set-pipeline leaks credentials in diff
#9476
Summary

When I have a pipeline like this where the resource is provided via a file:

```yaml
resources:
- name: src
  type: git
  icon: git
  source:
    uri: ((git.root))/user/repo.git
    private_key: ((git.private_key))
jobs:
- name: set-self
  public: true
  build_log_retention:
    builds: 50
  plan:
  - get: src
    trigger: true
  - set_pipeline: self
    file: src/pipeline.yaml
```

where the credentials are provided by this file:

```yaml
git:
  root: git.example.com
  private_key: |
    ...
```

After the

Steps to Reproduce

```shell
fly -t main set-pipeline \
  -p random \
  -c pipeline.yaml \
  -l credentials.yaml \
  -y trigger=true
```

Expected Results

No private keys should show up in the In the example shown here, it seems like using

Actual Results

The

Web Node(s) configuration

No response

Worker(s) configuration

No response

Concourse Version

8.0.2

Browser (if applicable)

No response

Did this use to work?

No response
Replies: 1 comment 1 reply
Not a bug. The problem you're running into is that you're expecting vars to be tracked as secrets by Concourse. Vars are not marked and tracked as secrets though.

There's also another problem here which is after you do fly set-pipeline, the vars are resolved and no longer present in the pipeline. You see the result of this in the diff output from set_pipeline where it tries to replace your resolved var (your private key) with the var names ((git)), which then breaks your pipeline.

The only solution here is to store your secrets in a secrets/credential manager: https://concourse-ci.org/docs/operation/creds/ and have Concourse fetch them during runtime. Vars fetched in this manner are treat…

To hopefully help make things clear, here's a breakdown of what's happening. When you run you So you think Concourse is getting this:

```yaml
resources:
- name: src
  type: git
  icon: git
  source:
    uri: ((git.root))/user/repo.git
    private_key: ((git.private_key))
jobs:
- name: set-self
  public: true
  build_log_retention:
    builds: 50
  plan:
  - get: src
    trigger: true
  - set_pipeline: self
    file: src/pipeline.yaml
```

and possibly a copy of the vars file. Concourse does not store a copy of the vars file though. What Concourse actually gets and stores in its db is this:

```yaml
resources:
- name: src
  type: git
  icon: git
  source:
    uri: git.example.com/user/repo.git
    private_key: |
      -----BEGIN OPENSSH PRIVATE KEY-----
      ...
      -----END OPENSSH PRIVATE KEY-----
jobs:
- name: set-self
  public: true
  build_log_retention:
    builds: 50
  plan:
  - get: src
    trigger: true
  - set_pipeline: self
    file: src/pipeline.yaml
```

Then in your

Sorry that you're landing in this confusing workflow. I totally see how your assumptions lead you to think it worked differently. I have been having thoughts of maybe including a built-in secrets store for Concourse to simplify smaller deployments like what you're probably running. I don't think that'll happen anytime soon though due to the extra maintenance burden that would bring. I'm trying to be very strict about what new features the project brings in.
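As an added illustration (not code from this thread or from Concourse itself), a small Python model of what the reply describes: `-l` resolution happens client-side, the resolved config is what gets stored, and a later `set_pipeline` from the templated file diffs the real key against the `((var))` name. The `inlined_secrets` function at the end is a defender's audit over a stored pipeline; the pipeline dict, vars and placeholder key are constructed sample data.

```python
import re
from functools import reduce
VAR_RE = re.compile(r"\(\(([A-Za-z0-9_.-]+)\)\)")
# Constructed sample: the thread's templated pipeline.yaml, as a dict.
PIPELINE = {
    "resources": [{"name": "src", "type": "git", "source": {
        "uri": "((git.root))/user/repo.git", "private_key": "((git.private_key))"}}],
    "jobs": [{"name": "set-self", "plan": [{"get": "src", "trigger": True},
                                           {"set_pipeline": "self", "file": "src/pipeline.yaml"}]}],
}
# Constructed credentials.yaml; the key body is a placeholder, not a real key.
FAKE_KEY = "-----BEGIN OPENSSH PRIVATE KEY-----\nPLACEHOLDER\n-----END OPENSSH PRIVATE KEY-----\n"
VARS = {"git": {"root": "git.example.com", "private_key": FAKE_KEY}}

def lookup(vars_, path):
    return reduce(lambda node, key: node[key], path.split("."), vars_)

def interpolate(node, vars_):
    # Resolve ((var.path)) client-side, as `fly set-pipeline -l` does before the
    # config is sent to the web node; the resolved result is what gets stored.
    if isinstance(node, dict):
        return {k: interpolate(v, vars_) for k, v in node.items()}
    if isinstance(node, list):
        return [interpolate(v, vars_) for v in node]
    if isinstance(node, str):
        whole = VAR_RE.fullmatch(node)
        if whole:  # value is exactly one var: substitute verbatim (multi-line keys included)
            return lookup(vars_, whole.group(1))
        return VAR_RE.sub(lambda m: str(lookup(vars_, m.group(1))), node)
    return node

def leaves(node, path=""):
    # Yield (path, scalar) for every leaf of a nested config.
    if isinstance(node, dict):
        for k, v in node.items():
            yield from leaves(v, f"{path}.{k}" if path else k)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from leaves(v, f"{path}[{i}]")
    else:
        yield path, node

def diff(stored, new):
    # Leaf-level diff as a set_pipeline step would print it: stored (resolved)
    # value on the left, the templated file's value on the right.
    a, b = dict(leaves(stored)), dict(leaves(new))
    return [(p, a.get(p), b.get(p)) for p in sorted(set(a) | set(b)) if a.get(p) != b.get(p)]

def inlined_secrets(pipeline):
    # Audit a stored pipeline (e.g. `fly get-pipeline` output) for baked-in PEM blocks.
    return [p for p, v in leaves(pipeline) if isinstance(v, str) and "PRIVATE KEY-----" in v]
STORED = interpolate(PIPELINE, VARS)  # what Concourse actually keeps in its db
```

Running `diff(STORED, PIPELINE)` reproduces the two lines the set_pipeline step shows, with the key on the left and `((git.private_key))` on the right; `inlined_secrets(STORED)` flags that leaf.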