Allow volumes to be mounted for all plugin containers #993

Closed
3 tasks done
mfilz opened this issue Jun 19, 2022 · 4 comments · Fixed by #1203
@mfilz
mfilz commented Jun 19, 2022

Clear and concise description of the problem

I try to use Woodpecker with a non-publicly reachable (Gitea) repository. It's using a certificate not verifiable via standard (i.e. included in standard images) CAs. I can mount /etc/ssl/certs into my woodpecker ui/agent containers, but this doesn't help with any plugins - including the one used to clone the repo, which then fails due to an SSL error.

Suggested solution

Allowing to configure a common mount for all plugin containers (maybe optionally RO) would make it possible to provide such system settings/files without requiring an admin to label every single repo as trusted and dealing with the security implications of mounting arbitrary paths via CI YAML.
This might even help with caching as mentioned in #758 or provide other common resources.

Alternative

  • making all containers trusted and manually configure the clone step with volume mounts - This is terrible for security and quite the hassle on top of it.
  • building custom plugin containers with updated CAs - This will still require every repo to configure a custom clone step and requires building (and keeping up to date) of plugin containers as well as a private registry to those container images.

Additional context

No response

@Cyb3rDudu

I have the same issue in a Kubernetes cluster where I offload ssl at the load balancer.
I can pass the certificate to the agent and the dind container but I didn't find any documentation on how to pass it to the plugins.
I can work around it with skip_verify in the clone step but having a possibility to pass my ca-cert to the runner would be highly appreciated.

@anbraten
Member

@jamu85 You can configure a custom clone step and load the ca via custom_ssl_url: https://woodpecker-ci.org/plugins/plugin-git

@Cyb3rDudu

@anbraten I know that I can create the custom clone step. That's how I skip verification. But I would like to have a possibility to pass the certificate to avoid having a custom clone step.
Is there anything similar to DRONE_RUNNER_VOLUME?

@lafriks
Contributor

lafriks commented Sep 24, 2022

This would also help not only with git but also with other container images that do not support providing an option like skip verify or anything like that.
