mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-06 06:46:26 +01:00
52 lines
1.5 KiB
Plaintext
52 lines
1.5 KiB
Plaintext
// Module included in the following assemblies:
|
|
//
|
|
// * security/container_security/security-build.adoc
|
|
|
|
[id="security-build-inputs_{context}"]
|
|
= Securing inputs during builds
|
|
|
|
In some scenarios, build operations require credentials to access dependent
|
|
resources, but it is undesirable for those credentials to be available in the
|
|
final application image produced by the build. You can define input secrets for
|
|
this purpose.
|
|
|
|
For example, when building a Node.js application, you can set up your private
|
|
mirror for Node.js modules. In order to download modules from that private
|
|
mirror, you must supply a custom `.npmrc` file for the build that contains
|
|
a URL, user name, and password. For security reasons, you do not want to expose
|
|
your credentials in the application image.
|
|
|
|
Using this example scenario, you can add an input secret to a new `BuildConfig`:
|
|
|
|
. Create the secret, if it does not exist:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc create secret generic secret-npmrc --from-file=.npmrc=~/.npmrc
|
|
----
|
|
+
|
|
This creates a new secret named `secret-npmrc`, which contains the base64
|
|
encoded content of the `~/.npmrc` file.
|
|
|
|
. Add the secret to the `source` section in the existing `BuildConfig`:
|
|
+
|
|
[source,yaml]
|
|
----
|
|
source:
|
|
git:
|
|
uri: https://github.com/sclorg/nodejs-ex.git
|
|
secrets:
|
|
- destinationDir: .
|
|
secret:
|
|
name: secret-npmrc
|
|
----
|
|
|
|
. To include the secret in a new `BuildConfig`, run the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc new-build \
|
|
openshift/nodejs-010-centos7~https://github.com/sclorg/nodejs-ex.git \
|
|
--build-secret secret-npmrc
|
|
----
|