PB-851 part 1: use Buildkite Secret in favor of K8s Secret#754
Merged
Conversation
zhming0
force-pushed
the
ming/pb-851-part-1
branch
4 times, most recently
from
7cd29d5 to
bd40b42
Compare
moskyb
requested changes
Oct 23, 2025
Comment on lines
162
to
164
| // The buildkite token is required, but it is set from a Kubernetes secret, not the config file, | ||
| // which is itself set from a config map that is used to create env variables in the controller | ||
| // container. As this is required, we set it here to avoid the validation error. |
Contributor
There was a problem hiding this comment.
This comment is a lie now, right? It's set from a buildkite secret during the deploy process
Contributor
Author
There was a problem hiding this comment.
This comment is confusing, I removed it and reworked this bit of code.
| "name of the Buildkite agent token secret", | ||
| ) | ||
| cmd.Flags().String("buildkite-token", "", "Deprecated - Buildkite API token with GraphQL scopes") | ||
| cmd.Flags().String("integration-test-buildkite-token", "", "Deprecated - Buildkite API token with GraphQL scopes") |
Contributor
There was a problem hiding this comment.
i think now that we're only using the graphQL token in tests, we should remove it from the stack entirely and pass it to the tests by environment variable or similar — its presence in the stack configuration is only going to confuse people
Contributor
Author
There was a problem hiding this comment.
Totally agree, but that's probably out-of-scope for this PR.
swaller-bk
reviewed
Oct 23, 2025
zhming0
force-pushed
the
ming/pb-851-part-1
branch
from
bd40b42 to
1953d11
Compare
zhming0
force-pushed
the
ming/pb-851-part-1
branch
from
1953d11 to
dcf870a
Compare
moskyb
approved these changes
Oct 24, 2025
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR replaces all k8s secret reference to Buildkite secrets with proper access policy.
Note, because current Buildkite Secret restrict BUILDKITE_** env var names, I had to rename some env var names.