Remove all default privileged plugins (#4053)
parent
6feab0093f
commit
32d1ec7cec
10 changed files with 22 additions and 28 deletions
|
@ -185,9 +185,12 @@ func execWithAxis(ctx context.Context, c *cli.Command, file, repoPath string, ax
|
||||||
volumes = append(volumes, repoPath+":"+path.Join(workspaceBase, workspacePath))
|
volumes = append(volumes, repoPath+":"+path.Join(workspaceBase, workspacePath))
|
||||||
}
|
}
|
||||||
|
|
||||||
|
privilegedPlugins := c.StringSlice("plugins-privileged")
|
||||||
|
|
||||||
// lint the yaml file
|
// lint the yaml file
|
||||||
err = linter.New(
|
err = linter.New(
|
||||||
linter.WithTrusted(true),
|
linter.WithTrusted(true),
|
||||||
|
linter.PrivilegedPlugins(privilegedPlugins),
|
||||||
linter.WithTrustedClonePlugins(constant.TrustedClonePlugins),
|
linter.WithTrustedClonePlugins(constant.TrustedClonePlugins),
|
||||||
).Lint([]*linter.WorkflowConfig{{
|
).Lint([]*linter.WorkflowConfig{{
|
||||||
File: path.Base(file),
|
File: path.Base(file),
|
||||||
|
@ -205,7 +208,7 @@ func execWithAxis(ctx context.Context, c *cli.Command, file, repoPath string, ax
|
||||||
// compiles the yaml file
|
// compiles the yaml file
|
||||||
compiled, err := compiler.New(
|
compiled, err := compiler.New(
|
||||||
compiler.WithEscalated(
|
compiler.WithEscalated(
|
||||||
c.StringSlice("privileged")...,
|
privilegedPlugins...,
|
||||||
),
|
),
|
||||||
compiler.WithVolumes(volumes...),
|
compiler.WithVolumes(volumes...),
|
||||||
compiler.WithWorkspace(
|
compiler.WithWorkspace(
|
||||||
|
|
|
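Review bot: The new option call `linter.PrivilegedPlugins(privilegedPlugins)` breaks the `With*` naming that its neighbours `linter.WithTrusted(true)` and `linter.WithTrustedClonePlugins(...)` use in the same option list. Its definition is outside this hunk, so this is an inference, but if the option is introduced by this change, `linter.WithPrivilegedPlugins(privilegedPlugins)` would keep the option set uniform; the same call is repeated in the `lintFile` hunk further down. `execWithAxis` starts and ends outside the hunk.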
@ -18,8 +18,6 @@ import (
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
"github.com/urfave/cli/v3"
|
"github.com/urfave/cli/v3"
|
||||||
|
|
||||||
"go.woodpecker-ci.org/woodpecker/v2/shared/constant"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
var flags = []cli.Flag{
|
var flags = []cli.Flag{
|
||||||
|
@ -58,9 +56,9 @@ var flags = []cli.Flag{
|
||||||
Hidden: true,
|
Hidden: true,
|
||||||
},
|
},
|
||||||
&cli.StringSliceFlag{
|
&cli.StringSliceFlag{
|
||||||
Name: "privileged",
|
Sources: cli.EnvVars("WOODPECKER_PLUGINS_PRIVILEGED"),
|
||||||
Usage: "privileged plugins",
|
Name: "plugins-privileged",
|
||||||
Value: constant.PrivilegedPlugins,
|
Usage: "Allow plugins to run in privileged mode, if environment variable is defined but empty there will be none",
|
||||||
},
|
},
|
||||||
&cli.StringFlag{
|
&cli.StringFlag{
|
||||||
Sources: cli.EnvVars("WOODPECKER_BACKEND"),
|
Sources: cli.EnvVars("WOODPECKER_BACKEND"),
|
||||||
|
|
|
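Review bot: The `&cli.StringSliceFlag{Sources: cli.EnvVars("WOODPECKER_PLUGINS_PRIVILEGED"), Name: "plugins-privileged", Usage: "Allow plugins to run in privileged mode, ..."}` literal is now written out three times, here, in the lint command's `Flags` hunk and in the server `flags` hunk below, so the env-variable name and the usage text have to be kept in sync by hand. A single shared flag value (for example a package-level `var PluginsPrivilegedFlag = &cli.StringSliceFlag{...}` in a package all three commands already import) would make the privileged-plugin surface change in one place. The `flags` declaration continues outside the hunk.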
@ -37,6 +37,11 @@ var Command = &cli.Command{
|
||||||
ArgsUsage: "[path/to/.woodpecker.yaml]",
|
ArgsUsage: "[path/to/.woodpecker.yaml]",
|
||||||
Action: lint,
|
Action: lint,
|
||||||
Flags: []cli.Flag{
|
Flags: []cli.Flag{
|
||||||
|
&cli.StringSliceFlag{
|
||||||
|
Sources: cli.EnvVars("WOODPECKER_PLUGINS_PRIVILEGED"),
|
||||||
|
Name: "plugins-privileged",
|
||||||
|
Usage: "Allow plugins to run in privileged mode, if environment variable is defined but empty there will be none",
|
||||||
|
},
|
||||||
&cli.StringSliceFlag{
|
&cli.StringSliceFlag{
|
||||||
Sources: cli.EnvVars("WOODPECKER_PLUGINS_TRUSTED_CLONE"),
|
Sources: cli.EnvVars("WOODPECKER_PLUGINS_TRUSTED_CLONE"),
|
||||||
Name: "plugins-trusted-clone",
|
Name: "plugins-trusted-clone",
|
||||||
|
@ -106,6 +111,7 @@ func lintFile(_ context.Context, c *cli.Command, file string) error {
|
||||||
// TODO: lint multiple files at once to allow checks for sth like "depends_on" to work
|
// TODO: lint multiple files at once to allow checks for sth like "depends_on" to work
|
||||||
err = linter.New(
|
err = linter.New(
|
||||||
linter.WithTrusted(true),
|
linter.WithTrusted(true),
|
||||||
|
linter.PrivilegedPlugins(c.StringSlice("plugins-privileged")),
|
||||||
linter.WithTrustedClonePlugins(c.StringSlice("plugins-trusted-clone")),
|
linter.WithTrustedClonePlugins(c.StringSlice("plugins-trusted-clone")),
|
||||||
).Lint([]*linter.WorkflowConfig{config})
|
).Lint([]*linter.WorkflowConfig{config})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
|
|
@ -160,10 +160,9 @@ var flags = append([]cli.Flag{
|
||||||
Value: time.Hour * 72,
|
Value: time.Hour * 72,
|
||||||
},
|
},
|
||||||
&cli.StringSliceFlag{
|
&cli.StringSliceFlag{
|
||||||
Sources: cli.EnvVars("WOODPECKER_ESCALATE"),
|
Sources: cli.EnvVars("WOODPECKER_PLUGINS_PRIVILEGED"),
|
||||||
Name: "escalate",
|
Name: "plugins-privileged",
|
||||||
Usage: "Allow plugins to run in privileged mode, if environment variable is defined but empty there will be none",
|
Usage: "Allow plugins to run in privileged mode, if environment variable is defined but empty there will be none",
|
||||||
Value: constant.PrivilegedPlugins,
|
|
||||||
},
|
},
|
||||||
&cli.StringSliceFlag{
|
&cli.StringSliceFlag{
|
||||||
Sources: cli.EnvVars("WOODPECKER_PLUGINS_TRUSTED_CLONE"),
|
Sources: cli.EnvVars("WOODPECKER_PLUGINS_TRUSTED_CLONE"),
|
||||||
|
|
|
@ -224,12 +224,7 @@ func setupEvilGlobals(ctx context.Context, c *cli.Command, s store.Store) error
|
||||||
server.Config.Pipeline.Volumes = c.StringSlice("volume")
|
server.Config.Pipeline.Volumes = c.StringSlice("volume")
|
||||||
server.Config.WebUI.EnableSwagger = c.Bool("enable-swagger")
|
server.Config.WebUI.EnableSwagger = c.Bool("enable-swagger")
|
||||||
server.Config.WebUI.SkipVersionCheck = c.Bool("skip-version-check")
|
server.Config.WebUI.SkipVersionCheck = c.Bool("skip-version-check")
|
||||||
|
server.Config.Pipeline.PrivilegedPlugins = c.StringSlice("plugins-privileged")
|
||||||
// list has default value but should be able to be set to zero
|
|
||||||
server.Config.Pipeline.PrivilegedPlugins = c.StringSlice("escalate")
|
|
||||||
if val, set := os.LookupEnv("WOODPECKER_ESCALATE"); set && val == "" {
|
|
||||||
server.Config.Pipeline.PrivilegedPlugins = []string{}
|
|
||||||
}
|
|
||||||
|
|
||||||
// prometheus
|
// prometheus
|
||||||
server.Config.Prometheus.AuthToken = c.String("prometheus-auth-token")
|
server.Config.Prometheus.AuthToken = c.String("prometheus-auth-token")
|
||||||
|
|
|
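Review bot: The removed `os.LookupEnv("WOODPECKER_ESCALATE")` guard was the code that made the flag's promise "if environment variable is defined but empty there will be none" hold; the new plain `server.Config.Pipeline.PrivilegedPlugins = c.StringSlice("plugins-privileged")` relies instead on the flag carrying no `Value:` default (dropped in the server flags hunk above), which is correct but invisible at this line. A short comment would protect that invariant: `// no default on the flag: an unset or empty WOODPECKER_PLUGINS_PRIVILEGED yields no privileged plugins`. Since the old variable is dropped without an alias, an operator who still exports `WOODPECKER_ESCALATE` silently ends up with no privileged plugins, which fails closed but is hard to diagnose; a startup check such as `if _, set := os.LookupEnv("WOODPECKER_ESCALATE"); set { /* log that it was renamed to WOODPECKER_PLUGINS_PRIVILEGED */ }` would surface the misconfiguration. `setupEvilGlobals` continues outside the hunk.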
@ -348,9 +348,7 @@ Context: when someone does log into Woodpecker, a temporary session token is cre
|
||||||
As long as the session is valid (until it expires or log-out),
|
As long as the session is valid (until it expires or log-out),
|
||||||
a user can log into Woodpecker, without re-authentication.
|
a user can log into Woodpecker, without re-authentication.
|
||||||
|
|
||||||
### `WOODPECKER_ESCALATE`
|
### `WOODPECKER_PLUGINS_PRIVILEGED`
|
||||||
|
|
||||||
> Defaults are defined in [shared/constant/constant.go](https://github.com/woodpecker-ci/woodpecker/blob/main/shared/constant/constant.go)
|
|
||||||
|
|
||||||
Docker images to run in privileged mode. Only change if you are sure what you do!
|
Docker images to run in privileged mode. Only change if you are sure what you do!
|
||||||
|
|
||||||
|
|
|
@ -4,9 +4,10 @@ Some versions need some changes to the server configuration or the pipeline conf
|
||||||
|
|
||||||
## `next`
|
## `next`
|
||||||
|
|
||||||
|
- Rename server environment variable `WOODPECKER_ESCALATE` to `WOODPECKER_PLUGINS_PRIVILEGED`
|
||||||
|
- Remove all default privileged plugins ([re-add plugins to the list via config if needed](./30-administration/10-server-config.md#woodpecker_plugins_privileged)).
|
||||||
- `WOODPECKER_DEFAULT_CLONE_IMAGE` got depricated use `WOODPECKER_DEFAULT_CLONE_PLUGIN`
|
- `WOODPECKER_DEFAULT_CLONE_IMAGE` got depricated use `WOODPECKER_DEFAULT_CLONE_PLUGIN`
|
||||||
- Check trusted-clone- and privileged-plugins by image name and tag (if tag is set)
|
- Check trusted-clone- and privileged-plugins by image name and tag (if tag is set)
|
||||||
- Remove `plugins/docker`, `plugins/gcr` and `plugins/ecr` from the default list of privileged plugins ([modify the list via config if needed](./30-administration/10-server-config.md#woodpecker_escalate)).
|
|
||||||
- Secret filters for plugins now check against tag if specified
|
- Secret filters for plugins now check against tag if specified
|
||||||
- Removed `WOODPECKER_DEV_OAUTH_HOST` and `WOODPECKER_DEV_GITEA_OAUTH_URL` use `WOODPECKER_EXPERT_FORGE_OAUTH_HOST`
|
- Removed `WOODPECKER_DEV_OAUTH_HOST` and `WOODPECKER_DEV_GITEA_OAUTH_URL` use `WOODPECKER_EXPERT_FORGE_OAUTH_HOST`
|
||||||
- Compatibility mode of deprecated `pipeline:`, `platform:` and `branches:` pipeline config options are now removed and pipeline will now fail if still in use.
|
- Compatibility mode of deprecated `pipeline:`, `platform:` and `branches:` pipeline config options are now removed and pipeline will now fail if still in use.
|
||||||
|
|
|
@ -168,8 +168,8 @@ func (l *Linter) lintImage(config *WorkflowConfig, c *types.Container, area stri
|
||||||
|
|
||||||
func (l *Linter) lintPrivilegedPlugins(config *WorkflowConfig, c *types.Container, area string) error {
|
func (l *Linter) lintPrivilegedPlugins(config *WorkflowConfig, c *types.Container, area string) error {
|
||||||
// lint for conflicts of https://github.com/woodpecker-ci/woodpecker/pull/3918
|
// lint for conflicts of https://github.com/woodpecker-ci/woodpecker/pull/3918
|
||||||
if utils.MatchImage(c.Image, "plugins/docker", "plugins/gcr", "plugins/ecr") {
|
if utils.MatchImage(c.Image, "plugins/docker", "plugins/gcr", "plugins/ecr", "woodpeckerci/plugin-docker-buildx") {
|
||||||
msg := "Cannot use once privileged plugins removed from WOODPECKER_ESCALATE, use 'woodpeckerci/plugin-docker-buildx' instead"
|
msg := "Cannot use once by default privileged plugins, if needed add it too WOODPECKER_PLUGINS_PRIVILEGED"
|
||||||
// check first if user did not add them back
|
// check first if user did not add them back
|
||||||
if l.privilegedPlugins != nil && !utils.MatchImage(c.Image, *l.privilegedPlugins...) {
|
if l.privilegedPlugins != nil && !utils.MatchImage(c.Image, *l.privilegedPlugins...) {
|
||||||
return newLinterError(msg, config.File, fmt.Sprintf("%s.%s", area, c.Name), false)
|
return newLinterError(msg, config.File, fmt.Sprintf("%s.%s", area, c.Name), false)
|
||||||
|
|
|
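Review bot: The new lint message `"Cannot use once by default privileged plugins, if needed add it too WOODPECKER_PLUGINS_PRIVILEGED"` has a typo ("too" for "to") and reads awkwardly, and it is user-facing and pinned by the test hunk below, so both copies need the same fix; something like `msg := "Cannot use plugins that were privileged by default; if needed, add them to WOODPECKER_PLUGINS_PRIVILEGED"` with the `want:` string in `TestLintErrors` updated to match. Separately, the deleted `constant.PrivilegedPlugins` listed both `docker.io/woodpeckerci/plugin-docker-buildx` and `codeberg.org/woodpecker-plugins/docker-buildx`, while the extended `utils.MatchImage` list here only adds `woodpeckerci/plugin-docker-buildx`; whether `MatchImage` treats the codeberg mirror as the same image cannot be told from this hunk, so it is worth confirming that the second name is also caught. `lintPrivilegedPlugins` continues outside the hunk.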
@ -171,7 +171,7 @@ func TestLintErrors(t *testing.T) {
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
from: "{steps: { build: { image: plugins/docker, settings: { test: 'true' } } }, when: { branch: main, event: push } } }",
|
from: "{steps: { build: { image: plugins/docker, settings: { test: 'true' } } }, when: { branch: main, event: push } } }",
|
||||||
want: "Cannot use once privileged plugins removed from WOODPECKER_ESCALATE, use 'woodpeckerci/plugin-docker-buildx' instead",
|
want: "Cannot use once by default privileged plugins, if needed add it too WOODPECKER_PLUGINS_PRIVILEGED",
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
from: "{steps: { build: { image: golang, settings: { test: 'true' } } }, when: { branch: main, event: push }, clone: { git: { image: some-other/plugin-git:v1.1.0 } } }",
|
from: "{steps: { build: { image: golang, settings: { test: 'true' } } }, when: { branch: main, event: push }, clone: { git: { image: some-other/plugin-git:v1.1.0 } } }",
|
||||||
|
|
|
@ -14,12 +14,6 @@
|
||||||
|
|
||||||
package constant
|
package constant
|
||||||
|
|
||||||
// PrivilegedPlugins can be changed by 'WOODPECKER_ESCALATE' at runtime.
|
|
||||||
var PrivilegedPlugins = []string{
|
|
||||||
"docker.io/woodpeckerci/plugin-docker-buildx",
|
|
||||||
"codeberg.org/woodpecker-plugins/docker-buildx",
|
|
||||||
}
|
|
||||||
|
|
||||||
// DefaultConfigOrder represent the priority in witch woodpecker search for a pipeline config by default
|
// DefaultConfigOrder represent the priority in witch woodpecker search for a pipeline config by default
|
||||||
// folders are indicated by supplying a trailing slash.
|
// folders are indicated by supplying a trailing slash.
|
||||||
var DefaultConfigOrder = [...]string{
|
var DefaultConfigOrder = [...]string{
|
||||||
|
|