Configure travis CI and OpenShift CI to support testing features with secrets #3553
Comments
openshift-ci-robot
added
the
kind/feature
|
Note, when we do this, we need to bear in mind the effect it will have on non-ci testing. This includes local testing as well where the secret might not be injected. Please ensure the said tests can be skipped if env cannot be set / document how users can provide their own tokens. |
|
/area testing |
openshift-ci-robot
added
area/testing
This works only for PR that was opened from branch in the main do repo. It won't work for forks. This restriction is there for security. Otherwise, anyone who can open PR could extract secrets. |
You don't need secure secrets for testing. For testing, you can use some fake registry where it doesn't matter that secret gets leaked |
+1 to that. we should avoid unnecessary complication if we can In fact, in this case we can say have a token with read-only access on a test registry. That way it won't matter if a billion people can get it |
Yes, that's a expected restriction for security. |
Currently the registry is GitHub-hosted registry, given GitHub only supports user-scoped token instead of repo-scoped token, so I don't think the scope of GitHub token supports read-only access. I find some resource from OpenShift: https://www.openshift.com/blog/private-git-repositories-part-3-personal-access-tokens
Actually the current design of testing registry is fake registry, the purpose of adding the security mechanism is not for making the testing registry secure, it's for making all other repos/information under the same GitHub user (currently all registry related resource are under this GitHub user https://github.com/odo-devfiles) secure so that the public users won't use the token for testing to access all other repos/information under the same GitHub user given GitHub token only support user-scoped token so that we don't have a way to create a token only for the repo that hosts testing registry. BUT, if we don't have a plan to create a private repo under GitHub user https://github.com/odo-devfiles in the future, then we don't need this security mechanism and we can expose the token to public. Another benefit of adding the security mechanism is for future features with secrets, if we still have a way to mock the secure resource for the new feature then that would fine, but if we can't we still need to come back and do the configuration. |
elsony
added
the
area/devfile-spec
|
We already discuss this issue in today's status meeting, we don't need to test the scenario for secure registry, so close this issue. |
/kind feature
Which functionality do you think we should add?
We need a mechanism to inject secrets into travis CI and OpenShift CI environment so that we can test features with secrets such as secure registry support feature #2893.
Rough design:
Travis CI: We can follow this instruction https://docs.travis-ci.com/user/deployment/pages/#setting-the-github-token to add secret to repository settings.
OpenShift CI: We will need to move to mutli-stage builds before we can inject custom secrets.
FYI: @amitkrout @mohammedzee1000
Why is this needed?
Test features with secrets.
The text was updated successfully, but these errors were encountered: