Skip to content

Fix file secrets in debug terminal

What does this MR do?

For Kubernetes and Docker executors, when we create the build containers, we set their environment, which is visible to users who attach to the container with the debug terminal. Previously, debug terminal users would find that the values of file-type secrets were set to the secrets themselves, rather than the path to the file containing the secret value. This MR adjusts those environment variables' values to be the expected path.

There's a caveat in which we used to include all environment variables in the build containers we create for Kubernetes, but now we only include the PublicOrInternal() ones. So the variables you'd see in the debug terminal for a docker job are different than what you'd see for Kubernetes. So customer secrets are actually affected, I only see that CI_SERVER_TLS_CA_FILE is included in my kubernetes container, and it's supposed to be a file-type variable but previously the contents of the file were exposed in the environment.

Why was this MR needed?

It makes the debug terminal environment more closely resemble the build environment.

What's the best way to test this MR?

I was testing this with the debug terminal, but it turns out to be better to start a build running in a container, then exec a shell running interactively in the container, where you can show the environment.

What are the relevant issue numbers?

fixes gitlab#399770 (closed)

Edited by Axel von Bertoldi

Merge request reports