tasks: Move tasks secrets from /secrets to /run/secrets/tasks

This makes them symmetric with /run/secrets/webhook. Also move the symlink setup from `Containerfile` to `setup-tasks` - that way all the secrets setup is in one place, and it's also more fungible (e.g. it's simple to bind-mount an updated `setup-tasks` script without rebuilding the image).
cockpit-project · Mar 5, 2024 · 7d1a636 · 7d1a636
1 parent e8b5641
commit 7d1a636
Show file tree

Hide file tree

Showing 6 changed files with 25 additions and 22 deletions.
diff --git a/Makefile b/Makefile
@@ -22,7 +22,7 @@ tasks-shell:
 	$(DOCKER) run -ti --rm \
 		--shm-size=1024m \
 		--volume=$(CURDIR)/tasks:/usr/local/bin \
-		--volume=$(TASK_SECRETS):/secrets:ro \
+		--volume=$(TASK_SECRETS):/run/secrets/tasks/:ro \
 		--volume=$(WEBHOOK_SECRETS):/run/secrets/webhook/:ro \
 		--volume=$(TASK_CACHE):/cache:rw \
 		--entrypoint=/bin/bash \

diff --git a/tasks/Containerfile b/tasks/Containerfile
@@ -68,13 +68,11 @@ COPY setup-tasks cockpit-tasks install-service webhook github_handler.py /usr/lo
 
 RUN groupadd -g 1111 -r user && useradd -r -g user -u 1111 user --home-dir /work && \
     groupadd -g 1001 -r github && useradd -r --no-create-home -g github -u 1001 github && \
-    mkdir -p /usr/local/bin /secrets /cache/images /cache/github && \
+    mkdir -p /usr/local/bin /cache/images /cache/github && \
     mkdir -p /work/.config /work/.config/cockpit-dev /work/.ssh /work/.cache /work/.rhel && \
     printf '[user]\n\t\nemail = cockpituous@cockpit-project.org\n\tname = Cockpituous\n[cockpit "bots"]\n\timages-data-dir = /cache/images\n' >/work/.gitconfig && \
-    ln -snf /secrets/s3-keys /work/.config/cockpit-dev/s3-keys && \
-    ln -snf /run/secrets/webhook/.config--github-token /work/.config/github-token && \
     chmod g=u /etc/passwd && \
-    chmod -R ugo+w /cache /secrets /cache /work && \
+    chmod -R ugo+w /cache /work && \
     chown -R user:user /cache /work && \
     printf '[libdefaults]\ndefault_ccache_name = FILE:/tmp/krb5.ccache\n' > /etc/krb5.conf.d/0_file_ccache && \
     echo 'user ALL=NOPASSWD: /usr/bin/chmod 666 /dev/kvm' > /etc/sudoers.d/user-fix-kvm

diff --git a/tasks/cockpit-tasks-centosci.yaml b/tasks/cockpit-tasks-centosci.yaml
@@ -22,7 +22,7 @@ spec:
           value: '1'
         volumeMounts:
         - name: secrets
-          mountPath: "/secrets"
+          mountPath: /run/secrets/tasks
           readOnly: true
         - name: webhook-secrets
           mountPath: /run/secrets/webhook

diff --git a/tasks/install-service b/tasks/install-service
@@ -23,7 +23,7 @@ chown -R 1111:1111 $SECRETS $CACHE
 chcon -R -t container_file_t $SECRETS $CACHE
 
 if [ -e "${SECRETS}/tasks/npm-registry.crt" ]; then
-    NODE_EXTRA_CA_CERTS=/secrets/npm-registry.crt
+    NODE_EXTRA_CA_CERTS=/run/secrets/tasks/npm-registry.crt
 fi
 
 if [ $INSTANCES -eq 1 ]; then
@@ -62,7 +62,7 @@ ExecStart=/usr/bin/podman run --name=cockpit-tasks-%i --hostname=${CONTAINER_HOS
     --device=/dev/kvm --network=cockpit-tasks-%i \
     --memory=24g --pids-limit=16384 --shm-size=1024m ${TMPVOL:-} \
     --volume=\${TEST_CACHE}/images:/cache/images:rw \
-    --volume=\${TEST_SECRETS}/tasks:/secrets:ro \
+    --volume=\${TEST_SECRETS}/tasks:/run/secrets/tasks:ro \
     --volume=\${TEST_SECRETS}/webhook:/run/secrets/webhook:ro \
     --volume=${IMAGE_STORES}:/work/.config/cockpit-dev/image-stores:ro \
     --env=NPM_REGISTRY=\${NPM_REGISTRY} \

diff --git a/tasks/run-local.sh b/tasks/run-local.sh
@@ -167,7 +167,7 @@ EOF
 
     # Run tasks container in the backgroud
     podman run -d -it --name cockpituous-tasks --pod=cockpituous \
-        -v "$SECRETS"/tasks:/secrets:ro,z \
+        -v "$SECRETS"/tasks:/run/secrets/tasks:ro,z \
         -v "$SECRETS"/webhook:/run/secrets/webhook:ro,z \
         -e COCKPIT_CA_PEM=/run/secrets/webhook/ca.pem \
         -e COCKPIT_BOTS_REPO=${COCKPIT_BOTS_REPO:-} \

diff --git a/tasks/setup-tasks b/tasks/setup-tasks
@@ -21,20 +21,25 @@ npm config set fetch-timeout 600000
 npm config set fetch-retry-mintimeout 60000
 npm config set maxsockets 3
 
-# set up S3 keys for OpenShift secrets volume
-if [ ! -d /secrets/s3-keys ] && [ ! -d ~/.config/cockpit-dev/s3-keys ]; then
-    # then our container symlink will point into the void, replace it with a directory and set up all files that we can find
-    rm ~/.config/cockpit-dev/s3-keys
-    mkdir ~/.config/cockpit-dev/s3-keys
-    for f in /secrets/s3-keys--*; do
-        [ -e "$f" ] || continue # non-matching glob
-        ln -s "$f" ~/.config/cockpit-dev/s3-keys/"${f#*--}"
-    done
-fi
+# Set up secrets
+if [ -d /run/secrets/tasks ]; then
+    ls -l ~/.config/cockpit-dev/
+    ln -snf /run/secrets/tasks/s3-keys ~/.config/cockpit-dev/s3-keys
+    ln -snf /run/secrets/webhook/.config--github-token ~/.config/github-token
+    git config --global credential.helper store
+    echo "https://cockpituous:$(cat ~/.config/github-token)@github.com" > ~/.git-credentials
 
-# Set up github user and token
-git config --global credential.helper store
-echo "https://cockpituous:$(cat ~/.config/github-token)@github.com" > ~/.git-credentials
+    # set up S3 keys for OpenShift secrets volume, where there is just a flat hierarchy with "--" encoding
+    if [ ! -d /run/secrets/tasks/s3-keys ] && [ ! -d ~/.config/cockpit-dev/s3-keys ]; then
+        # then our container symlink will point into the void, replace it with a directory and set up all files that we can find
+        rm ~/.config/cockpit-dev/s3-keys
+        mkdir ~/.config/cockpit-dev/s3-keys
+        for f in /run/secrets/tasks/s3-keys--*; do
+            [ -e "$f" ] || continue # non-matching glob
+            ln -s "$f" ~/.config/cockpit-dev/s3-keys/"${f#*--}"
+        done
+    fi
+fi
 
 # Get bots
 if [ ! -d ~/bots ]; then