fix: mount secrets into a non workspace dir to avoid checking out cod…

…e into the same dir and accidentily commiting keys
jenkins-x · Sep 11, 2019 · 551d496 · 551d496
1 parent e6a26ad
commit 551d496
Show file tree

Hide file tree

Showing 5 changed files with 124 additions and 1 deletion.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -0,0 +1,7 @@
+repos:
+- repo: [email protected]:Yelp/detect-secrets
+  rev: v0.12.4
+  hooks:
+    - id: detect-secrets
+      args: ['--baseline', '.secrets.baseline']
+      exclude: .*/tests/.*
diff --git a/.secrets.baseline b/.secrets.baseline
@@ -0,0 +1,89 @@
+{
+  "exclude": {
+    "files": null,
+    "lines": null
+  },
+  "generated_at": "2019-09-11T09:31:17Z",
+  "plugins_used": [
+    {
+      "name": "AWSKeyDetector"
+    },
+    {
+      "name": "ArtifactoryDetector"
+    },
+    {
+      "base64_limit": 4.5,
+      "name": "Base64HighEntropyString"
+    },
+    {
+      "name": "BasicAuthDetector"
+    },
+    {
+      "hex_limit": 3,
+      "name": "HexHighEntropyString"
+    },
+    {
+      "name": "KeywordDetector"
+    },
+    {
+      "name": "PrivateKeyDetector"
+    },
+    {
+      "name": "SlackDetector"
+    },
+    {
+      "name": "StripeDetector"
+    }
+  ],
+  "results": {
+    "bdd/bdd.sh": [
+      {
+        "hashed_secret": "8ed71d19964ae8169396605379dc4f65ff292fe2",
+        "is_secret": false,
+        "line_number": 40,
+        "type": "Secret Keyword"
+      }
+    ],
+    "env/jenkins-x-platform/values.tmpl.yaml": [
+      {
+        "hashed_secret": "d2e2ab0f407e4ee3cf2ab87d61c31b25a74085e5",
+        "is_secret": false,
+        "line_number": 20,
+        "type": "Secret Keyword"
+      }
+    ],
+    "env/jxboot-resources/values.tmpl.yaml": [
+      {
+        "hashed_secret": "d2e2ab0f407e4ee3cf2ab87d61c31b25a74085e5",
+        "is_secret": false,
+        "line_number": 143,
+        "type": "Secret Keyword"
+      }
+    ],
+    "env/tekton/values.tmpl.yaml": [
+      {
+        "hashed_secret": "d2e2ab0f407e4ee3cf2ab87d61c31b25a74085e5",
+        "is_secret": false,
+        "line_number": 21,
+        "type": "Secret Keyword"
+      }
+    ],
+    "kubeProviders/iks/README.md": [
+      {
+        "hashed_secret": "aa5c16139fb7160196bad6d4a1ae97b677ff0d81",
+        "is_secret": false,
+        "line_number": 198,
+        "type": "Secret Keyword"
+      }
+    ],
+    "systems/external-dns/values.tmpl.yaml": [
+      {
+        "hashed_secret": "8aa3771c4ae26feb2df06246de60d7620aad7bb7",
+        "is_secret": false,
+        "line_number": 7,
+        "type": "Secret Keyword"
+      }
+    ]
+  },
+  "version": "0.12.4"
+}
diff --git a/bdd/bdd.sh b/bdd/bdd.sh
@@ -15,7 +15,6 @@ export GH_OWNER="cb-kubecd"
 
 export GH_CREDS_PSW="$(jx step credential -s jenkins-x-bot-test-github)"
 export JENKINS_CREDS_PSW="$(jx step credential -s  test-jenkins-user)"
-export GKE_SA="$(jx step credential -k bdd-credentials.json -s bdd-secret -f sa.json)"
 
 # fix broken `BUILD_NUMBER` env var
 export BUILD_NUMBER="$BUILD_ID"

diff --git a/jenkins-x-bdd-local.yml b/jenkins-x-bdd-local.yml
@@ -15,10 +15,24 @@ pipelineConfig:
         environment:
           - name: GOPROXY
             value: http://jenkins-x-athens-proxy:80
+          - name: GKE_SA
+            value: /secrets/bdd/sa.json
         agent:
           image: gcr.io/jenkinsxio/builder-go-maven
         stages:
           - name: ci
+            options:
+              volumes:
+                - name: sa
+                  secret:
+                    secretName: bdd-secret
+                    items:
+                      - key: bdd-credentials.json
+                        path: bdd/sa.json
+              containerOptions:
+                volumeMounts:
+                  - mountPath: /secrets
+                    name: sa
             steps:
               - name: run-bdd
                 command: bdd/bdd.sh

diff --git a/jenkins-x-bdd-vault.yml b/jenkins-x-bdd-vault.yml
@@ -21,10 +21,24 @@ pipelineConfig:
             value: "boot"
           - name: DOMAIN_SUFFIX
             value: ".bdd.jenkins-x.rocks"
+          - name: GKE_SA
+            value: /secrets/bdd/sa.json
         agent:
           image: gcr.io/jenkinsxio/builder-go-maven
         stages:
           - name: ci
+            options:
+              volumes:
+                - name: sa
+                  secret:
+                    secretName: bdd-secret
+                    items:
+                      - key: bdd-credentials.json
+                        path: bdd/sa.json
+              containerOptions:
+                volumeMounts:
+                  - mountPath: /secrets
+                    name: sa
             steps:
               - name: run-bdd
                 command: bdd/bdd.sh