Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Kubeconfig creator task accepts secrets as parameters #639

Open
afrittoli opened this issue Feb 1, 2021 · 10 comments
Open

Kubeconfig creator task accepts secrets as parameters #639

afrittoli opened this issue Feb 1, 2021 · 10 comments
Labels
area/dogfooding Indicates an issue on dogfooding (aka using Pipeline to test Pipeline) help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness.

Comments

@afrittoli
Copy link
Member

Expected Behavior

Tasks never accept secrets as parameters. A workspace (or a secret name) and field names can be used to provide access to secrets stored as k8s secrets or as files on a volume.

Actual Behavior

The kubeconfig creator tasks https://hub.tekton.dev/tekton/task/kubeconfig-creator accepts several secrets as parameters. This is an issue because there's no way to avoid secrets being exposed if they are passed as parameters to a task.
The value of those parameters will be stored in etcd, accessible via the CLI/dashboard (even in readonly mode) and might even be sent in cloud events notifications when they are enabled.
@afrittoli
Copy link
Member Author

/cc @divyansh42

@afrittoli
Copy link
Member Author

FYI @psschwei

@afrittoli
Copy link
Member Author

As noted by @sm43, our kubeconfigwriter image does not include bash, and it only accepts its input as an inline json.

I think there are a couple of alternatives we could adopt:

  • add an alternative input param to the kubeconfigwriter command, that takes a filename where the params are written
  • add bash to the base image used for kubeconfigwriter

/cc @vdemeester

@vdemeester
Copy link
Member

Maybe both are possible even 😛 .

@tekton-robot
Copy link

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale with a justification.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/lifecycle stale

Send feedback to tektoncd/plumbing.

@tekton-robot tekton-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Oct 14, 2021
@tekton-robot
Copy link

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten with a justification.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/lifecycle rotten

Send feedback to tektoncd/plumbing.

@tekton-robot tekton-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Nov 13, 2021
@tekton-robot
Copy link

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen with a justification.
Mark the issue as fresh with /remove-lifecycle rotten with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/close

Send feedback to tektoncd/plumbing.

@tekton-robot
Copy link

@tekton-robot: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen with a justification.
Mark the issue as fresh with /remove-lifecycle rotten with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/close

Send feedback to tektoncd/plumbing.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@afrittoli afrittoli removed the lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. label Jan 26, 2022
@afrittoli afrittoli reopened this Jan 26, 2022
@afrittoli
Copy link
Member Author

/lifecycle frozen

@tekton-robot tekton-robot added the lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. label Jan 26, 2022
@dibyom dibyom added the help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. label Jun 29, 2022
@dibyom dibyom added the area/dogfooding Indicates an issue on dogfooding (aka using Pipeline to test Pipeline) label Aug 17, 2022
@vinamra28
Copy link
Member

@afrittoli @dibyom @vdemeester do we still want this? 😅
with removal of PipelineResources and their corresponding images, do we want to maintain this task and it's respective image?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/dogfooding Indicates an issue on dogfooding (aka using Pipeline to test Pipeline) help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness.
Projects
Tekton Community Roadmap
Status: Todo
Milestone
No milestone
Development

No branches or pull requests
5 participants
@vdemeester @afrittoli @dibyom @vinamra28 @tekton-robot