kube backend: prevent secrets from leaking to Kubernetes apiserver logs (#5196)

2025-11-23 21:44:44 +02:00 · 2025-06-14 23:44:33 +03:00
parent d5537e6fa5
commit 5e052f5579
9 changed files with 297 additions and 15 deletions
--- a/pipeline/frontend/yaml/compiler/compiler_test.go
+++ b/pipeline/frontend/yaml/compiler/compiler_test.go
@@ -317,6 +317,124 @@ func TestCompilerCompile(t *testing.T) {
 						assert.Truef(t, s.Environment["VERBOSE"] == "true", "expected to get value of global set environment")
 						assert.Truef(t, len(s.Environment) > 10, "expected to have a lot of built-in variables")
 						s.Environment = nil
+						s.SecretMapping = nil
+					}
+				}
+				// check if we get an expected backend config based on a frontend config
+				assert.EqualValues(t, *test.backConf, *backConf)
+			}
+		})
+	}
+}
+
+func TestCompilerCompileWithFromSecret(t *testing.T) {
+	repoURL := "https://github.com/octocat/hello-world"
+	compiler := New(
+		WithMetadata(metadata.Metadata{
+			Repo: metadata.Repo{
+				Owner:    "octacat",
+				Name:     "hello-world",
+				Private:  true,
+				ForgeURL: repoURL,
+				CloneURL: "https://github.com/octocat/hello-world.git",
+			},
+		}),
+		WithEnviron(map[string]string{
+			"VERBOSE": "true",
+			"COLORED": "true",
+		}),
+		WithSecret(Secret{
+			Name:  "secret_name",
+			Value: "VERY_SECRET",
+		}),
+		WithPrefix("test"),
+		// we use "/test" as custom workspace base to ensure the enforcement of the pluginWorkspaceBase is applied
+		WithWorkspaceFromURL("/test", repoURL),
+	)
+	defaultNetwork := &backend_types.Network{
+		Name: "test_default",
+	}
+	defaultVolume := &backend_types.Volume{
+		Name: "test_default",
+	}
+	defaultCloneStage := &backend_types.Stage{
+		Steps: []*backend_types.Step{{
+			Name:          "clone",
+			Type:          backend_types.StepTypeClone,
+			Image:         constant.DefaultClonePlugin,
+			OnSuccess:     true,
+			Failure:       "fail",
+			WorkingDir:    "/woodpecker/src/github.com/octocat/hello-world",
+			WorkspaceBase: "/woodpecker",
+			Volumes:       []string{defaultVolume.Name + ":/woodpecker"},
+			Networks:      []backend_types.Conn{{Name: "test_default", Aliases: []string{"clone"}}},
+			ExtraHosts:    []backend_types.HostAlias{},
+		}},
+	}
+	tests := []struct {
+		name        string
+		fronConf    *yaml_types.Workflow
+		backConf    *backend_types.Config
+		expectedErr string
+	}{
+		{
+			name: "workflow with missing secret",
+			fronConf: &yaml_types.Workflow{Steps: yaml_types.ContainerList{ContainerList: []*yaml_types.Container{{
+				Name:     "step",
+				Image:    "bash",
+				Commands: []string{"env"},
+				Environment: yaml_base_types.EnvironmentMap{
+					"SECRET": map[string]any{"from_secret": "secret_name"},
+				},
+			}}}},
+			backConf: &backend_types.Config{
+				Stages: []*backend_types.Stage{defaultCloneStage, {
+					Steps: []*backend_types.Step{{
+						Name:          "step",
+						Type:          backend_types.StepTypeCommands,
+						Image:         "bash",
+						Commands:      []string{"env"},
+						OnSuccess:     true,
+						Failure:       "fail",
+						WorkingDir:    "/test/src/github.com/octocat/hello-world",
+						WorkspaceBase: "/test",
+						Volumes:       []string{defaultVolume.Name + ":/test"},
+						Networks:      []backend_types.Conn{{Name: "test_default", Aliases: []string{"step"}}},
+						ExtraHosts:    []backend_types.HostAlias{},
+						SecretMapping: map[string]string{
+							"SECRET": "VERY_SECRET",
+						},
+					}},
+				}},
+				Volume:  defaultVolume,
+				Network: defaultNetwork,
+				Secrets: []*backend_types.Secret{{
+					Name:  "secret_name",
+					Value: "VERY_SECRET",
+				}},
+			},
+			expectedErr: "",
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			backConf, err := compiler.Compile(test.fronConf)
+			if test.expectedErr != "" {
+				assert.Error(t, err)
+				assert.Equal(t, test.expectedErr, err.Error())
+			} else {
+				// we ignore uuids in steps and only check if global env got set ...
+				for _, st := range backConf.Stages {
+					for _, s := range st.Steps {
+						s.UUID = ""
+						assert.Truef(t, s.Environment["VERBOSE"] == "true", "expected to get value of global set environment")
+						assert.Truef(t, len(s.Environment) > 10, "expected to have a lot of built-in variables")
+						s.Environment = nil
+
+						if len(s.SecretMapping) == 0 {
+							s.SecretMapping = nil
+						}
 					}
 				}
 				// check if we get an expected backend config based on a frontend config