Bug 1669981 - --build-secret option doesn't copy secret to built image
Summary: --build-secret option doesn't copy secret to built image
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Build
Version: 4.1.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.1.0
Assignee: Ben Parees
QA Contact: wewang
Depends On:
TreeView+ depends on / blocked
Reported: 2019-01-28 09:49 UTC by XiuJuan Wang
Modified: 2019-06-04 10:42 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Last Closed: 2019-06-04 10:42:15 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:0758 0 None None None 2019-06-04 10:42:22 UTC

Description XiuJuan Wang 2019-01-28 09:49:47 UTC
Description of problem:

 --build-secret option  doesn't copy secret to built image

Version-Release number of selected component (if applicable):
$oc v4.0.0-0.146.0
$oc get clusterversion
version   4.0.0-0.2   True        False         19m       Cluster version is 4.0.0-0.2

How reproducible:

Steps to Reproduce:
1.Create a build with configmap and secret.
$oc create secret generic secrettest --from-literal=aoskey\=aosvalue
$oc create configmap cmtest --from-file=configmap.test
$oc new-build https://github.com/openshift/ruby-hello-world --image-stream=ruby --build-config-map=cmtest:test --build-secret=secrettest:test
2.Describe build
3.Deploy pod with built image
oc run myapp --image=image-registry.openshift-image-registry.svc:5000/xiu/ruby-hello-world
4.Log into pod to check if files are copyed

Actual results:
step 2:
Output to:		ImageStreamTag ruby-hello-world:latest
Build Secrets:		secrettest->secrettest
Build ConfigMaps:	cmtest->secrettest

step 4:Only configmap file is copyed to dest dir.
$oc rsh myapp-3-dlskq 
sh-4.2$ls test/ -l
total 0
lrwxrwxrwx. 1 default root 16 Jan 28 09:25 configmap -> ..data/configmap

Expected results:
Secret should be copyed to dest dir when specify --build-secret 

Additional info:

Comment 1 Ben Parees 2019-01-28 16:18:56 UTC
The idea behind build secrets is they are available at build time, but not included in the output image.

If your dockerfile includes a RUN command that lists the content, you'll see the secret is present... but then we inject a RUN rm in your dockerfile that removes the secrets so they are not present in the final image.

So this is working as designed.

Comment 2 XiuJuan Wang 2019-01-29 02:38:48 UTC
Yes, I can see the secrets in the build pod. 

    - mountPath: /var/run/secrets/openshift.io/build/secrettest
      name: secrettest-build
  - name: secrettest-build
      defaultMode: 384
      secretName: secrettest


Comment 5 errata-xmlrpc 2019-06-04 10:42:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.