Do not show image_resource docker-image password in a task file

[martinsbalodis]

Right now tasks can only contain plain text passwords. That means that these passwords will be stored in a git repository in plain text. Here is how it the image resource definition looks right now in a task file:

# task.yml in repository
image_resource:
  type: docker-image
  source:
    repository: my.local.registry:8080/my/image
    insecure_registries: ["my.local.registry:8080"]
    username: myuser
    password: mypass
    email: x@x.com

This could be resolved by adding a --load-vars-from= option to the fly execute command similarly how it works with the fly set-pipeline command. The task definition could look like this after the enhancement:

# task.yml in repository
image_resource:
  type: docker-image
  source:
    repository: my.local.registry:8080/my/image
    insecure_registries: ["my.local.registry:8080"]
    username: {{docker_user}}
    password: {{docker_pass}}
    email: {{docker_mail}}

This would be partly resolved by #252. This proposal solves the problem when task is run within the CI but doesn't solve the problem when it is run via fly command locally.

[concourse-bot]

Hi there!

We use Pivotal Tracker to provide visibility into what our team is working on. A story for this issue has been automatically created.

The current status is as follows:

• #118818253 Do not show image_resource docker-image password in a task file

This comment, as well as the labels on the issue, will be automatically updated as the status in Tracker changes.

[vito]

This would be fixed by #291 and/or #318