Rollback creds-init removal in 0.14 branch #2952
Conversation
This reverts commit bbb767c. In #2671 I removed the creds-init initContainer from Task Pods so that credentials could be used by containers running with non-root users. The intention was for this change to be free of any side-effects to end-users. Unfortunately a [backwards incompatible issue](#2951) has cropped up with this change: When a user does not specify the `known_hosts` field in a creds-init Secret, the credential code will perform an `ssh-keyscan` of the remote server to get its public key. The problem is that previously we could guarantee `ssh-keyscan` was available since the code ran in our own creds-init container with our own docker image. Since we've now moved that code into Steps' entrypoint the Steps container is required to provide `ssh-keyscan`. This is a change in container contract and therefore backwards-incompatible. In this PR I've reverted the creds-init change for the 0.14 branch rather than attempt to fix the `ssh-keyscan` issue and possibly introduce more problems. Before 0.15 I'd like to get a better backwards-compatible fix organized. So I plan to leave the creds-init change in place in the `master` branch for the time being.
ghost
requested a review
from 
tekton-robot
added
release-note
|
The following is the coverage report on the affected files.
|
ghost
mentioned this pull request
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: afrittoli The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
tekton-robot
added
the
approved
|
So, if I got it right, the plan is rollback on the branch only, and fix on master for v0.15 instead, right? |
|
That's my guess too, @sbwsg are we right ? |
Yup, exactly right. I'm working on a fix now that should hopefully be ready in time for 0.15. |
Let's add the refered issue in the milestone then 👼 /lgtm |
Good thinking, thanks for doing that! |
ghost
added
the
needs-cherry-pick
vdemeester
removed
the
needs-cherry-pick
Changes
In #2671 I removed the creds-init initContainer from Task Pods so that credentials could be used by containers running with non-root users. The intention was for this change to be free of any side-effects to end-users. Unfortunately a backwards incompatible issue has cropped up with this change:
When a user does not specify the
known_hostsfield in a creds-init Secret, the credential code will perform anssh-keyscanof the remote server to get its public key. The problem is that previously we could guaranteessh-keyscanwas available since the code ran in our own creds-init container with our own docker image. Since we've now moved that code into Steps' entrypoint a Step's container is required to providessh-keyscan. This is a change in container contract and therefore backwards-incompatible.In this PR I've reverted the creds-init change for the 0.14 branch rather than attempt to fix the
ssh-keyscanissue and possibly introduce more problems.Before 0.15 I'd like to get a better, backwards-compatible, fix organized. So I plan to leave the creds-init change in place in the
masterbranch for the time being.Submitter Checklist
These are the criteria that every PR should meet, please check them off as you
review them:
Release Notes