Skip to content

Commit 68c3fae

Browse files
committed
systemd/crc-pullsecret.sh: don't leak the pull secrets
1 parent 749e92d commit 68c3fae

1 file changed

Lines changed: 17 additions & 4 deletions

File tree

systemd/crc-pullsecret.sh

Lines changed: 17 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -1,20 +1,33 @@
11
#!/bin/bash
22

3+
set -o pipefail
4+
set -o errexit
5+
set -o nounset
6+
set -o errtrace
37
set -x
48

59
source /usr/local/bin/crc-systemd-common.sh
610
export KUBECONFIG="/opt/kubeconfig"
711

812
wait_for_resource secret
913

14+
set +x # disable the logging to avoid leaking the pull secrets
15+
1016
# check if existing pull-secret is valid if not add the one from /opt/crc/pull-secret
1117
existingPsB64=$(oc get secret pull-secret -n openshift-config -o jsonpath="{['data']['\.dockerconfigjson']}")
1218
existingPs=$(echo "${existingPsB64}" | base64 -d)
1319

14-
echo "${existingPs}" | jq -e '.auths'
20+
# check if the .auths field is there
21+
echo "${existingPs}" | jq -e '.auths' > /dev/null
22+
has_auths_field=$?
1523

16-
if [[ $? != 0 ]]; then
17-
pullSecretB64=$(base64 -w0 < /opt/crc/pull-secret)
18-
oc patch secret pull-secret -n openshift-config --type merge -p "{\"data\":{\".dockerconfigjson\":\"${pullSecretB64}\"}}"
24+
if [[ $has_auths_field == 0 ]]; then
25+
echo "Cluster already has the pull secrets, nothing to do"
26+
exit 0
1927
fi
2028

29+
echo "Cluster doesn't have the pull secrets. Setting them from /opt/crc/pull-secret ..."
30+
pullSecretB64=$(base64 -w0 < /opt/crc/pull-secret)
31+
oc patch secret pull-secret -n openshift-config --type merge -p "{\"data\":{\".dockerconfigjson\":\"${pullSecretB64}\"}}"
32+
33+
exit 0

0 commit comments

Comments
 (0)