Remove secrets from Docker Images #1191
|
@DazWilkin I also verified that in this configuration, |
Codecov Report
@@ Coverage Diff @@
## master #1191 +/- ##
=========================================
- Coverage 30.33% 30.3% -0.03%
=========================================
Files 48 48
Lines 3867 3867
=========================================
- Hits 1173 1172 -1
- Misses 2512 2513 +1
Partials 182 182
|
Checking it now. |
|
Otherwise, it appears to work. I continue to have issues with |
|
Just added the keys to the sequencer. See if that doesn't solve the context deadline exceeded issue... |
|
I'd added the keys myself to get it to work but it doesn't address my issue :-( |
|
The other place to look for these context deadline errors is the trillian log sequencer. If either the KT sequencer or the log sequencer is having issues, clients will see deadline exceeded. |
|
checking |
|
Everything else appears (!?) to be OK. The only other recurring log entry that I see across the services is in NB Typo in But, otherwise, everything appears OK. Should I publish my logs? |
|
I have been unclear as to whether I should use Trying again using |
|
That timeout error is happening really quickly. I think the client is picking up an odd default timeout value of |
|
The other thing that is happening is that we're starting the timeout counter before the user goes through the OAuth flow |
|
So, you're telling me that my 'open link', allow, copy-paste then enter is too slow? ;-) |
|
It's embarrassing :-) Fix: #1195 |
|
This isn't an issue introduced by this PR, but shouldn't the key generation scripts create and chmod the files before writing the keys to them? |
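The ordering asked about in the comment above, as an added example that is not part of this PR or the project's scripts: the file is created with mode 0600 first and the key is written into it afterwards. The function names and the stand-in key generator are hypothetical.

```shell
#!/bin/sh
# Added example (function names are hypothetical): give the key file mode 0600
# before any key bytes are written, so it is never readable under a lax umask.

# create_private_file PATH: create PATH empty, owner read/write only.
create_private_file() {
    path=$1
    # Refuse an existing path, including a symlink someone placed there.
    if [ -e "$path" ] || [ -L "$path" ]; then
        echo "refusing to overwrite $path" >&2
        return 1
    fi
    # Subshell keeps the caller's umask intact; noclobber (set -C) makes the
    # create fail if the path appears between the check above and this line.
    ( umask 077 && set -C && : > "$path" ) || return 1
    chmod 600 "$path"
}

# write_private_key PATH CMD [ARGS...]: store CMD's stdout in PATH.
write_private_key() {
    path=$1; shift
    create_private_file "$path" || return 1
    # Append into the already-restricted file; drop it if generation fails.
    if ! "$@" >> "$path"; then
        rm -f "$path"
        return 1
    fi
}

# file_mode PATH: print permission bits in octal (GNU stat, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Constructed stand-in for the real key generator command.
fake_keygen() { printf '%s\n' '-----CONSTRUCTED SAMPLE, NOT A KEY-----'; }

demo_dir=$(mktemp -d)
write_private_key "$demo_dir/server.key" fake_keygen
echo "server.key mode: $(file_mode "$demo_dir/server.key")"
rm -rf "$demo_dir"
```

In a real script the arguments after the path would be the key generation command the script already runs, with its output sent to stdout.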
Use go env GOPATH for situations where the GOPATH environment variable may be unset https://golang.org/cmd/go/#hdr-GOPATH_environment_variable
| mkdir -p "${GOPATH}/src/github.com/google/keytransparency/genfiles" | ||
| cd "${GOPATH}/src/github.com/google/keytransparency/genfiles" | ||
| mkdir -p "$(go env GOPATH)/src/github.com/google/keytransparency/genfiles" | ||
| cd "$(go env GOPATH)/src/github.com/google/keytransparency/genfiles" |
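Review bot: The `cd` on the last line has no failure handling in the lines shown. If the genfiles directory cannot be created or entered, whatever the script generates next is written to the caller's current directory, so unless the script already runs under `set -e`, end the line with `|| exit 1`. Computing the path once into a variable and using it for both `mkdir -p` and `cd` would also avoid calling `go env GOPATH` twice and keep the two lines from drifting apart.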
super-nit: Won't work as expected if $GOPATH contains more than one path
| a) ADDRESS=${OPTARG};; | ||
| s) SAN_DNS=${OPTARG};; | ||
| *) echo "usage: ./generate.sh -d <domain> -a <ip_address> -s <san_extension_DNS>"; exit 1;; | ||
| *) echo "usage: ./gen_server_keys.sh -d <domain> -a <ip_address> -s <san_extension_DNS>"; exit 1;; |
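Review bot: The usage text in the `*)` branch goes to stdout and hardcodes the script name, the same string this change had to correct by hand. Send it to stderr and derive the name from the invocation, for example `echo "usage: $(basename "$0") -d <domain> -a <ip_address> -s <san_extension_DNS>" >&2; exit 1;;`.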
nit: Can use $0 or $(basename $0) instead of the filename here.
* master: (106 commits)
  Remove unused logVerifier (google#1324)
  Verify Revisions in StreamRevisions (google#1323)
  Pair verifier functions (google#1322)
  Split VerifyRevision into Verify{LogRoot,MapRevision (google#1318)
  Make Previous hash check optional (google#1307)
  Remove VerifySignedMapRoot from VerifierInterface (google#1320)
  Remove trailing whitespace (google#1321)
  Encapsulate Client Verifier State in test vectors (google#1316)
  Pass along err message (google#1314)
  Remove unnessesary func() (google#1319)
  New test vector transcript format (google#1315)
  Track map revision inside mutation (google#1310)
  Move verifier to its own package (google#1312)
  go generate ./... (google#1306)
  Fix proto copying in revisions and paginator tests. (google#1309)
  Fix proto copying in server_test. (google#1308)
  go mod tidy (google#1305)
  Use new TrillianMapWrite API (google#1304)
  Configurable maximum queue depth for metric reporting. (google#1303)
  Proposal to refine docker deployment (google#1302)
  ...
Private keys should not be part of the docker images.
This was an old hack that predated docker's secrets feature.
TODO / Help wanted: add a kubernetes configmap that does the same thing.