fix: introduce per-job cert volume with %gcl% token#1877
Open
ticapix wants to merge 1 commit into
Conversation
Jobs using docker:dind as a service share TLS client certificates via a named volume. The previous approach relied on a static volume name (e.g. `certs`) configured in .gitlab-ci-local-env, which caused race conditions when concurrent jobs wrote to and cleaned up the same volume. A new `%gcl%:` prefix in VOLUME entries is now resolved at runtime to a per-job unique volume name (`gcl-<job>-<id>-cert`), matching the naming pattern of the existing build/tmp volumes. The `%gcl%` token was chosen because Docker hard-rejects it if it ever reaches the daemon unsubstituted (invalid volume name character), rather than silently bind-mounting an unintended host path.

Changes:
- `get certVolumeName()` getter returning a per-job unique name
- Cert volume is created and registered for cleanup alongside build/tmp volumes when any `%gcl%:` entry is present in argv.volume
- `%gcl%:` prefix is resolved to certVolumeName in both the job container and service container volume loops
Hello,

This addresses #918

Jobs using docker:dind as a service share TLS client certificates via a named volume. The previous approach relied on a static volume name (e.g. `certs`) configured in .gitlab-ci-local-env, which caused race conditions when concurrent jobs wrote to and cleaned up the same volume, each dind service writing its own certificates. A new `%gcl-cert%:` prefix in VOLUME entries is now resolved at runtime to a per-job unique volume name (`gcl-<job>-<id>-cert`), matching the naming pattern of the existing build/tmp volumes. The `%gcl-cert%` token was chosen because Docker hard-rejects it if it ever reaches the daemon unsubstituted (invalid volume name character), rather than silently bind-mounting an unintended host path.

Changes:
I'm not sure how to add a test.
I used this config to test the implementation
The .gitlab-ci-local-env looks like

Summary by cubic

Adds a per-job cert volume for Docker-in-Docker by introducing a `%gcl-cert%:` volume token. This prevents cross-job TLS cert races and cleanup conflicts when jobs run in parallel.

Bug Fixes
- Adds `certVolumeName` (`gcl-<job>-<id>-cert`) when any `argv.volume` starts with `%gcl-cert%:`, matching build/tmp naming.
- Resolves `%gcl-cert%:` at runtime for job and service `--volume` flags so the token never reaches Docker, avoiding accidental host bind mounts.

Migration
- Replace `certs:/certs/client` with `%gcl-cert%:/certs/client` to enable per-job isolation.

Written for commit e3fcf9a. Summary will update on new commits.
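The substitution described in this pull request, written out as an added example in TypeScript (the language gitlab-ci-local is written in); this is not the project's own code and does not reproduce its internals. It assumes illustrative function names (`certVolumeName`, `resolveVolumes`, `checkResolved`), a constructed VOLUME list, and a minimal job-name sanitisation step. The one fact it relies on beyond the page is Docker's restricted-name rule for volume names (`[a-zA-Z0-9][a-zA-Z0-9_.-]*`), which is what makes an unsubstituted `%gcl-cert%:` fail loudly instead of becoming a bind mount. The `classifyVolumeSource` guard shows that fail-closed property locally, so a regression that lets the token through is caught before `docker` is spawned.

```typescript
// Added example, not gitlab-ci-local's own code. Demonstrates the runtime
// substitution the PR describes: a "%gcl-cert%:" prefix in a --volume entry
// becomes a per-job named volume "gcl-<job>-<id>-cert". The job names, ids
// and function names below are illustrative assumptions.

const CERT_TOKEN = "%gcl-cert%:";

// Docker's restricted-name rule for named volumes: '%' is not allowed, which
// is why a leaked, unsubstituted token is rejected by the daemon rather than
// silently treated as a host path.
const DOCKER_VOLUME_NAME = /^[a-zA-Z0-9][a-zA-Z0-9_.-]*$/;

// Per-job unique volume name following the build/tmp naming pattern.
// Assumption: job names may contain characters Docker rejects, so they are
// reduced to the allowed set first (hyphen substitution is our choice here).
export function certVolumeName(jobName: string, jobId: number): string {
  const safe = jobName.replace(/[^a-zA-Z0-9_.-]/g, "-");
  return `gcl-${safe}-${jobId}-cert`;
}

// True when any VOLUME entry uses the token, i.e. the cert volume has to be
// created and registered for cleanup together with the build/tmp volumes.
export function needsCertVolume(volumes: string[]): boolean {
  return volumes.some((v) => v.startsWith(CERT_TOKEN));
}

// Rewrite "%gcl-cert%:<dest>" to "<certVolumeName>:<dest>"; other entries
// pass through untouched. Applied to both job and service volume lists.
export function resolveVolumes(volumes: string[], jobName: string, jobId: number): string[] {
  const name = certVolumeName(jobName, jobId);
  return volumes.map((v) => (v.startsWith(CERT_TOKEN) ? `${name}:${v.slice(CERT_TOKEN.length)}` : v));
}

// Classify the source half of a volume spec the way the daemon would:
// a path is a bind mount, anything else must be a valid named volume.
export type VolumeKind = "bind" | "named" | "invalid";
export function classifyVolumeSource(spec: string): VolumeKind {
  const idx = spec.indexOf(":");
  const src = idx < 0 ? spec : spec.slice(0, idx);
  if (src.startsWith("/") || src.startsWith("./") || src.startsWith("../")) return "bind";
  return DOCKER_VOLUME_NAME.test(src) ? "named" : "invalid";
}

// Guard to run before spawning docker: every entry must be an explicit bind
// path or a valid named volume. A leftover token is a bug, not a mount.
export function checkResolved(volumes: string[]): string[] {
  const bad = volumes.filter((v) => classifyVolumeSource(v) === "invalid");
  if (bad.length > 0) {
    throw new Error(`unresolved or invalid volume source: ${bad.join(", ")}`);
  }
  return volumes;
}

// Walk-through on constructed input: two concurrent jobs read the same
// .gitlab-ci-local-env VOLUME list, yet each ends up with its own cert volume.
const envVolumes = ["%gcl-cert%:/certs/client", "/var/cache/pip:/root/.cache/pip"];
for (const [job, id] of [["build", 1], ["test", 2]] as const) {
  console.log(job, needsCertVolume(envVolumes), checkResolved(resolveVolumes(envVolumes, job, id)));
}
```

Running it prints `gcl-build-1-cert:/certs/client` for the first job and `gcl-test-2-cert:/certs/client` for the second, while the plain bind mount is passed through unchanged; feeding `checkResolved` an entry that still carries the token throws, which is the local equivalent of the daemon's rejection the PR relies on.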