[DOM-47678] Add support for passing buildkit secrets via k8s secrets #106

Merged
merged 2 commits into from
Jul 6, 2023

@ddl-ebrown ddl-ebrown commented Jun 30, 2023

  • Adds the ability to pass k8s secret names by namespace / name to be
    consumed by the ImageBuild request using buildkit secrets. The
    secrets field is added to the CR as optional, and is fully
    backwards compatible with previous requests.

    Previously, the Helm chart supported exposing service level secrets
    into all builds, but this adds support on a per request basis.

    Buildkit secrets must be mounted in via Dockerfile syntax:
    https://docs.docker.com/engine/reference/builder/#run---mounttypesecret

    Consumption via Dockerfile is therefore similar to:

    RUN --mount=type=secret,id=domino-compute/mysecret/foo cat /run/secrets/foo

  • For the secret to be accessible by Hephaestus, it must have the
    label hephaestus-accessible: "true". This prevents the build
    service from having access to arbitrary secrets in the cluster and
    requires clients to specifically opt-in.

  • Additionally the hephaestus-owned: "true" label can be added to
    secrets to help manage their lifecycle. When set, the secret will be
    updated to specify the attached ImageBuild as the owner -- when
    ImageBuild resources are routinely purged by the service, those
    secrets will be cleaned up at the same time. This removes the burden
    of secret cleanup from clients, but changes the cleanup timing to be
    non-deterministic.

    The ClusterRole for Hephaestus is updated to allow for secret
    resource updates to support this feature.

TODO:

  • make sure zz_generated.openapi.go and swagger.json are properly updated - make sdks should do this, but it doesn't appear to be... something in the repo tooling seems broken
  • get tests in where there's already established testing
  • figure out how to correctly control secret ownership ... it looks like setting ownerReferences on secrets is possible and is technically considered resource "adoption", but the code doesn't appear to be working. (See related issue on Added certificate owner ref field cert-manager/cert-manager#5158)
  • Remove test commit hack 42505d9 from PR

Verify with tests

  • change is fully backwards compatible (i.e. old clients without secrets work against new server that supports it)
  • secrets referenced in an ImageBuild are correctly pulled (hacked server)
  • secrets referenced in an ImageBuild are correctly pulled
  • secrets without correct hephaestus-accessible label cannot be read (generates a build error)
  • secrets with hephaestus-owned have ownership set so that they're attached to ImageBuild and deleted upon delete of ImageBuild resources
  • missing secrets fail -- while this is true, there's no error response in the environment builder... it just dies with no logs (because the hephaestus manager encounters an error)

Described in https://docs.google.com/document/d/1LXl0aUKAZk9jpnKKGZZxrw3VFRxjAdLqa2WZriSj6Fc/edit as Add support to Hephaestus for buildkit secrets (see alternative approach in #101)

Triggering an environment build (existing code without this PR)

Mounting secrets in a Dockerfile usage should be documented in https://github.com/moby/buildkit/blob/master/frontend/dockerfile/docs/reference.md#run---mounttypesecret

Without the changes in this PR, the following already works in a Dockerfile because ca-certificates.crt is already mounted automatically

RUN --mount=type=secret,id=ca-certificates.crt cat /run/secrets/ca-certificates.crt

The installation of Hephaestus could be modified to add another secret via the Helm chart values like:

controller:
  manager:
    secrets:
      # must be a file path
      GlobalSecret: "/certs/ca-certificates.crt"

The GlobalSecret reference simply adds another name for the existing embedded secret file.

Triggering a build that consumes a referenced k8s secret

Installation in existing cluster

helm upgrade hephaestus oci://ghcr.io/dominodatalab/helm/hephaestus --version 0.0.0-pr-106 --debug --namespace domino-compute --values values.yaml --reuse-values

Given configuration like

controller:
  manager:
    image:
      registry: ghcr.io
      repository: dominodatalab/hephaestus
      pullPolicy: Always
      tag: "pr-106"
    secrets:
      # must be a file path
      GlobalSecret: "/certs/ca-certificates.crt"

Add a secret to the cluster like this, making sure it has the label hephaestus-access: "true" so that it can be accessed:

apiVersion: v1
kind: Secret
metadata:
  name: ethan-test-hephaestus
  # NOTE: must be the same namespace as Hephaestus for hephaestus-owned to work
  namespace: domino-compute
  labels:
    hephaestus-accessible: "true"
    # NOTE: for hephaestus-owned to work, secret must be in domino-compute
    # hephaestus-owned: "true"
type: Opaque
stringData:
  foo: "test of foo.bar"
  foo.multiline: |
    multiline
    test
    check check

Initial Validation

The code at cfdf3b3 has been temporarily modified to always inject a reference to this secret into the incoming ImageBuild specification to make testing easier

# NOTE: mounting in a complete path only captures the filename by default into /run/secrets/
RUN --mount=type=secret,id=domino-platform/ethan-test-hephaestus/foo.multiline cat /run/secrets/foo.multiline
RUN --mount=type=secret,id=domino-platform/ethan-test-hephaestus/foo cat /run/secrets/foo

# NOTE: this syntax mounts an existing secret to a new path
RUN --mount=type=secret,id=domino-platform/ethan-test-hephaestus/foo,target=/run/secrets/bar ls -RrtaFl /run/secrets && cat /run/secrets/bar

Build output available at https://mldemo4507.train-sandbox.domino.tech/environments/649f7bbcbb2e9b737895a60d/revisions/64a31bf0bb2e9b737895a63a/build/64a31bf0bb2e9b737895a63c/logs demonstrates the secrets are accessible

Jul 03 2023 12:05:20 -0700 | Validating registry credentials
Jul 03 2023 12:05:21 -0700 | Leasing buildkit worker
Jul 03 2023 12:05:21 -0700 | Confirming buildkitd connectivity
Jul 03 2023 12:05:21 -0700 | Buildkitd connectivity established
Jul 03 2023 12:05:21 -0700 | Fetching remote context
Jul 03 2023 12:05:21 -0700 | #1 [internal] load build definition from Dockerfile
Jul 03 2023 12:05:21 -0700 | #1 transferring dockerfile: 1.29kB done
Jul 03 2023 12:05:21 -0700 | #1 DONE 0.0s
Jul 03 2023 12:05:21 -0700 |
Jul 03 2023 12:05:21 -0700 | #2 [internal] load .dockerignore
Jul 03 2023 12:05:21 -0700 | #2 transferring context: 2B done
Jul 03 2023 12:05:21 -0700 | #2 DONE 0.0s
Jul 03 2023 12:05:21 -0700 |
Jul 03 2023 12:05:21 -0700 | #3 [internal] load metadata for docker.io/library/alpine:latest
Jul 03 2023 12:05:22 -0700 | #3 DONE 0.5s
Jul 03 2023 12:05:22 -0700 |
Jul 03 2023 12:05:22 -0700 | #4 [internal] load build context
Jul 03 2023 12:05:22 -0700 | #4 transferring context: 201B done
Jul 03 2023 12:05:22 -0700 | #4 DONE 0.0s
Jul 03 2023 12:05:22 -0700 |
Jul 03 2023 12:05:22 -0700 | #5 [stage-0 1/6] FROM docker.io/library/alpine:latest@sha256:82d1e9d7ed48a7523bdebc18cf6290bdb97b82302a8a9c27d4fe885949ea94d1
Jul 03 2023 12:05:22 -0700 | #5 resolve docker.io/library/alpine:latest@sha256:82d1e9d7ed48a7523bdebc18cf6290bdb97b82302a8a9c27d4fe885949ea94d1 0.0s done
Jul 03 2023 12:05:22 -0700 | #5 CACHED
Jul 03 2023 12:05:22 -0700 |
Jul 03 2023 12:05:22 -0700 | #6 [stage-0 2/6] RUN --mount=type=secret,id=domino-platform/ethan-test-hephaestus/foo.multiline cat /run/secrets/foo.multiline
Jul 03 2023 12:05:22 -0700 | #0 0.092 multiline
Jul 03 2023 12:05:22 -0700 |
Jul 03 2023 12:05:22 -0700 | #0 0.092 test
Jul 03 2023 12:05:22 -0700 |
Jul 03 2023 12:05:22 -0700 | #0 0.092 check check
Jul 03 2023 12:05:22 -0700 |
Jul 03 2023 12:05:22 -0700 | #6 DONE 0.1s
Jul 03 2023 12:05:22 -0700 |
Jul 03 2023 12:05:22 -0700 | #7 [stage-0 3/6] RUN --mount=type=secret,id=domino-platform/ethan-test-hephaestus/foo cat /run/secrets/foo
Jul 03 2023 12:05:22 -0700 | #0 0.079 test of foo.bar
Jul 03 2023 12:05:22 -0700 |
Jul 03 2023 12:05:22 -0700 |
Jul 03 2023 12:05:22 -0700 | #7 DONE 0.1s
Jul 03 2023 12:05:22 -0700 |
Jul 03 2023 12:05:22 -0700 | #8 [stage-0 4/6] RUN --mount=type=secret,id=domino-platform/ethan-test-hephaestus/foo,target=/run/secrets/bar ls -RrtaFl /run/secrets && cat /run/secrets/bar
Jul 03 2023 12:05:22 -0700 | #0 0.081 /run/secrets:
Jul 03 2023 12:05:22 -0700 |
Jul 03 2023 12:05:22 -0700 | #8 0.081 total 12
Jul 03 2023 12:05:22 -0700 |
Jul 03 2023 12:05:22 -0700 | #8 0.081 -r--------    1 root     root            15 Jul  3 19:05 bar
Jul 03 2023 12:05:22 -0700 |
Jul 03 2023 12:05:22 -0700 | #8 0.081 drwxr-xr-x    1 root     root          4096 Jul  3 19:05 ../
Jul 03 2023 12:05:22 -0700 |
Jul 03 2023 12:05:22 -0700 | #8 0.081 drwxr-xr-x    2 root     root          4096 Jul  3 19:05 ./
Jul 03 2023 12:05:22 -0700 |
Jul 03 2023 12:05:22 -0700 | #8 0.081 test of foo.bar
Jul 03 2023 12:05:22 -0700 |
Jul 03 2023 12:05:22 -0700 | #8 DONE 0.1s
Jul 03 2023 12:05:22 -0700 |
Jul 03 2023 12:05:22 -0700 | #9 [stage-0 5/6] RUN echo "Main Dockerfile finished"
Jul 03 2023 12:05:22 -0700 | #0 0.074 Main Dockerfile finished
Jul 03 2023 12:05:22 -0700 |
Jul 03 2023 12:05:22 -0700 | #9 DONE 0.1s
Jul 03 2023 12:05:22 -0700 |
Jul 03 2023 12:05:22 -0700 | #10 [stage-0 6/6] ADD files /
Jul 03 2023 12:05:22 -0700 | #10 DONE 0.0s
Jul 03 2023 12:05:22 -0700 |
Jul 03 2023 12:05:22 -0700 | #11 exporting to image
Jul 03 2023 12:05:22 -0700 | #11 exporting layers
Jul 03 2023 12:05:22 -0700 | #11 exporting layers 0.2s done
Jul 03 2023 12:05:22 -0700 | #11 exporting manifest sha256:58ba531b0cfff6dd14541776d6a8ea52948d98724547cff4b706fa7ba796415a 0.0s done
Jul 03 2023 12:05:22 -0700 | #11 exporting config sha256:4d597f8902d4ae61cf89d7bc991320a358baabc237e0ebb609cd20bbcdf3007a done
Jul 03 2023 12:05:22 -0700 | #11 pushing layers
Jul 03 2023 12:05:24 -0700 | #11 pushing layers 1.8s done
Jul 03 2023 12:05:24 -0700 | #11 pushing manifest for 172.20.88.105:5000/dominodatalab/environment:649f7bbcbb2e9b737895a60d-16@sha256:58ba531b0cfff6dd14541776d6a8ea52948d98724547cff4b706fa7ba796415a
Jul 03 2023 12:05:25 -0700 | Solve complete
Jul 03 2023 12:05:25 -0700 | #11 pushing manifest for 172.20.88.105:5000/dominodatalab/environment:649f7bbcbb2e9b737895a60d-16@sha256:58ba531b0cfff6dd14541776d6a8ea52948d98724547cff4b706fa7ba796415a 0.8s done
Jul 03 2023 12:05:25 -0700 | #11 DONE 2.7s

Subsequent Validation

I was trying to get the functional tests going to validate this in automation, but it looks like that's going to be pretty hard to do at the moment since they're not working

I was able to pull a little trick with the Dockerfile from that attempt to pull the images like so, given GitHub is hosting the archive.tgz used for the context in a commit at https://github.com/dominodatalab/hephaestus/raw/51585793939ab0de611bea74ab14e29d846b2070/test/functional/testdata/docker-context/secrets/archive.tgz

Given secret.yaml like

apiVersion: v1
kind: Secret
metadata:
  name: foo
  # TODO: must be the same namespace as Hephaestus for hephaestus-owned to work
  namespace: domino-compute
  labels:
    hephaestus-accessible: "true"
    # NOTE: for hephaestus-owned to work, secret must be in domino-compute
    hephaestus-owned: "true"
type: Opaque
stringData:
  bar: "test of foo.bar"

And an image definition to apply like so (based on a previous environment build in my cluster)

apiVersion: hephaestus.dominodatalab.com/v1
kind: ImageBuild
metadata:
  name: secrets-test
  namespace: domino-compute
spec:
  amqpOverrides:
    queueName: hephaestus.imagebuilds.status
  buildArgs:
  - REPOCLONER_MAX_CONNECTIONS=20
  - REPOCLONER_JAVA_CLASSPATH_FILE=/app/domino/repocloner/repocloner_image.classpath
  - REPOCLONER_SUPERUSER_API_KEY=<redacted>
  - REPOCLONER_JAVA_OPTS=-Xss256m -Xmx1g
  - REPOCLONER_CONNECT_TIMEOUT_SEC=120
  - REPOCLONER_JAVA_MAIN_CLASS=domino.repocloner.RepoClonerApp
  - REPOCLONER_SUPERUSER_USERNAME=domino-superuser
  - REPOCLONER_BLOB_API_HOST=http://nucleus-frontend.domino-platform:80
  - REPOCLONER_BLOB_SYNCHRONIZATION_RETRY_COUNT=2
  - REPOCLONER_IMAGE_DEFINITION_URL=http://nucleus-frontend.domino-platform:80/v1/builds/64a58393bb2e9b737895a66f/imageDefinition
  - REPOCLONER_MAX_CONNECTIONS_PER_ROUTE=20
  - REPOCLONER_READ_TIMEOUT_SEC=120
  - REPOCLONER_TARGET_DIR=/home/domino/repocloner
  - REPOCLONER_INTERNAL_GIT_HOST=http://git.domino-platform:80
  - REPOCLONER_ALLOW_PROJECT_SYMLINKS=false
  - REPOCLONER_IMAGE_DEFINITION_API_KEY=<redacted>
  # expects a secret domino-compute/foo with data bar
  context: https://github.com/dominodatalab/hephaestus/raw/51585793939ab0de611bea74ab14e29d846b2070/test/functional/testdata/docker-context/secrets/archive.tgz
  disableBuildCache: true
  disableCacheExport: true
  images:
  - 172.20.88.105:5000/dominodatalab/environment:649f7bbcbb2e9b737895a60d-33
  logKey: f66a-build-64a58393bb2e9b737895a66f
  registryAuth:
  - cloudProvided: false
    secret:
      name: domino-quay-repos
      namespace: domino-compute
    server: quay.io
  - cloudProvided: false
    secret:
      name: domino-registry
      namespace: domino-compute
    server: 172.20.88.105:5000
  secrets:
    - name: foo
      namespace: domino-compute

I was able to get it to read back / emit the secret

2023-07-06T00:41:02.937931111Z    INFO    controller.imagebuildmessage    Starting reconcile    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:02.937978812Z    INFO    controller.imagebuild    Starting reconcile    {"imagebuild": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:02.937988346Z    INFO    controller.imagebuildmessage    Reconciling component    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "component": "amqp-messenger"}
2023-07-06T00:41:02.938037387Z    INFO    controller.imagebuild    Reconciling component    {"imagebuild": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "component": "build-dispatcher"}
2023-07-06T00:41:02.938067806Z    INFO    controller.imagebuild.component.build-dispatcher    Transitioning status    {"imagebuild": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "phase": "Initializing"}
2023-07-06T00:41:02.938124351Z    INFO    controller.imagebuildmessage.component.amqp-messenger    Overriding target AMQP Queue    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "name": "hephaestus.imagebuilds.status"}
2023-07-06T00:41:02.938146485Z    INFO    controller.imagebuildmessage.component.amqp-messenger    Creating resource, ImageBuildMessage does not exist    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:02.950440594Z    INFO    controller.imagebuild.component.build-dispatcher    Processing references to build secrets    {"imagebuild": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:02.952991953Z    INFO    controller.imagebuildmessage.component.amqp-messenger    Creating AMQP message publisher    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:02.955499445Z    INFO    controller.imagebuild.component.build-dispatcher    Reading secret    {"imagebuild": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "path": "domino-compute/foo"}
2023-07-06T00:41:02.955531777Z    INFO    controller.imagebuild.component.build-dispatcher    Taking ownership of secret    {"imagebuild": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "owner": "domino-ethan-64a58393bb2e9b737895a66f", "secret": "domino-compute/foo"}
2023-07-06T00:41:02.956311117Z    INFO    controller.imagebuildmessage.component.amqp-messenger.connection-manager    Shutting down    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:02.956329821Z    INFO    controller.imagebuildmessage.component.amqp-messenger.connection-manager    Attempting to connect to AMQP server    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "addr": "amqp://hephaestus:xxxxx@rabbitmq-ha.domino-platform:5672"}
2023-07-06T00:41:02.958648419Z    INFO    controller.imagebuildmessage.component.amqp-messenger.connection-manager    Connection established    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:02.958677761Z    INFO    controller.imagebuildmessage.component.amqp-messenger.connection-manager    Attempting to open AMQP channel    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:02.9591612Z    INFO    controller.imagebuildmessage.component.amqp-messenger.connection-manager    Channel opened    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:02.959661567Z    INFO    controller.imagebuildmessage.component.amqp-messenger.connection-manager    Shutdown complete    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:02.9804434Z    INFO    controller.imagebuildmessage    Reconciliation complete    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:02.980567636Z    INFO    controller.imagebuildmessage    Starting reconcile    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:02.98060312Z    INFO    controller.imagebuildmessage    Reconciling component    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "component": "amqp-messenger"}
2023-07-06T00:41:02.980653189Z    INFO    controller.imagebuildmessage.component.amqp-messenger    Overriding target AMQP Queue    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "name": "hephaestus.imagebuilds.status"}
2023-07-06T00:41:02.980670683Z    INFO    controller.imagebuildmessage.component.amqp-messenger    Creating AMQP message publisher    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:02.983755842Z    INFO    controller.imagebuildmessage.component.amqp-messenger    Processing phase transition    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "from": "", "to": "Initializing"}
2023-07-06T00:41:02.983834398Z    INFO    controller.imagebuildmessage.component.amqp-messenger    Publishing transition message    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:02.983842806Z    INFO    controller.imagebuildmessage.component.amqp-messenger.connection-manager    Attempting to connect to AMQP server    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "addr": "amqp://hephaestus:xxxxx@rabbitmq-ha.domino-platform:5672"}
2023-07-06T00:41:02.986097629Z    INFO    controller.imagebuildmessage.component.amqp-messenger.connection-manager    Connection established    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:02.986122877Z    INFO    controller.imagebuildmessage.component.amqp-messenger.connection-manager    Attempting to open AMQP channel    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:02.986625419Z    INFO    controller.imagebuildmessage.component.amqp-messenger.connection-manager    Channel opened    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:03.000436139Z    INFO    controller.imagebuild.component.build-dispatcher    Read secret bytes    {"imagebuild": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "path": "domino-compute/foo/bar", "bytes": 15}
2023-07-06T00:41:03.000492485Z    INFO    controller.imagebuild.component.build-dispatcher    Processing and persisting registry credentials    {"imagebuild": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:03.024939954Z    INFO    controller.imagebuild.component.build-dispatcher    Validating registry credentials    {"imagebuild": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "logKey": "f66a-build-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:03.114577571Z    INFO    controller.imagebuildmessage.component.amqp-messenger.simple-client    Sending message to server    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "exchange": "", "queue": "hephaestus.imagebuilds.status"}
2023-07-06T00:41:03.117781843Z    INFO    controller.imagebuildmessage.component.amqp-messenger.connection-manager    Publish confirmed    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "deliveryTag": 1}
2023-07-06T00:41:03.117847223Z    INFO    controller.imagebuildmessage.component.amqp-messenger    Updating sent AMQP messages status    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "phase": "Initializing"}
2023-07-06T00:41:03.127819472Z    INFO    controller.imagebuildmessage.component.amqp-messenger.connection-manager    Shutting down    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:03.128463875Z    INFO    controller.imagebuildmessage.component.amqp-messenger.connection-manager    Shutdown complete    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:03.140273278Z    INFO    controller.imagebuildmessage    Reconciliation complete    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:03.140377356Z    INFO    controller.imagebuildmessage    Starting reconcile    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:03.140419427Z    INFO    controller.imagebuildmessage    Reconciling component    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "component": "amqp-messenger"}
2023-07-06T00:41:03.140459509Z    INFO    controller.imagebuildmessage.component.amqp-messenger    Overriding target AMQP Queue    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "name": "hephaestus.imagebuilds.status"}
2023-07-06T00:41:03.140477056Z    INFO    controller.imagebuildmessage.component.amqp-messenger    Creating AMQP message publisher    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:03.143495272Z    INFO    controller.imagebuildmessage.component.amqp-messenger    Transition has been processed, skipping    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "phase": "Initializing"}
2023-07-06T00:41:03.14354607Z    INFO    controller.imagebuildmessage.component.amqp-messenger.connection-manager    Shutting down    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:03.143526917Z    INFO    controller.imagebuildmessage.component.amqp-messenger.connection-manager    Attempting to connect to AMQP server    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "addr": "amqp://hephaestus:xxxxx@rabbitmq-ha.domino-platform:5672"}
2023-07-06T00:41:03.145846834Z    INFO    controller.imagebuildmessage.component.amqp-messenger.connection-manager    Connection established    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:03.145887749Z    INFO    controller.imagebuildmessage.component.amqp-messenger.connection-manager    Attempting to open AMQP channel    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:03.146453148Z    INFO    controller.imagebuildmessage.component.amqp-messenger.connection-manager    Channel opened    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:03.146965797Z    INFO    controller.imagebuildmessage.component.amqp-messenger.connection-manager    Shutdown complete    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:03.162008331Z    INFO    controller.imagebuildmessage    Reconciliation complete    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:04.140473189Z    INFO    controller.imagebuild.component.build-dispatcher    Leasing buildkit worker    {"imagebuild": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:04.140523006Z    INFO    controller.imagebuild.component.build-dispatcher    Leasing buildkit worker    {"imagebuild": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "logKey": "f66a-build-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:04.14053653Z    INFO    buildkit.worker-pool    Enqueuing new pod request
2023-07-06T00:41:04.1405434Z    INFO    buildkit.worker-pool    Attempting to notify reconciliation
2023-07-06T00:41:04.140555888Z    INFO    buildkit.worker-pool    Reconciliation notification sent
2023-07-06T00:41:04.140572327Z    INFO    buildkit.worker-pool    Reconciling pool, notify triggered
2023-07-06T00:41:04.140617035Z    INFO    buildkit.worker-pool    Querying for available buildkit pods    {"namespace": "domino-compute", "opts": {"labelSelector":"app.kubernetes.io/component=buildkit,app.kubernetes.io/instance=hephaestus,app.kubernetes.io/name=hephaestus"}}
2023-07-06T00:41:04.15100974Z    INFO    buildkit.worker-pool    Evaluating pod metadata and status    {"podName": "hephaestus-buildkit-0"}
2023-07-06T00:41:04.155263384Z    INFO    buildkit.worker-pool    Pod is operational    {"podName": "hephaestus-buildkit-0"}
2023-07-06T00:41:04.15529468Z    INFO    buildkit.worker-pool    Processing dequeued pod request with operational pod
2023-07-06T00:41:04.155308346Z    INFO    buildkit.worker-pool    Attempting to lease pod    {"podName": "hephaestus-buildkit-0"}
2023-07-06T00:41:04.155927862Z    INFO    buildkit.worker-pool    Applying pod metadata changes    {"annotations": {"hephaestus.dominodatalab.com/leased-at":"2023-07-06T00:41:04Z","hephaestus.dominodatalab.com/leased-by":"domino-compute/domino-ethan-64a58393bb2e9b737895a66f","hephaestus.dominodatalab.com/manager-identity":"d9bda8af-994b-459e-af70-ee3e4cbf7167"}}
2023-07-06T00:41:04.180266637Z    INFO    buildkit.worker-pool    Building endpoint URL    {"podName": "hephaestus-buildkit-0"}
2023-07-06T00:41:04.180302061Z    INFO    buildkit.worker-pool    Watching endpoints for new pod address    {"podName": "hephaestus-buildkit-0"}
2023-07-06T00:41:04.184807878Z    INFO    buildkit.worker-pool    Found eligible endpoint address    {"hostname": "hephaestus-buildkit-0.hephaestus-buildkit.domino-compute"}
2023-07-06T00:41:04.184843571Z    INFO    buildkit.worker-pool    Finished watching endpoints    {"podName": "hephaestus-buildkit-0", "duration": "395.477µs"}
2023-07-06T00:41:04.184909272Z    INFO    buildkit.worker-pool    Pod successfully leased, passing address to request owner    {"podName": "hephaestus-buildkit-0"}
2023-07-06T00:41:04.184939936Z    INFO    buildkit.worker-pool    Pod scale determination complete    {"requests": 0, "podObservations": ["hephaestus-buildkit-0 - Leased"], "suggestedReplicas": 1}
2023-07-06T00:41:04.184955035Z    INFO    buildkit.worker-pool    Using statefulset scale    {"replicas": 1}
2023-07-06T00:41:04.185030019Z    INFO    controller.imagebuild.component.build-dispatcher    Building new buildkit client    {"imagebuild": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "addr": "tcp://hephaestus-buildkit-0.hephaestus-buildkit.domino-compute:1234"}
2023-07-06T00:41:04.185732491Z    INFO    controller.imagebuild.component.build-dispatcher.buildkit    Confirming buildkitd connectivity    {"imagebuild": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "addr": "tcp://hephaestus-buildkit-0.hephaestus-buildkit.domino-compute:1234", "logKey": "f66a-build-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:04.204074382Z    INFO    controller.imagebuild.component.build-dispatcher.buildkit    Buildkitd connectivity established    {"imagebuild": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "addr": "tcp://hephaestus-buildkit-0.hephaestus-buildkit.domino-compute:1234", "logKey": "f66a-build-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:04.204119699Z    INFO    controller.imagebuild.component.build-dispatcher    Dispatching image build    {"imagebuild": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "images": ["172.20.88.105:5000/dominodatalab/environment:649f7bbcbb2e9b737895a60d-33"]}
2023-07-06T00:41:04.204132981Z    INFO    controller.imagebuild.component.build-dispatcher    Transitioning status    {"imagebuild": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "phase": "Running"}
2023-07-06T00:41:04.213943662Z    INFO    controller.imagebuildmessage    Starting reconcile    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:04.213998448Z    INFO    controller.imagebuildmessage    Reconciling component    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "component": "amqp-messenger"}
2023-07-06T00:41:04.214000542Z    INFO    controller.imagebuild.component.build-dispatcher.buildkit    Fetching remote context    {"imagebuild": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "addr": "tcp://hephaestus-buildkit-0.hephaestus-buildkit.domino-compute:1234", "logKey": "f66a-build-64a58393bb2e9b737895a66f", "url": "https://github.com/dominodatalab/hephaestus/raw/51585793939ab0de611bea74ab14e29d846b2070/test/functional/testdata/docker-context/secrets/archive.tgz"}
2023-07-06T00:41:04.214027969Z    INFO    controller.imagebuildmessage.component.amqp-messenger    Overriding target AMQP Queue    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "name": "hephaestus.imagebuilds.status"}
2023-07-06T00:41:04.214042227Z    INFO    controller.imagebuildmessage.component.amqp-messenger    Creating AMQP message publisher    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:04.217811292Z    INFO    controller.imagebuildmessage.component.amqp-messenger    Transition has been processed, skipping    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "phase": "Initializing"}
2023-07-06T00:41:04.217843846Z    INFO    controller.imagebuildmessage.component.amqp-messenger    Processing phase transition    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "from": "Initializing", "to": "Running"}
2023-07-06T00:41:04.217887531Z    INFO    controller.imagebuildmessage.component.amqp-messenger    Publishing transition message    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:04.217879811Z    INFO    controller.imagebuildmessage.component.amqp-messenger.connection-manager    Attempting to connect to AMQP server    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "addr": "amqp://hephaestus:xxxxx@rabbitmq-ha.domino-platform:5672"}
2023-07-06T00:41:04.220362618Z    INFO    controller.imagebuildmessage.component.amqp-messenger.connection-manager    Connection established    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:04.22038125Z    INFO    controller.imagebuildmessage.component.amqp-messenger.connection-manager    Attempting to open AMQP channel    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:04.220842156Z    INFO    controller.imagebuildmessage.component.amqp-messenger.connection-manager    Channel opened    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:04.333443514Z    INFO    controller.imagebuildmessage.component.amqp-messenger.simple-client    Sending message to server    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "exchange": "", "queue": "hephaestus.imagebuilds.status"}
2023-07-06T00:41:04.336671107Z    INFO    controller.imagebuildmessage.component.amqp-messenger.connection-manager    Publish confirmed    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "deliveryTag": 1}
2023-07-06T00:41:04.336714891Z    INFO    controller.imagebuildmessage.component.amqp-messenger    Updating sent AMQP messages status    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "phase": "Running"}
2023-07-06T00:41:04.348034093Z    INFO    controller.imagebuildmessage.component.amqp-messenger.connection-manager    Shutting down    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:04.348763875Z    INFO    controller.imagebuildmessage.component.amqp-messenger.connection-manager    Shutdown complete    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:04.36442013Z    INFO    controller.imagebuildmessage    Reconciliation complete    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:04.364526409Z    INFO    controller.imagebuildmessage    Starting reconcile    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:04.364571657Z    INFO    controller.imagebuildmessage    Reconciling component    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "component": "amqp-messenger"}
2023-07-06T00:41:04.364617542Z    INFO    controller.imagebuildmessage.component.amqp-messenger    Overriding target AMQP Queue    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "name": "hephaestus.imagebuilds.status"}
2023-07-06T00:41:04.364634658Z    INFO    controller.imagebuildmessage.component.amqp-messenger    Creating AMQP message publisher    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:04.367721518Z    INFO    controller.imagebuildmessage.component.amqp-messenger    Transition has been processed, skipping    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "phase": "Initializing"}
2023-07-06T00:41:04.367764826Z    INFO    controller.imagebuildmessage.component.amqp-messenger    Transition has been processed, skipping    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "phase": "Running"}
2023-07-06T00:41:04.367773897Z    INFO    controller.imagebuildmessage.component.amqp-messenger.connection-manager    Shutting down    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:04.367779463Z    INFO    controller.imagebuildmessage.component.amqp-messenger.connection-manager    Attempting to connect to AMQP server    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "addr": "amqp://hephaestus:xxxxx@rabbitmq-ha.domino-platform:5672"}
2023-07-06T00:41:04.370481881Z    INFO    controller.imagebuildmessage.component.amqp-messenger.connection-manager    Connection established    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:04.370511478Z    INFO    controller.imagebuildmessage.component.amqp-messenger.connection-manager    Attempting to open AMQP channel    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:04.371067271Z    INFO    controller.imagebuildmessage.component.amqp-messenger.connection-manager    Channel opened    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:04.371582795Z    INFO    controller.imagebuildmessage.component.amqp-messenger.connection-manager    Shutdown complete    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:04.386407089Z    INFO    controller.imagebuildmessage    Reconciliation complete    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:04.688630108Z    INFO    controller.imagebuild.component.build-dispatcher.buildkit    #1 [internal] load build definition from Dockerfile
    {"imagebuild": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "addr": "tcp://hephaestus-buildkit-0.hephaestus-buildkit.domino-compute:1234", "logKey": "f66a-build-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:04.68872117Z    INFO    controller.imagebuild.component.build-dispatcher.buildkit    #1 transferring dockerfile: 125B done
    {"imagebuild": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "addr": "tcp://hephaestus-buildkit-0.hephaestus-buildkit.domino-compute:1234", "logKey": "f66a-build-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:04.688738667Z    INFO    controller.imagebuild.component.build-dispatcher.buildkit    #1 DONE 0.0s
    {"imagebuild": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "addr": "tcp://hephaestus-buildkit-0.hephaestus-buildkit.domino-compute:1234", "logKey": "f66a-build-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:04.688747986Z    INFO    controller.imagebuild.component.build-dispatcher.buildkit    
    {"imagebuild": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "addr": "tcp://hephaestus-buildkit-0.hephaestus-buildkit.domino-compute:1234", "logKey": "f66a-build-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:04.688755813Z    INFO    controller.imagebuild.component.build-dispatcher.buildkit    #2 [internal] load .dockerignore
    {"imagebuild": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "addr": "tcp://hephaestus-buildkit-0.hephaestus-buildkit.domino-compute:1234", "logKey": "f66a-build-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:04.688766798Z    INFO    controller.imagebuild.component.build-dispatcher.buildkit    #2 transferring context: 2B done
    {"imagebuild": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "addr": "tcp://hephaestus-buildkit-0.hephaestus-buildkit.domino-compute:1234", "logKey": "f66a-build-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:04.688785348Z    INFO    controller.imagebuild.component.build-dispatcher.buildkit    #2 DONE 0.0s
    {"imagebuild": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "addr": "tcp://hephaestus-buildkit-0.hephaestus-buildkit.domino-compute:1234", "logKey": "f66a-build-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:04.688795006Z    INFO    controller.imagebuild.component.build-dispatcher.buildkit    
    {"imagebuild": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "addr": "tcp://hephaestus-buildkit-0.hephaestus-buildkit.domino-compute:1234", "logKey": "f66a-build-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:04.688800411Z    INFO    controller.imagebuild.component.build-dispatcher.buildkit    #3 [internal] load metadata for docker.io/library/alpine:3.16
    {"imagebuild": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "addr": "tcp://hephaestus-buildkit-0.hephaestus-buildkit.domino-compute:1234", "logKey": "f66a-build-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:05.121151607Z    INFO    controller.imagebuild.component.build-dispatcher.buildkit    #3 DONE 0.5s
    {"imagebuild": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "addr": "tcp://hephaestus-buildkit-0.hephaestus-buildkit.domino-compute:1234", "logKey": "f66a-build-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:05.121202981Z    INFO    controller.imagebuild.component.build-dispatcher.buildkit    
    {"imagebuild": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "addr": "tcp://hephaestus-buildkit-0.hephaestus-buildkit.domino-compute:1234", "logKey": "f66a-build-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:05.121211283Z    INFO    controller.imagebuild.component.build-dispatcher.buildkit    #4 [stage-0 1/2] FROM docker.io/library/alpine:3.16@sha256:cbe5d5973103a2d03408d1689a6efde4ea4920bde9f4b51fe7872e60ce2d8e56
    {"imagebuild": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "addr": "tcp://hephaestus-buildkit-0.hephaestus-buildkit.domino-compute:1234", "logKey": "f66a-build-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:05.121219482Z    INFO    controller.imagebuild.component.build-dispatcher.buildkit    #4 resolve docker.io/library/alpine:3.16@sha256:cbe5d5973103a2d03408d1689a6efde4ea4920bde9f4b51fe7872e60ce2d8e56 0.0s done
    {"imagebuild": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "addr": "tcp://hephaestus-buildkit-0.hephaestus-buildkit.domino-compute:1234", "logKey": "f66a-build-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:05.121224905Z    INFO    controller.imagebuild.component.build-dispatcher.buildkit    #4 CACHED
    {"imagebuild": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "addr": "tcp://hephaestus-buildkit-0.hephaestus-buildkit.domino-compute:1234", "logKey": "f66a-build-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:05.121231676Z    INFO    controller.imagebuild.component.build-dispatcher.buildkit    
    {"imagebuild": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "addr": "tcp://hephaestus-buildkit-0.hephaestus-buildkit.domino-compute:1234", "logKey": "f66a-build-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:05.121241117Z    INFO    controller.imagebuild.component.build-dispatcher.buildkit    #5 [stage-0 2/2] RUN --mount=type=secret,id=domino-compute/foo/bar cat /run/secrets/bar
    {"imagebuild": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "addr": "tcp://hephaestus-buildkit-0.hephaestus-buildkit.domino-compute:1234", "logKey": "f66a-build-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:05.121246679Z    INFO    controller.imagebuild.component.build-dispatcher.buildkit    #0 0.094 test of foo.bar    {"imagebuild": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "addr": "tcp://hephaestus-buildkit-0.hephaestus-buildkit.domino-compute:1234", "logKey": "f66a-build-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:05.228096151Z    INFO    controller.imagebuild.component.build-dispatcher.buildkit        {"imagebuild": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "addr": "tcp://hephaestus-buildkit-0.hephaestus-buildkit.domino-compute:1234", "logKey": "f66a-build-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:05.228134862Z    INFO    controller.imagebuild.component.build-dispatcher.buildkit    
    {"imagebuild": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "addr": "tcp://hephaestus-buildkit-0.hephaestus-buildkit.domino-compute:1234", "logKey": "f66a-build-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:05.228148479Z    INFO    controller.imagebuild.component.build-dispatcher.buildkit    #5 DONE 0.1s
    {"imagebuild": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "addr": "tcp://hephaestus-buildkit-0.hephaestus-buildkit.domino-compute:1234", "logKey": "f66a-build-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:05.228156976Z    INFO    controller.imagebuild.component.build-dispatcher.buildkit    
    {"imagebuild": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "addr": "tcp://hephaestus-buildkit-0.hephaestus-buildkit.domino-compute:1234", "logKey": "f66a-build-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:05.228166255Z    INFO    controller.imagebuild.component.build-dispatcher.buildkit    #6 exporting to image
    {"imagebuild": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "addr": "tcp://hephaestus-buildkit-0.hephaestus-buildkit.domino-compute:1234", "logKey": "f66a-build-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:05.228181881Z    INFO    controller.imagebuild.component.build-dispatcher.buildkit    #6 exporting layers 0.1s done
    {"imagebuild": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "addr": "tcp://hephaestus-buildkit-0.hephaestus-buildkit.domino-compute:1234", "logKey": "f66a-build-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:05.228190799Z    INFO    controller.imagebuild.component.build-dispatcher.buildkit    #6 exporting manifest sha256:fa5df1f2111f2c7f66db0c426c11356b93b1cc9f44c3f105ef2d7ca49bc1dc32 0.0s done
    {"imagebuild": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "addr": "tcp://hephaestus-buildkit-0.hephaestus-buildkit.domino-compute:1234", "logKey": "f66a-build-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:05.228203059Z    INFO    controller.imagebuild.component.build-dispatcher.buildkit    #6 exporting config sha256:28f8205892fd6e0e33d7b1959137586d543711df6286b44f7cdc1f67cd42c0de
    {"imagebuild": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "addr": "tcp://hephaestus-buildkit-0.hephaestus-buildkit.domino-compute:1234", "logKey": "f66a-build-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:05.378903728Z    INFO    controller.imagebuild.component.build-dispatcher.buildkit    #6 exporting config sha256:28f8205892fd6e0e33d7b1959137586d543711df6286b44f7cdc1f67cd42c0de 0.0s done
    {"imagebuild": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "addr": "tcp://hephaestus-buildkit-0.hephaestus-buildkit.domino-compute:1234", "logKey": "f66a-build-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:05.378959676Z    INFO    controller.imagebuild.component.build-dispatcher.buildkit    #6 pushing layers
    {"imagebuild": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "addr": "tcp://hephaestus-buildkit-0.hephaestus-buildkit.domino-compute:1234", "logKey": "f66a-build-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:07.182632418Z    INFO    controller.imagebuild.component.build-dispatcher.buildkit    #6 pushing layers 1.8s done
    {"imagebuild": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "addr": "tcp://hephaestus-buildkit-0.hephaestus-buildkit.domino-compute:1234", "logKey": "f66a-build-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:07.182679089Z    INFO    controller.imagebuild.component.build-dispatcher.buildkit    #6 pushing manifest for 172.20.88.105:5000/dominodatalab/environment:649f7bbcbb2e9b737895a60d-33@sha256:fa5df1f2111f2c7f66db0c426c11356b93b1cc9f44c3f105ef2d7ca49bc1dc32
    {"imagebuild": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "addr": "tcp://hephaestus-buildkit-0.hephaestus-buildkit.domino-compute:1234", "logKey": "f66a-build-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:07.907170901Z    INFO    controller.imagebuild.component.build-dispatcher.buildkit    Solve complete    {"imagebuild": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "addr": "tcp://hephaestus-buildkit-0.hephaestus-buildkit.domino-compute:1234", "logKey": "f66a-build-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:07.907226149Z    INFO    controller.imagebuild.component.build-dispatcher.buildkit    #6 pushing manifest for 172.20.88.105:5000/dominodatalab/environment:649f7bbcbb2e9b737895a60d-33@sha256:fa5df1f2111f2c7f66db0c426c11356b93b1cc9f44c3f105ef2d7ca49bc1dc32 0.8s done
    {"imagebuild": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "addr": "tcp://hephaestus-buildkit-0.hephaestus-buildkit.domino-compute:1234", "logKey": "f66a-build-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:07.907241737Z    INFO    controller.imagebuild.component.build-dispatcher.buildkit    #6 DONE 2.7s
    {"imagebuild": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "addr": "tcp://hephaestus-buildkit-0.hephaestus-buildkit.domino-compute:1234", "logKey": "f66a-build-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:07.907497404Z    INFO    controller.imagebuild.component.build-dispatcher    Transitioning status    {"imagebuild": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "phase": "Succeeded"}
2023-07-06T00:41:07.919076554Z    INFO    controller.imagebuildmessage    Starting reconcile    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:07.919137346Z    INFO    controller.imagebuildmessage    Reconciling component    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "component": "amqp-messenger"}
2023-07-06T00:41:07.919179048Z    INFO    controller.imagebuildmessage.component.amqp-messenger    Overriding target AMQP Queue    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "name": "hephaestus.imagebuilds.status"}
2023-07-06T00:41:07.91919771Z    INFO    controller.imagebuildmessage.component.amqp-messenger    Creating AMQP message publisher    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:07.920269533Z    INFO    controller.imagebuild.component.build-dispatcher    Releasing buildkit worker    {"imagebuild": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "endpoint": "tcp://hephaestus-buildkit-0.hephaestus-buildkit.domino-compute:1234"}
2023-07-06T00:41:07.920300813Z    INFO    buildkit.worker-pool    Parsing lease addr    {"addr": "tcp://hephaestus-buildkit-0.hephaestus-buildkit.domino-compute:1234"}
2023-07-06T00:41:07.920313088Z    INFO    buildkit.worker-pool    Querying for pod    {"name": "hephaestus-buildkit-0", "namespace": "domino-compute"}
2023-07-06T00:41:07.922432162Z    INFO    controller.imagebuildmessage.component.amqp-messenger    Transition has been processed, skipping    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "phase": "Initializing"}
2023-07-06T00:41:07.922467454Z    INFO    controller.imagebuildmessage.component.amqp-messenger    Transition has been processed, skipping    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "phase": "Running"}
2023-07-06T00:41:07.922475769Z    INFO    controller.imagebuildmessage.component.amqp-messenger    Processing phase transition    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "from": "Running", "to": "Succeeded"}
2023-07-06T00:41:07.922510523Z    INFO    controller.imagebuildmessage.component.amqp-messenger.connection-manager    Attempting to connect to AMQP server    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f", "addr": "amqp://hephaestus:xxxxx@rabbitmq-ha.domino-platform:5672"}
2023-07-06T00:41:07.922591905Z    INFO    controller.imagebuildmessage.component.amqp-messenger    Publishing transition message    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:07.924951346Z    INFO    controller.imagebuildmessage.component.amqp-messenger.connection-manager    Connection established    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:07.924972375Z    INFO    controller.imagebuildmessage.component.amqp-messenger.connection-manager    Attempting to open AMQP channel    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:07.92549404Z    INFO    controller.imagebuildmessage.component.amqp-messenger.connection-manager    Channel opened    {"imagebuildmessage": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:07.925604885Z    INFO    buildkit.worker-pool    Applying pod metadata changes    {"annotations": {"hephaestus.dominodatalab.com/expiry-time":"2023-07-06T00:51:07Z"}}
2023-07-06T00:41:07.943630266Z    INFO    buildkit.worker-pool    Attempting to notify reconciliation
2023-07-06T00:41:07.943670961Z    INFO    buildkit.worker-pool    Reconciliation notification sent
2023-07-06T00:41:07.943678024Z    INFO    controller.imagebuild.component.build-dispatcher    Buildkit worker released    {"imagebuild": "domino-compute/domino-ethan-64a58393bb2e9b737895a66f"}
2023-07-06T00:41:07.943685323Z    INFO    buildkit.worker-pool    Reconciling pool, notify triggered

@ddl-ebrown ddl-ebrown changed the title [DOM-47678] Add support for consuming secrets to Hephaestus [DOM-47678] Add support for passing buildkit secrets via k8s secrets Jun 30, 2023
@ddl-ebrown ddl-ebrown force-pushed the DOM-47678-add-secrets-to-CR branch 3 times, most recently from 030ab96 to 63d5ec5 Compare June 30, 2023 17:30
@ddl-ebrown
Contributor Author

ddl-ebrown commented Jun 30, 2023

I think we've got an existing bad test / race condition or something here... running tests locally, the failing test passes - but it keeps popping up in CI via combo_grow_pending_with_requests

I've seen different random fails that all appear to be in TestPoolPodReconciliation somewhere... definitely buggy tests

@ddl-ebrown ddl-ebrown force-pushed the DOM-47678-add-secrets-to-CR branch 7 times, most recently from cfdf3b3 to 36a7546 Compare July 3, 2023 19:11
@ddl-ebrown ddl-ebrown force-pushed the DOM-47678-add-secrets-to-CR branch 2 times, most recently from ad607c2 to 4d4b346 Compare July 4, 2023 00:01
@ddl-ebrown ddl-ebrown force-pushed the DOM-47678-add-secrets-to-CR branch 4 times, most recently from 038d060 to a9ee412 Compare July 5, 2023 17:39
@ddl-ebrown ddl-ebrown marked this pull request as ready for review July 5, 2023 18:05
@ddl-ebrown ddl-ebrown requested a review from steved as a code owner July 5, 2023 18:05
@ddl-ebrown ddl-ebrown force-pushed the DOM-47678-add-secrets-to-CR branch from a9ee412 to 8c3c884 Compare July 5, 2023 20:20
@ddl-ebrown ddl-ebrown force-pushed the DOM-47678-add-secrets-to-CR branch from 8c3c884 to 53d15a0 Compare July 5, 2023 21:39
@ddl-ebrown ddl-ebrown force-pushed the DOM-47678-add-secrets-to-CR branch from 53d15a0 to 818ac96 Compare July 5, 2023 21:44

@ddl-ryan-connor ddl-ryan-connor left a comment

looks good, i think you need an approval from a codeowner though

Collaborator

@Secretions Secretions left a comment

I'm still pretty naive to heph, but everything here lgtm.

pkg/controller/support/secrets/secrets.go Outdated
@ddl-ebrown ddl-ebrown force-pushed the DOM-47678-add-secrets-to-CR branch 2 times, most recently from 772b603 to 5158579 Compare July 5, 2023 23:13
@ddl-ebrown
Contributor Author

ddl-ebrown commented Jul 6, 2023

/functional-test


Launched workflow: Functional tests

@ddl-ebrown ddl-ebrown marked this pull request as draft July 6, 2023 00:22
 - Adds the ability to pass k8s secret names by namespace / name to be
   consumed by the ImageBuild request using buildkit secrets. The
   `secrets` field is added to the CR as optional, and is fully
   backwards compatible with previous requests.

   Previously, the Helm chart supported exposing service level secrets
   into *all* builds, but this adds support on a per request basis.

   Buildkit secrets must be mounted in via Dockerfile syntax:
   https://docs.docker.com/engine/reference/builder/#run---mounttypesecret

   Consumption via Dockerfile is therefore similar to:

   RUN --mount=type=secret,id=domino-compute/mysecret/foo cat /run/secrets/foo

 - For the secret to be accessible by Hephaestus, it must have the
   label `hephaestus-accessible: "true"`. This prevents the build
   service from having access to arbitrary secrets in the cluster and
   requires clients to specifically opt-in.

 - Additionally the `hephaestus-owned: "true"` label can be added to
   secrets to help manage their lifecycle. When set, the secret will be
   updated to specify the attached ImageBuild as the owner -- when
   ImageBuild resources are routinely purged by the service, those
   secrets will be cleaned up at the same time. This removes the burden
   of secret cleanup from clients, but changes the cleanup timing to be
   non-deterministic.

   The ClusterRole for Hephaestus is updated to allow for secret
   resource updates to support this feature.
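
The label opt-in and ownership rules from this commit message, sketched as an added Go example (not Hephaestus source code). The `SecretRef` and `Secret` types, `ResolveBuildSecrets`, and the sample store are hypothetical, and the `namespace/name/key` id layout is inferred from the Dockerfile line in the message.

```go
// Added illustration, not Hephaestus source. All type and function names are hypothetical.
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Label names are taken from the PR description.
const (
	accessibleLabel = "hephaestus-accessible"
	ownedLabel      = "hephaestus-owned"
)

// SecretRef is a hypothetical per-request reference (namespace / name).
type SecretRef struct{ Namespace, Name string }

// Secret is a minimal stand-in for a Kubernetes Secret.
type Secret struct {
	Namespace, Name string
	Labels          map[string]string
	Data            map[string][]byte
	OwnerBuild      string // stand-in for an ownerReference to the ImageBuild
}

var (
	ErrNotFound      = errors.New("secret not found")
	ErrNotAccessible = errors.New(`secret lacks label hephaestus-accessible: "true"`)
)

// ResolveBuildSecrets maps every key of every referenced secret to a buildkit
// secret id of the form namespace/name/key (assumed layout). It fails closed:
// one unlabelled or missing secret rejects the whole request, and no secret is
// modified unless all references pass.
func ResolveBuildSecrets(store map[string]*Secret, refs []SecretRef, build string) (map[string][]byte, error) {
	allowed := make([]*Secret, 0, len(refs))
	for _, r := range refs {
		s, ok := store[r.Namespace+"/"+r.Name]
		if !ok {
			return nil, fmt.Errorf("%s/%s: %w", r.Namespace, r.Name, ErrNotFound)
		}
		if s.Labels[accessibleLabel] != "true" { // exact match; an absent label denies
			return nil, fmt.Errorf("%s/%s: %w", r.Namespace, r.Name, ErrNotAccessible)
		}
		allowed = append(allowed, s)
	}
	out := make(map[string][]byte)
	for _, s := range allowed {
		if s.Labels[ownedLabel] == "true" {
			s.OwnerBuild = build // secret is then cleaned up together with the ImageBuild
		}
		for k, v := range s.Data {
			out[s.Namespace+"/"+s.Name+"/"+k] = v
		}
	}
	return out, nil
}

// sampleStore returns constructed data: one opted-in secret, one that is not.
func sampleStore() map[string]*Secret {
	return map[string]*Secret{
		"domino-compute/foo": {
			Namespace: "domino-compute", Name: "foo",
			Labels: map[string]string{accessibleLabel: "true", ownedLabel: "true"},
			Data:   map[string][]byte{"bar": []byte("test of foo.bar")},
		},
		"domino-compute/registry-creds": { // constructed name, no opt-in label
			Namespace: "domino-compute", Name: "registry-creds",
			Data: map[string][]byte{"password": []byte("constructed-value")},
		},
	}
}

func main() {
	store := sampleStore()
	ids, err := ResolveBuildSecrets(store, []SecretRef{{Namespace: "domino-compute", Name: "foo"}}, "imagebuild-1")
	keys := make([]string, 0, len(ids))
	for id := range ids {
		keys = append(keys, id)
	}
	sort.Strings(keys)
	fmt.Println(keys, err, store["domino-compute/foo"].OwnerBuild)
	_, err = ResolveBuildSecrets(store, []SecretRef{{Namespace: "domino-compute", Name: "registry-creds"}}, "imagebuild-2")
	fmt.Println(err)
}
```
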
@ddl-ebrown ddl-ebrown force-pushed the DOM-47678-add-secrets-to-CR branch from aa0a66b to 01ab710 Compare July 6, 2023 00:24
@ddl-ebrown
Contributor Author

Removed addition of functional tests for now since the machinery for that is currently totally broken: cc @steved

Will try to get those working and do a follow-on PR, but I'm running short on time.

@ddl-ebrown ddl-ebrown marked this pull request as ready for review July 6, 2023 00:43
@ddl-ebrown ddl-ebrown merged commit a927281 into main Jul 6, 2023
@ddl-ebrown ddl-ebrown deleted the DOM-47678-add-secrets-to-CR branch July 6, 2023 00:44
@ddl-ebrown
Contributor Author

Going to try to fix the tests in #108


3 participants