Bind secrets to their playbooks Secrets are proving less useful than originally hoped because they can not be effectively used in any jobs with untrusted children. This change binds the secrets to the playbooks which use them, so that child jobs are unable to access the secrets. This allows us to create jobs with pre/post playbooks which use secrets which are suitable for other jobs to inherit from. Change-Id: I67dd12563f3abd242d6356675afed1de0cb144cf

commit: 892cca6afa7c29757922b6ad584fcfe984cad3e3 [log] [tgz]
author: James E. Blair <jeblair@redhat.com> Wed Aug 09 11:36:58 2017 -0700
committer: James E. Blair <jeblair@redhat.com> Thu Aug 10 09:13:46 2017 -0700
tree: c9f18ca8620b5635c835012616e89cf48d25af3e
parent: ad966ccc46bcceb9c1c29da972b14dd6967ff6a4 [diff] [blame]
diff --git a/doc/source/user/jobs.rst b/doc/source/user/jobs.rst
index 7f1c3cb..5f36c30 100644
--- a/doc/source/user/jobs.rst
+++ b/doc/source/user/jobs.rst

@@ -121,6 +121,9 @@
 
  {{ credentials.username }} {{ credentials.password }}
 
+Secrets are only available to playbooks associated with the job
+definition which uses the secret; they are not available to playbooks
+associated with child jobs or job variants.
 
 Zuul Variables
 ~~~~~~~~~~~~~~
commit	892cca6afa7c29757922b6ad584fcfe984cad3e3	[log] [tgz]
author	James E. Blair <jeblair@redhat.com>	Wed Aug 09 11:36:58 2017 -0700
committer	James E. Blair <jeblair@redhat.com>	Thu Aug 10 09:13:46 2017 -0700
tree	c9f18ca8620b5635c835012616e89cf48d25af3e
parent	ad966ccc46bcceb9c1c29da972b14dd6967ff6a4 [diff] [blame]