)
```
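A fuller version of that step script, as an added example that is not part of the original thread or of Tekton's or kaniko's own code: it reads the token from the workspace file with xtrace disabled so the value never reaches the step log, builds the kaniko `--build-arg` flag from it, and checks a log excerpt for the value before it is published. The mount path `/workspace/token/token`, the Dockerfile ARG name `API_TOKEN`, the `IMAGE` variable and the kaniko invocation are assumptions, not something the thread specifies.

```shell
#!/bin/sh
# Added example (not from the thread, Tekton or kaniko): load a secret from a
# mounted workspace file into an env var without writing it to the step log,
# then hand it to kaniko as a build arg.
set -eu

# Read the token from the workspace file into SECRET_TOKEN. The default path is
# an assumption (workspace "token", key "token"); pass another path as $1.
load_secret_token() {
  token_file="${1:-/workspace/token/token}"
  if [ ! -r "$token_file" ]; then
    echo "secret file not readable: $token_file" >&2
    return 1
  fi
  # Remember whether xtrace (set -x) is on, switch it off while the secret is
  # handled, then restore it so the rest of the step stays debuggable.
  case $- in *x*) trace_was_on=1 ;; *) trace_was_on=0 ;; esac
  set +x
  SECRET_TOKEN=$(cat "$token_file")   # $(...) also strips a trailing newline
  export SECRET_TOKEN
  if [ "$trace_was_on" -eq 1 ]; then set -x; fi
  if [ -z "$SECRET_TOKEN" ]; then
    echo "secret file is empty: $token_file" >&2
    return 1
  fi
}

# Build the kaniko flag for a Dockerfile ARG (name is an assumption). Nothing
# here echoes the value; the caller passes it straight to the executor.
kaniko_build_arg() {
  printf '%s=%s=%s' --build-arg "${1:-API_TOKEN}" "$SECRET_TOKEN"
}

# Before a step log (or any other file) is published, make sure the token is
# not in it. Returns 0 when clean, 1 when the secret value appears.
log_is_clean() {
  ! grep -qF -- "$SECRET_TOKEN" "$1"
}

# Usage in the kaniko step. Guarded so the functions can be sourced and tested
# on a machine without kaniko; IMAGE is the destination reference (assumption).
if [ "${KANIKO_RUN:-0}" = "1" ]; then
  load_secret_token
  /kaniko/executor --dockerfile=./Dockerfile --context=/workspace/source \
    --destination="${IMAGE}" "$(kaniko_build_arg API_TOKEN)"
fi
```

This keeps the token out of the TaskRun YAML (it is never a param) and out of the step log (xtrace is off while it is assigned). It does not keep it out of the image: as with `docker build`, the value of an ARG consumed by a RUN instruction is recorded in the resulting image's layer history, so a secret build arg is only as private as the image it produces.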
Thank you, this is what I ended up doing.
Issues go stale after 90d of inactivity. /lifecycle stale Send feedback to tektoncd/plumbing.
Stale issues rot after 30d of inactivity. /lifecycle rotten Send feedback to tektoncd/plumbing.
Feature request
Ability to read secrets in a TaskRun and use them as parameters for the Task.
Use case
I want to use a Task like kaniko from the catalog to build an image. I also need to use a secret token as a build arg. I should not be using that secret inside the Task itself because it is only needed for certain images, and doing so defeats the purpose of build args.