Get Proxy Exec working with Kubernetes
In 17.10, we introduced an experimental proxy_exec config option.
When proxy_exec is enabled:
- All helper container commands are wrapped with
runner-helper proxy_exec - When
proxy_execis executed, it ensures a copy of therunner-helperis present in the build directory's temp directory. - All build container commands are then also wrapped with
runner-helper proxy_exec, using the copiedrunner-helperbinary (that is now present in the build directory, and there accessible from the build container).
This work was done in: Add proxy shell execution (!5361 - merged)
The reason this exists is to support add-mask functionality, where the job can echo out secrets and instruct the proxy_exec proxy to mask them. All stdout/stderr streams are then monitored for the secret phrases and are replaced with [MASKED]. This work was done in: Add add-mask functionality to proxy-exec (!5401 - merged)
The best way to test this functionality was to temporary enable it for a pipeline by default and see if the integration tests worked. However, this couldn't be done with Kubernetes because Kubernetes was unable to use unreleased changes to the helper binary. Now that the changes have been merged, we should be able to:
- Run a pipeline with
proxy_execenabled by default, and see how Kubernetes integration tests react. - Fix anything broken.
Because Kubernetes handles a lot of its own shell script logic, there's probably a few changes needed to ensure everything gets wrapped with proxy_exec.