Description of problem:
--build-secret option doesn't copy secret to built image
Version-Release number of selected component (if applicable):
$oc get clusterversion
NAME VERSION AVAILABLE PROGRESSING SINCE STATUS
version 4.0.0-0.2 True False 19m Cluster version is 4.0.0-0.2
Steps to Reproduce:
1. Create a build with configmap and secret.
$oc create secret generic secrettest --from-literal=aoskey\=aosvalue
$oc create configmap cmtest --from-file=configmap.test
$oc new-build https://github.com/openshift/ruby-hello-world --image-stream=ruby --build-config-map=cmtest:test --build-secret=secrettest:test
3. Deploy pod with built image
oc run myapp --image=image-registry.openshift-image-registry.svc:5000/xiu/ruby-hello-world
4. Log into pod to check if files are copied
Output to: ImageStreamTag ruby-hello-world:latest
Build Secrets: secrettest->secrettest
Build ConfigMaps: cmtest->secrettest
Step 4: Only configmap file is copied to dest dir.
$oc rsh myapp-3-dlskq
sh-4.2$ls test/ -l
lrwxrwxrwx. 1 default root 16 Jan 28 09:25 configmap -> ..data/configmap
Secret should be copied to dest dir when specifying --build-secret
The idea behind build secrets is they are available at build time, but not included in the output image.
If your Dockerfile includes a RUN command that lists the content, you'll see the secret is present... but then we inject a RUN rm in your Dockerfile that removes the secrets so they are not present in the final image.
So this is working as designed.
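An added check, not part of the original thread or of OpenShift's own code: it tests the "not included in the output image" property on an exported image by applying layer tarballs in order (honouring OCI whiteout entries) and reporting where the secret value is still readable, both in the final filesystem and in each individual layer. The layers, paths and function names are constructed for illustration; only the secret key and value come from the reproduction steps.

```python
import io
import tarfile

def make_layer(files):
    """Build one in-memory layer tarball from {path: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def audit_image(layers, secret_value):
    """Return (final_hits, layer_hits) for secret_value.

    final_hits: paths holding the value in the merged (final) filesystem.
    layer_hits: (layer_index, path) pairs holding it in any single layer.
    """
    merged, layer_hits = {}, []
    for index, blob in enumerate(layers):
        with tarfile.open(fileobj=io.BytesIO(blob)) as tar:
            members = tar.getmembers()
            # Pass 1: whiteouts delete entries inherited from lower layers.
            for member in members:
                directory, _, base = member.name.rpartition("/")
                if not base.startswith(".wh."):
                    continue
                # ".wh..wh..opq" hides the whole directory; ".wh.NAME" hides NAME.
                target = directory if base == ".wh..wh..opq" else f"{directory}/{base[4:]}"
                for path in [p for p in merged if p == target or p.startswith(target + "/")]:
                    del merged[path]
            # Pass 2: regular files from this layer overlay the merged view.
            for member in members:
                if not member.isfile() or member.name.rpartition("/")[2].startswith(".wh."):
                    continue
                data = tar.extractfile(member).read()
                merged[member.name] = data
                if secret_value in data:
                    layer_hits.append((index, member.name))
    return sorted(p for p, d in merged.items() if secret_value in d), layer_hits

SECRET = b"aosvalue"  # value from the page's `oc create secret` step
# Constructed layers; paths are illustrative, not taken from a real build.
LAYERED = [
    make_layer({"app/config.ru": b"run App"}),
    make_layer({"app/test/aoskey": SECRET, "app/test/configmap.test": b"k=v"}),
    make_layer({"app/test/.wh.aoskey": b""}),  # later layer removes the secret file
]
SQUASHED = [make_layer({"app/config.ru": b"run App", "app/test/configmap.test": b"k=v"})]
```

An empty `final_hits` with a non-empty `layer_hits` means the file is gone from the running container's view but the value is still stored in one of the image's layers.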
Yes, I can see the secrets in the build pod.
- mountPath: /var/run/secrets/openshift.io/build/secrettest
- name: secrettest-build
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.