Merged
41 changes: 13 additions & 28 deletions architecture/core_objects/builds.adoc
Expand Up @@ -147,6 +147,8 @@ images.

Supply the `.dockercfg` file with valid Docker Registry credentials in order to push the output image into a private Docker Registry or pull the
builder image from the private Docker Registry that requires authentication.
For the OpenShift Docker Registry, you don't have to do this because the Secrets

Contributor Author

@ncdc just want to double check I'm not telling lies here :-)

Correct

are generated automatically for you by OpenShift.

The *_.dockercfg_* JSON file exists in your home directory by default and has
following format:
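Review bot: the added sentence "For the OpenShift Docker Registry, you don't have to do this because the Secrets are generated automatically for you by OpenShift" leaves both "this" and "the Secrets" undefined. Suggest saying outright that no `.dockercfg` has to be supplied for the internal registry, and naming where the generated secrets live (this thread mentions auto-generated builder-dockercfg* and default-dockercfg* secrets), so a reader can tell which credentials a build will pick up. The context line "has following format" also wants "the".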
Expand All @@ -171,39 +173,22 @@ You can define multiple Docker registry entries in this file. Alternatively, you
can also add authentication entries to this file by running the `docker login`
command. The file will be created if it does not exist.

Contributor

I wouldn't nuke this, it's still important background about secrets.

Contributor

+1

Contributor Author

un-nuked :)


Kubernetes provides the
https://github.com/GoogleCloudPlatform/kubernetes/blob/master/docs/design/secrets.md[Secret]
resource, which is used to store your configuration and passwords. You must
first create the `*Secret*` before builds can use your *_.dockercfg_* file for
pushing the output image:
Kubernetes provides the https://github.com/GoogleCloudPlatform/kubernetes/blob/master/docs/design/secrets.md[Secret]
resource, which is used to store your configuration and passwords.

Contributor Author

@bparees I nuked the second part because that is no longer true... You have a builder service account that searches all the .dockercfg secrets you have and tries to find the valid one...

Contributor

hmm... so do we discuss how to add a new .dockercfg secret to the service account?

adding secrets to service accounts generally is on my massive list of things to doc asap

Contributor Author

@bparees so we have nothing to document here before it gets done... once you are able to add a new dockercfg to the builder account, then this 'manual' way will be obsoleted and you just add the secrets and you don't have to specify anything in BuildConfig

Contributor

if that's true should we be removing the buildconfig field entirely? if not we still need to document it.

it can still be useful if you have multiple credentials for the same registry and you want the build to use a particular one

Contributor

yeah, so we still need to doc it, along with an explanation of what the "normal" path (service account credentials) is.

====
----
$ osc create -f secret.json
----
====

The `*data*` field for the `*Secret*` object must contain the `*dockercfg*` key
with the value set to the base64-encoded content of the *_.dockercfg_* file. For
example:
To create the `*Secret*` resource from your local `.dockercfg` file, you can run
following command:

====

----
{
"apiVersion": "v1beta3",
"kind": "Secret",
"metadata": {
"name": "dockerhub"
},
"data": {
"dockercfg": "6yJodHRwc1ovL2zuZGV4LmRvY21lci5aby92MS8iOnsiYXV0aCI6ImJXWnZhblJwYXpwdVoybGxkR2d4TUE9PSIsImVtYWlsIj8ibWlAbWlmby5zayJ9fQ=="
}
}

$ openshift ex bundle-secret dockerhub ~/.dockercfg | osc create -f -

Contributor

little more detail on what this does please...
"generates json describing a secret named 'dockerhub' and then passes it to osc create which will define the new secret object in your current namespace"

Contributor Author

fixed, thanks!

----
====

Contributor

I seem to recall it being important that the key be named specifically dockercfg (no dot prefix) in the data stanza. Is this no longer the case? The bundle-secret command seems to use whatever the file name given is, in the below example's case .dockercfg:

    "data": {
        ".dockercfg": "ewoJImh0dHBzOi8vaW5kZXguZG9ja2VyLmlvL3YxLyI6IHsKCQkiYXV0aCI6ICJZV1JsYkd4aGNHVTZSMmxoYm5SaWIyMWlJVEU9IiwKCQkiZW1haWwiOiAiYWRlbGxhcGVAcmVkaGF0LmNvbSIKCX0KfQ=="

Contributor

openshift/origin#1453 is what I was thinking about, but from looking now at some auto-generated secrets like builder-dockercfg* and default-dockercfg* (which have .dockercfg in data), I'm even less sure.

Contributor Author

@adellape the bundle-secret .dockercfg will automatically add that key for you, so you don't have to worry about that anymore.

Contributor Author

@adellape what is important here is the name of the Secret, which is in this case 'dockerhub'

Contributor

Cool, thanks for clarifying!

This command generates JSON specification of the Secret resource named
'dockerhub'. Then this resource is passed to the standard input of `*osc create*`
command.

Once you have the `*Secret*` created, you can add a `PushSecret` field into the
`Output` section of the `BuildConfig` and set it to the name of the `*Secret*`
that you created, which in the above example is `*dockerhub*`:
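Review bot: the paragraph after the `bundle-secret` command ("This command generates JSON specification of the Secret resource named 'dockerhub'") does not say which key the command writes under `data` or where the Secret ends up. The earlier wording in this hunk required a `dockercfg` key, while the output quoted in this thread shows `.dockercfg`, so state the key the command emits and that `osc create` defines the Secret in the current namespace. "you can run following command" needs "the", and the `PushSecret` paragraph should say when the field is still needed, given the builder service account lookup described in the thread.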
Expand All @@ -230,7 +215,7 @@ Pull the builder Docker image from a private Docker registry by specifying the
----
{
"strategy": {
"stiStrategy": {
"sourceStrategy": {
"from": {
"kind": "DockerImage",
"name": "docker.io/user/private_repository"
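Review bot: the renamed field `"sourceStrategy"` appears in this example with nothing telling the reader which API version accepts it. Someone on a version that still expects `"stiStrategy"` may copy an example their server does not accept, so suggest a short note beside the example naming the API version, the way the Secret JSON earlier in this diff carries `"apiVersion": "v1beta3"`.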
Expand All @@ -239,7 +224,7 @@ Pull the builder Docker image from a private Docker registry by specifying the
"name": "dockerhub"
},
},
"type": "STI"
"type": "Source"
}
}
----
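Review bot: the two consecutive `},` lines after `"name": "dockerhub"` leave a trailing comma directly in front of a closing brace, which strict JSON parsers reject. Since the example is already being touched for the `"type": "Source"` change, drop the comma on the first `},` so the snippet parses as JSON when copied.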