1669981 – --build-secret option doesn't copy secret to built image

Bug 1669981 - --build-secret option doesn't copy secret to built image

Summary: --build-secret option doesn't copy secret to built image

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Build
Sub Component:
Version:	4.1.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	low
Target Milestone:	---
Target Release:	4.1.0
Assignee:	Ben Parees
QA Contact:	wewang
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2019-01-28 09:49 UTC by XiuJuan Wang
Modified:	2019-06-04 10:42 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed:	2019-06-04 10:42:15 UTC
Target Upstream Version:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2019:0758	0	None	None	None	2019-06-04 10:42:22 UTC

Description XiuJuan Wang 2019-01-28 09:49:47 UTC

Description of problem:

 --build-secret option  doesn't copy secret to built image

Version-Release number of selected component (if applicable):
$oc v4.0.0-0.146.0
$oc get clusterversion
NAME      VERSION     AVAILABLE   PROGRESSING   SINCE     STATUS
version   4.0.0-0.2   True        False         19m       Cluster version is 4.0.0-0.2

How reproducible:
always

Steps to Reproduce:
1.Create a build with configmap and secret.
$oc create secret generic secrettest --from-literal=aoskey\=aosvalue
$oc create configmap cmtest --from-file=configmap.test
$oc new-build https://github.com/openshift/ruby-hello-world --image-stream=ruby --build-config-map=cmtest:test --build-secret=secrettest:test
2.Describe build
3.Deploy pod with built image
oc run myapp --image=image-registry.openshift-image-registry.svc:5000/xiu/ruby-hello-world
4.Log into pod to check if files are copyed

Actual results:
step 2：
Output to:		ImageStreamTag ruby-hello-world:latest
Build Secrets:		secrettest->secrettest
Build ConfigMaps:	cmtest->secrettest

step 4：Only configmap file is copyed to dest dir.
$oc rsh myapp-3-dlskq 
sh-4.2$ls test/ -l
total 0
lrwxrwxrwx. 1 default root 16 Jan 28 09:25 configmap -> ..data/configmap

Expected results:
Secret should be copyed to dest dir when specify --build-secret 

Additional info:

Comment 1 Ben Parees 2019-01-28 16:18:56 UTC

The idea behind build secrets is they are available at build time, but not included in the output image.

If your dockerfile includes a RUN command that lists the content, you'll see the secret is present... but then we inject a RUN rm in your dockerfile that removes the secrets so they are not present in the final image.

So this is working as designed.

Comment 2 XiuJuan Wang 2019-01-29 02:38:48 UTC

Yes, I can see the secrets in the build pod. 

    - mountPath: /var/run/secrets/openshift.io/build/secrettest
      name: secrettest-build
  - name: secrettest-build
    secret:
      defaultMode: 384
      secretName: secrettest

Thanks~

Comment 5 errata-xmlrpc 2019-06-04 10:42:15 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0758

Note You need to log in before you can comment on or make changes to this bug.