fix(charts): builder needs access to private-registry secrets

teamhephy / builder

MIT License

3 stars 12 forks source link

fix(charts): builder needs access to private-registry secrets #42

Closed Cryptophobia closed 6 years ago

Cryptophobia commented 6 years ago

The deis-builder needs to have access to the private-registry secrets when using off-cluster registries.

Right now, the breaking error is when using ECR as the private-registry:

error getting private registry details secrets "private-registry-ecr" is forbidden: User "system:serviceaccount:deis:deis-builder" cannot get secrets in the namespace "slack"

Cryptophobia commented 6 years ago

This seems a little flawed in the design, but I guess the benefit is that you can use a different registry per application. You could potentially use a Google, ECR, or whatever registry you like...as long as the credentials are encoded in the private-registry secret defined for each app...

But the deis-builder needs to be able to pull the private-registry secrets and this makes deis-builder have excessive permissions in my opinion.

Cryptophobia commented 6 years ago

Merged!