Allow volumes to be mounted for all plugin containers
Clear and concise description of the problem
I try to use Woodpecker with a non-publicly-reachable (Gitea) repository. It's using a certificate not verifiable via the standard CAs (i.e. those included in standard images). I can mount /etc/ssl/certs into my Woodpecker UI/agent containers, but this doesn't help with any plugins, including the one used to clone the repo, which then fails due to an SSL error.
Suggested solution
Allowing a common mount to be configured for all plugin containers (maybe optionally RO) would make it possible to provide such system settings/files without requiring an admin to label every single repo as trusted and deal with the security implications of mounting arbitrary paths via CI YAML. This might even help with caching as mentioned in #758 or provide other common resources.
Alternative
- Making all containers trusted and manually configuring the clone step with volume mounts. This is terrible for security and quite the hassle on top of it.
- Building custom plugin containers with updated CAs. This will still require every repo to configure a custom clone step and requires building (and keeping up to date) plugin containers as well as a private registry for those container images.
Additional context
No response
Validations
- [X] Read the Contributing Guidelines.
- [X] Read the docs.
- [X] Check that there isn't already an issue that requests the same feature to avoid creating a duplicate.
I have the same issue in a Kubernetes cluster where I offload SSL at the load balancer. I can pass the certificate to the agent and the dind container, but I didn't find documentation on passing it to the plugins. I can work around it with skip_verify in the clone step, but having a possibility to pass my CA cert to the runner would be highly appreciated.
@jamu85 You can configure a custom clone step and load the CA via custom_ssl_url: https://woodpecker-ci.org/plugins/plugin-git
@anbraten I know that I can create the custom clone step. That's how I skip verification. But I would like to have a possibility to pass the certificate to avoid having a custom clone step. Is there anything similar to DRONE_RUNNER_VOLUME?
This would also help not only with git but also with other container images that do not support providing an option like skip verify or anything like that.
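The three workarounds raised in this thread, written out as pipeline YAML so the trade-offs can be compared side by side. This is an added example, not code from the issue or from the Woodpecker project. It assumes the pipeline syntax with a top-level `clone:` section and plugin `settings:`, that the clone step accepts the same `volumes:` key as a normal step, and that `custom_ssl_url` points at a PEM file the plugin appends to its trust store; the CA URL and the host bundle path are placeholder values. Check the keys against the plugin-git docs for your Woodpecker version before relying on them.

```yaml
# Added example, not from the issue or the Woodpecker project.
# Each YAML document below is one complete `clone:` section; a pipeline
# uses exactly one of them.

# Variant A (jamu85's workaround): disables TLS verification for the
# clone. The repository contents can then be served by any host on the
# path to the Gitea instance.
clone:
  git:
    image: woodpeckerci/plugin-git
    settings:
      skip_verify: true   # weak setting: no certificate validation

---
# Variant B (anbraten's suggestion): keep verification and let the plugin
# fetch the private CA. `custom_ssl_url` is the option named in the thread;
# the URL is an assumed placeholder. It must be served by a host the plugin
# already trusts (or over plain HTTP on a network you control), otherwise
# the CA itself is fetched without verification and nothing is gained.
clone:
  git:
    image: woodpeckerci/plugin-git
    settings:
      custom_ssl_url: https://ca.example.internal/root-ca.pem   # assumed

---
# Variant C (the issue's first alternative): mount the host's CA bundle
# into the clone step read-only. Assumes the clone step takes `volumes:`
# like a normal step; this only works for repositories marked trusted,
# which is the admin burden the issue asks to avoid.
clone:
  git:
    image: woodpeckerci/plugin-git
    volumes:
      - /etc/ssl/certs:/etc/ssl/certs:ro   # host path assumed
```

Variants B and C keep certificate validation and differ only in where the trust anchor comes from; variant A removes it and should be treated as a stop-gap, not a configuration to leave in place.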