Remove any need for using long-lived secrets from CI #159

Open
pivotaljohn opened this issue Sep 10, 2021 · 2 comments
Labels: carvel accepted (This issue should be considered for future work and that the triage process has been completed), enhancement (This issue is a feature request), priority/important-soon (Must be staffed and worked on currently or soon.)


@pivotaljohn
Contributor

Describe the problem/challenge you have
We did this:

However, GitHub does not supply the secrets context to workflows running from a fork of a public repo (docs).

So, our workflow failed for such pull requests:

This means that contributors that must use a fork of the repo are subject to DockerHub's rate limiting, again.

Describe the solution you'd like
Be able to run a complete end-to-end test without requiring sensitive data.

This could be:

  • ensuring that all referenced images are served from somewhere other than DockerHub.
  • rewriting all container image references that might point to DockerHub to the registry that's already deployed to the local Kubernetes cluster (via minikube).

Anything else you would like to add:
Bonus points if that registry could be deployed with TLS enabled and secured (i.e. fitted with ephemeral credentials).

There's a test that's currently being skipped on account of the deployed registry not being secure:
https://github.com/vmware-tanzu/carvel-kbld/blob/7c1bb9b04735ce94d3edfe3faa4f4181e51ebbc3/test/e2e/build_kubectl_buildkit_test.go#L58-L64


Vote on this request

This is an invitation to the community to vote on issues, to help us prioritize our backlog. Use the "smiley face" up to the right of this comment to vote.

👍 "I would like to see this addressed as soon as possible"
👎 "There are other more important things to focus on right now"

We are also happy to receive and review Pull Requests if you want to help work on this issue.

@pivotaljohn added the labels enhancement (This issue is a feature request) and carvel triage (This issue has not yet been reviewed for validity) on Sep 10, 2021
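
The second option in the issue above (rewriting image references that might point to DockerHub) depends on recognizing references that name DockerHub only implicitly, such as `nginx:1.21`. This is an added example, not code from kbld or from this issue; `RewriteDockerHubRef`, `splitDomain` and the `localhost:5000` registry address are assumptions, and the local registry is assumed to already hold or proxy the images.

```go
package main

import (
	"fmt"
	"strings"
)

// splitDomain applies Docker's reference normalization rule: the first path
// component names a registry only if it contains "." or ":", equals
// "localhost", or has upper-case letters. Otherwise Docker Hub is implied.
func splitDomain(ref string) (domain, rest string) {
	i := strings.IndexRune(ref, '/')
	if i == -1 {
		return "docker.io", ref
	}
	first := ref[:i]
	if !strings.ContainsAny(first, ".:") && first != "localhost" && strings.ToLower(first) == first {
		return "docker.io", ref
	}
	return first, ref[i+1:]
}

// RewriteDockerHubRef (hypothetical helper) re-points ref at localRegistry if
// it would be pulled from Docker Hub; other references are returned unchanged.
// The tag or digest travels with the repository path and is preserved.
func RewriteDockerHubRef(ref, localRegistry string) (string, bool) {
	domain, rest := splitDomain(ref)
	if domain != "docker.io" && domain != "index.docker.io" {
		return ref, false
	}
	if !strings.Contains(rest, "/") {
		rest = "library/" + rest // official images live under library/
	}
	return localRegistry + "/" + rest, true
}

func main() {
	// Constructed sample references; localhost:5000 is an assumed address.
	refs := []string{"nginx:1.21", "bitnami/redis", "docker.io/busybox",
		"gcr.io/distroless/static", "localhost:5000/app"}
	for _, ref := range refs {
		out, changed := RewriteDockerHubRef(ref, "localhost:5000")
		fmt.Printf("%-26s -> %-34s rewritten=%v\n", ref, out, changed)
	}
}
```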
@pivotaljohn
Contributor Author

@aaronshurley
Contributor

@pivotaljohn Thanks for creating this issue. I'm marking this as important-soon since we're currently skipping a test and therefore have reduced confidence in our releases.

@aaronshurley added the labels carvel accepted (This issue should be considered for future work and that the triage process has been completed) and priority/important-soon (Must be staffed and worked on currently or soon.), and removed the label carvel triage (This issue has not yet been reviewed for validity), on Oct 12, 2021