removed GCloud-specific docker registry secret creation #77
henzigo wants to merge 1 commit into jg/sf-graceful-shutdown from
Pull request overview
Removes the Google Cloud–specific branch for creating the Kubernetes docker registry secret during deploy, standardizing secret creation on the CI registry credentials.
Changes:
- Removed `GCLOUD_DEPLOY` conditional logic and always create the `dockerregistry` secret using `${CI_REGISTRY}` + `${DEPLOY_REGISTER_USER}`/`${DEPLOY_REGISTER_PASSWORD}`.
- Documented the change in the v5.0.0 → v5.1.0 upgrade notes.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| deploy/parts/deploy.sh | Drops GCloud-only secret creation path and unifies docker-registry secret creation. |
| UPGRADE.md | Adds an upgrade note referencing the change. |
| else | ||
| runCommand "ERROR" "kubectl create secret docker-registry dockerregistry --docker-server=${CI_REGISTRY} --docker-username=${DEPLOY_REGISTER_USER} --docker-password=${DEPLOY_REGISTER_PASSWORD} -n ${PROJECT_NAME}" | ||
| fi | ||
| runCommand "ERROR" "kubectl create secret docker-registry dockerregistry --docker-server=${CI_REGISTRY} --docker-username=${DEPLOY_REGISTER_USER} --docker-password=${DEPLOY_REGISTER_PASSWORD} -n ${PROJECT_NAME}" |
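Review bot: The now-unconditional `kubectl create secret docker-registry` line passes `${DEPLOY_REGISTER_PASSWORD}` as `--docker-password=` on the command line, so the registry password is visible in the process list while kubectl runs and anywhere the command string is echoed. Consider building the secret from a file (`--from-file=.dockerconfigjson=<path>`) or piping a manifest to `kubectl apply -f -`, so the password never appears in an argument string.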
CI_REGISTRY is now required for all deployments (the GCloud branch was removed), but it is not validated at the top like the other required env vars. Add assertVariable "CI_REGISTRY" (or otherwise ensure it’s always set) so the script fails early with a clear message rather than running kubectl ... --docker-server=.
| else | ||
| runCommand "ERROR" "kubectl create secret docker-registry dockerregistry --docker-server=${CI_REGISTRY} --docker-username=${DEPLOY_REGISTER_USER} --docker-password=${DEPLOY_REGISTER_PASSWORD} -n ${PROJECT_NAME}" | ||
| fi | ||
| runCommand "ERROR" "kubectl create secret docker-registry dockerregistry --docker-server=${CI_REGISTRY} --docker-username=${DEPLOY_REGISTER_USER} --docker-password=${DEPLOY_REGISTER_PASSWORD} -n ${PROJECT_NAME}" |
runCommand executes commands via eval (see deploy/functions.sh), but this kubectl create secret command interpolates DEPLOY_REGISTER_USER/DEPLOY_REGISTER_PASSWORD/CI_REGISTRY without shell-escaping. If any value contains spaces/shell metacharacters, the command can break or be exploited. Quote/escape these arguments (or avoid eval for command execution).
| runCommand "ERROR" "kubectl create secret docker-registry dockerregistry --docker-server=${CI_REGISTRY} --docker-username=${DEPLOY_REGISTER_USER} --docker-password=${DEPLOY_REGISTER_PASSWORD} -n ${PROJECT_NAME}" | |
| printf -v ESCAPED_CI_REGISTRY '%q' "${CI_REGISTRY}" | |
| printf -v ESCAPED_DEPLOY_REGISTER_USER '%q' "${DEPLOY_REGISTER_USER}" | |
| printf -v ESCAPED_DEPLOY_REGISTER_PASSWORD '%q' "${DEPLOY_REGISTER_PASSWORD}" | |
| printf -v ESCAPED_PROJECT_NAME '%q' "${PROJECT_NAME}" | |
| runCommand "ERROR" "kubectl create secret docker-registry dockerregistry --docker-server=${ESCAPED_CI_REGISTRY} --docker-username=${ESCAPED_DEPLOY_REGISTER_USER} --docker-password=${ESCAPED_DEPLOY_REGISTER_PASSWORD} -n ${ESCAPED_PROJECT_NAME}" |
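Review bot: The four added `printf -v ... '%q'` lines rely on bash-only features, so this works only if deploy/parts/deploy.sh is always run by bash and never by sh; confirm the shebang and how the script is invoked. Also note that `%q` renders an empty value as `''`, so an unset `CI_REGISTRY` would still reach kubectl as an empty `--docker-server`; the escaping does not replace a presence check on these variables.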
No description provided.
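The escaping concern raised in the second review comment, as an added example that is not part of the pull request or the project's code. `run_via_eval` and `fake_kubectl` are hypothetical stand-ins for an eval-based `runCommand` and for kubectl, and the password value is constructed.

```bash
#!/usr/bin/env bash
# Added illustration, not project code. Requires bash (printf -v, %q, arrays).

# Hypothetical stand-in for kubectl: prints each argument it receives in brackets.
fake_kubectl() {
    printf '[%s]' "$@"
    printf '\n'
}

# Hypothetical stand-in for an eval-based runCommand (assumption from the review).
run_via_eval() {
    eval "$1"
}

# Constructed sample value containing a space and a command separator.
PASSWORD='p@ss word; echo SECOND_COMMAND_RAN'

# Unescaped interpolation: eval re-parses the value as shell syntax.
unescaped_result() {
    run_via_eval "fake_kubectl --docker-password=${PASSWORD}"
}

# %q escaping: the value survives eval as a single argument.
escaped_result() {
    local escaped
    printf -v escaped '%q' "${PASSWORD}"
    run_via_eval "fake_kubectl --docker-password=${escaped}"
}

# No eval at all: an argv array is never re-parsed, so no escaping is needed.
array_result() {
    local cmd=(fake_kubectl "--docker-password=${PASSWORD}")
    "${cmd[@]}"
}

printf 'unescaped: %s\n' "$(unescaped_result)"
printf 'escaped:   %s\n' "$(escaped_result)"
printf 'array:     %s\n' "$(array_result)"
```

The unescaped call splits the value into two arguments and runs the text after the `;` as a second command, while the escaped and array forms deliver it to the stand-in as one intact argument.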