mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
48 lines
1.6 KiB
Plaintext
48 lines
1.6 KiB
Plaintext
// Module included in the following assemblies:
|
|
//
|
|
// * security/container_security/security-build.adoc
|
|
|
|
:_mod-docs-content-type: PROCEDURE
|
|
[id="security-build-inputs_{context}"]
|
|
= Securing inputs during builds
|
|
|
|
In some scenarios, build operations require credentials to access dependent resources, but it is undesirable for those credentials to be available in the final application image produced by the build. You can define input secrets for this purpose.
|
|
|
|
For example, when building a Node.js application, you can set up your private mirror for Node.js modules. To download modules from that private mirror, you must supply a custom `.npmrc` file for the build that contains
|
|
a URL, user name, and password. For security reasons, you do not want to expose your credentials in the application image.
|
|
|
|
Using this example scenario, you can add an input secret to a new `BuildConfig` object.
|
|
|
|
.Procedure
|
|
|
|
. Create the secret, if it does not exist:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc create secret generic secret-npmrc --from-file=.npmrc=~/.npmrc
|
|
----
|
|
+
|
|
This creates a new secret named `secret-npmrc`, which contains the base64 encoded content of the `~/.npmrc` file.
|
|
|
|
. Add the secret to the `source` section in the existing `BuildConfig` object:
|
|
+
|
|
[source,yaml]
|
|
----
|
|
source:
|
|
git:
|
|
uri: https://github.com/sclorg/nodejs-ex.git
|
|
secrets:
|
|
- destinationDir: .
|
|
secret:
|
|
name: secret-npmrc
|
|
----
|
|
|
|
. To include the secret in a new `BuildConfig` object, run the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc new-build \
|
|
openshift/nodejs-010-centos7~https://github.com/sclorg/nodejs-ex.git \
|
|
--build-secret secret-npmrc
|
|
----
|