Hello there !
I wonder about a specific topic because I would like to integrate some mender management api in my continuous integration tests in GitHub/GitLab. My concern is about keeping the authentication material private, eg username/password or token that permit interaction with the api.
Difficulty: when accepting external contributions, anyone is able, through the CI to print environment variables or dump configuration or binary files in the shell, which mean they can access the secrets if not properly hidden.
I have imagined several things but at the moment I keep the followings:
- using mender-cli in an external docker, with JSON configuration file mounted as a volume. But how to give access mender-cli without exposing the configuration file ? (As an additional note mender-cli doesn’t provide all api, but this is only current status and can change)
- creating a specific service in a docker or other physical machine, that is invoked let say using http or TCP socket to execute commands on the mender api, and implemented such a way the secrets can t be returned to the executor. Of course all other access point closed, particularly ssh etc.
Mender-cli is designed to be used in CI. Anyone succeeded to solve this issue to not expose secrets ?
Anyone tried to do something looking like the second solution ? I will be pleased to contribute if something public has started. I imagine simple php pages or a service written in C or … Plenty of ideas
If you are also interested by this topic, write to indicate your interest. I m already thinking if I dont find an existing and simple solution I will start a public work on that and share it on my GitHub:-D
Edit: other option is to require review and approval of pull requests from the external contributions to execute the CI each time it is updated. Should work for most cases probably, relies on seriousness of reviewers.
But what is engineering if not trying to find other nice solution to a problem ?