Using agent token in cloud-init user-data #91
Comments
|
@runephilosof-karnovgroup Do you have an idea how we could get the token securely onto that machine? Worst case we could ssh to that machine and save a file somehow. 🤔
That would be tough to achieve as it would break most other agent setups. |
|
What is a valid use case of reusing agent specific registration tokens? My own autoscaler uses the global agent registration token, because of this problem. It then matches up the agents with their agent IDs using their hostnames. |
It's currently just "the specific" agent token which is also used to identify the agent again when re-connecting / after restarts. Woodpecker currently has nothing like a registration token AFAIK.
How do you inject the global token then if not via cloud-init? As part of the image? |
I am suggesting it should have (in the other issue, let's keep that discussion there, it becomes confusing otherwise).
Yes. I build it into the image. |
anbraten
changed the title
Some providers apply cloud-init to vps using http calls to a server in the network, some do it by providing a file etc to the vps.
The issue with the http api approach is that this endpoint can be called by all users of the vps and therefore could be called by a pipeline step to extract the agent-token.
Providers
Metadata/userdata/cloud-init is accessible to everything running on the agent, not only
root.So you should not save the woodpecker token in that.
Or alternatively, the server should invalidate the tokens after first use.
Originally posted by @runephilosof-karnovgroup in #15 (comment)
The text was updated successfully, but these errors were encountered: