Feature #13134
closed
[crunch-run] Support for secret_mounts
Description
- New field called "secret_mounts" which can contain "json" or "text" type mounts. These are processed the same way as normal mounts.
- Add support for "text" type mounts which are literal text which is written to file during setup (similar to "json" type, but unstructured.)
- Ensure that contents of "secret_mounts" aren't logged (e.g. container.json)
- Ensure that contents of "secret_mounts" aren't captured in output collection
Note: for completeness, we should also have "secret_environment" and "secret_command" that are merged with the public environment and public command line respectively.
Updated by Peter Amstutz over 6 years ago
- Status changed from New to In Progress
Updated by Peter Amstutz over 6 years ago
- Subject changed from [crunch-run] Support for secrets to [crunch-run] Support for secret_mounts
- Description updated (diff)
Updated by Tom Clegg over 6 years ago
- Related to Idea #13112: Provide a mechanism to store "secrets" securely added
Updated by Tom Morris over 6 years ago
- Target version changed from Arvados Future Sprints to 2018-03-28 Sprint
Updated by Tom Morris over 6 years ago
- Target version changed from 2018-03-28 Sprint to 2018-03-14 Sprint
Updated by Tom Clegg over 6 years ago
- Status changed from In Progress to New
- Target version changed from 2018-03-14 Sprint to 2018-03-28 Sprint
Updated by Tom Morris over 6 years ago
- Target version changed from 2018-03-28 Sprint to 2018-03-14 Sprint
Updated by Tom Morris over 6 years ago
- Assigned To changed from Tom Clegg to Peter Amstutz
Updated by Lucas Di Pentima over 6 years ago
Reviewing cc14a0ddb50d0d9b3aa03295e4212bd13b073be1
What happens when there is an equal mount and secret mount (is this allowed by the API server?) It seems that line 412 on crunchrun.go will prioritize the non-secret mount and will add it twice when there is mount duplication, but then will remove it because it's supposedly a secret mount.
Updated by Peter Amstutz over 6 years ago
Lucas Di Pentima wrote:
Reviewing cc14a0ddb50d0d9b3aa03295e4212bd13b073be1
What happens when there is an equal mount and secret mount (is this allowed by the API server?) It seems that line 412 on crunchrun.go will prioritize the non-secret mount and will add it twice when there is mount duplication, but then will remove it because it's supposedly a secret mount.
The API server is supposed to check for this case and reject it. I suppose crunch-run could also detect that and report an error instead of having some slightly weird undefined behavior.
Updated by Peter Amstutz over 6 years ago
Added check for duplicate mounts. Now 13134-secret-mounts @ d6433abcf8b95012fee8a18a82edc88921d7544e
Updated by Peter Amstutz over 6 years ago
Rebased on master, now 13134-secret-mounts 9b590929d103537db6db9f8d1c6d7646413d16dd
Tests here https://ci.curoverse.com/job/developer-run-tests/650/
Updated by Peter Amstutz over 6 years ago
- Status changed from New to Resolved
Applied in changeset arvados|80081626101a2193d7b916fe488903b66777576e.