18:29 <razrdog[m]> hi there,... (full message at <https://libera.ems.host/_matrix/media/v3/download/libera.chat/4aab2df38ccf222a31fe629d8f160259bb28146f>)

18:31 <razrdog[m]> in the build master I have:... (full message at <https://libera.ems.host/_matrix/media/v3/download/libera.chat/120dc87b807ad0c2358c5fa7bd1fb3213baa0706>)

18:34 <razrdog[m]> and the file /opt/buildbot/secrets/buildbot-ssh-key does exist with 0600 file permissions and contains a deploy key configured in gitlab

20:05 <glogan> Owned by the same uid as the buildbot master?

20:15 <razrdog[m]> no the worker is a container running in kubernetes, the master is running on a VM.

20:16 <razrdog[m]> would file permissions be copied as part of it getting the key from master?

20:16 <glogan> No, but the master would need to be able to read the file

20:16 <razrdog[m]> I think I missunderstood. yes the file is owned by the same uid as buildmaster

20:17 <glogan> My ansibleized docker version https://github.com/opencast/opencast-project-infrastructure/blob/master/ansible-buildbot-cluster/roles/buildbot-config/templates/master.cfg#L367

20:17 <razrdog[m]> everything is running as user buildbot and i've ensured /opt/buildbot/** are owned by buildbot:buildbot

20:18 <glogan> Is the dir name being passed t on the secret provider the correct directory *inside* the container?

20:18 <glogan> That bit me for a while

20:18 <glogan> Since my containers are based o the upstream container

20:21 <razrdog[m]> I think that makes sense. so if my secrets on buildmaster are /opt/buildbot/secrets/ then i need to ensure that build worker is running in /opt/buildbot/ as well?

20:22 <razrdog[m]> my container is also based on upstream, this is my first time using a containerized worker so i'm guessing i'll have a few things to figure out

20:25 <glogan> https://github.com/opencast/opencast-project-infrastructure/blob/master/ansible-buildbot-cluster/roles/buildbot-config/templates/ansible.py#L220 is how I get my ssh keys to my workers

20:25 <glogan> Which are also containers

20:42 <razrdog[m]> <glogan> "https://github.com/opencast/..."; <- I'm reading through this now, thank you for the resources.

20:45 <razrdog[m]> after what you said about matching directories I tested just echoing a secret with shellcommand and that is also an issue on the container, while secrets work fine on non containerized workers.

20:45 <razrdog[m]> I'll report back what i figure out

20:47 <glogan> Yeah that sounds like a path issue to me.

20:47 <glogan> The upstream container's default root is... /builder I think?

20:48 <glogan> As long as you're mounting /opt/whatever to the exact same place inside the container it should work, but the uids might not match. If you don't mount it to the same place then it's probably paths.

21:33 <razrdog[m]> you were dead on! I've moved my build master to /builbot to match the worker container and I can now pass secrets

21:34 <glogan> Yay!

23:39 <razrdog[m]> Now that the secrets can be read I am getting another issue about the ssh key formatting. It seems to be the same issue marked here https://github.com/buildbot/buildbot/issues/5264 has anyone in here used or come across this? my secrets config does not contain the strip=True mentioned in the issue.