Feature #13134
closed
[crunch-run] Support for secret_mounts
Added by Peter Amstutz almost 7 years ago.
Updated over 6 years ago.
Release relationship:
Auto
Description
See Container secret mounts.
- New field called "secret_mounts" which can contain "json" or "text" type mounts. These are processed the same way as normal mounts.
- Add support for "text" type mounts which are literal text which is written to file during setup (similar to "json" type, but unstructured.)
- Ensure that contents of "secret_mounts" isn't logged (e.g. container.json)
- Ensure that contents of "secret_mounts" isn't captured in output collection
Note: for completeness, we should also have "secret_environment" and "secret_command" that are merged with the public environment and public command line respectively.
- Status changed from New to In Progress
- Subject changed from [crunch-run] Support for secrets to [crunch-run] Support for secret_mounts
- Description updated (diff)
- Related to Idea #13112: Provide a mechanism to store "secrets" securely added
- Description updated (diff)
- Target version changed from Arvados Future Sprints to 2018-03-28 Sprint
- Assigned To set to Tom Clegg
- Target version changed from 2018-03-28 Sprint to 2018-03-14 Sprint
- Status changed from In Progress to New
- Target version changed from 2018-03-14 Sprint to 2018-03-28 Sprint
- Target version changed from 2018-03-28 Sprint to 2018-03-14 Sprint
- Assigned To changed from Tom Clegg to Peter Amstutz
Reviewing cc14a0ddb50d0d9b3aa03295e4212bd13b073be1
What happens when there are an equal mount and secret mount (is this allowed by the API server?), it seems that line 412 on crunchrun.go will prioritize the non-secret mount and will add it twice when there is mount duplication, but then will remove it because it’s supposedly a secret mount.
Lucas Di Pentima wrote:
Reviewing cc14a0ddb50d0d9b3aa03295e4212bd13b073be1
What happens when there are an equal mount and secret mount (is this allowed by the API server?), it seems that line 412 on crunchrun.go will prioritize the non-secret mount and will add it twice when there is mount duplication, but then will remove it because it’s supposedly a secret mount.
The API server is supposed to check for this case and reject it. I suppose crunch-run could also detect that and report an error instead of having some slightly weird undefined behavior.
- Status changed from New to Resolved