Expand build argument from environment when no value specified #993
Conversation
|
@cvgw As promised... Do I need to add integration test? |
|
Thank you so much for your contribution! |
There was a problem hiding this comment.
I'm not sure this addresses the primary use case which is secrets
won't docker -e SOME_SECRET=secret-value run .... output the value of the secret to the log/shell history?
I think we need a solution that won't be logged out. We also need to audit the logs in kaniko and make sure this value will never be logged. Infact, we should probably write an integration tests that checks the logs to make sure a known secret value is never logged
At least that part can be solved via a .env file. I.e. with Granted, that file would need to be written to disk first, but this is a common way to pass along environment variables without exposing them via the command line. |
antechrestos
force-pushed
the
feature/expand_build_args_with_environment_variable
branch
3 times, most recently
from
18e8efb
to
c82a14b
Compare
|
@tejal29 you're welcome |
antechrestos
force-pushed
the
feature/expand_build_args_with_environment_variable
branch
from
c82a14b
to
a569d5c
Compare
| @@ -206,6 +207,17 @@ func resolveDockerfilePath() error { | |||
| return errors.New("please provide a valid path to a Dockerfile within the build context with --dockerfile") | |||
| } | |||
|
|
|||
| // resolveEnvironmentBuildArgs replace build args without value by the same named environment variable | |||
| func resolveEnvironmentBuildArgs(arguments []string, resolver func(string) string) { | |||
There was a problem hiding this comment.
So this will take an argument like FOO and replace it with FOO=FOO ?
There was a problem hiding this comment.
@cvgw this will take the argument array such as [ "foo=bar", "EnvVariable" ] crawl through it and replace any argument without = with "EnvVariable=EnvValue" if a value was returned by resolver function (os.Getenv in prod code, mocked function in tests). If zero length value returned, it will be replaced with "EnvVariable="
There was a problem hiding this comment.
Thanks for explaining, cheers
|
|
||
| // Checks if argument are not printed in output. | ||
| // Argument may be passed through --build-arg key=value manner or --build-arg key with key in environment | ||
| func checkArgsNotPrinted(dockerfile string, out []byte) error { |
There was a problem hiding this comment.
So this checks to make sure the value of none of the build args are logged? It makes no distinction between whether they were added as literals or expanded from the env?
There was a problem hiding this comment.
@cvgw I could have make the distinction in the test, however I could not find any way to make the distinction in the code as env like variable (env, arg and meta arg ) are used everywhere as a mere string key=value and could not make the distinction without breaking everything.
Do you want I change the test? Or everything?
There was a problem hiding this comment.
No changes needed. Was just clarifying for my owner understanding. I think it's reasonable to not log any ARG values.
| @@ -206,6 +207,17 @@ func resolveDockerfilePath() error { | |||
| return errors.New("please provide a valid path to a Dockerfile within the build context with --dockerfile") | |||
| } | |||
|
|
|||
| // resolveEnvironmentBuildArgs replace build args without value by the same named environment variable | |||
| func resolveEnvironmentBuildArgs(arguments []string, resolver func(string) string) { | |||
There was a problem hiding this comment.
@cvgw this will take the argument array such as [ "foo=bar", "EnvVariable" ] crawl through it and replace any argument without = with "EnvVariable=EnvValue" if a value was returned by resolver function (os.Getenv in prod code, mocked function in tests). If zero length value returned, it will be replaced with "EnvVariable="
| @@ -206,6 +207,17 @@ func resolveDockerfilePath() error { | |||
| return errors.New("please provide a valid path to a Dockerfile within the build context with --dockerfile") | |||
| } | |||
|
|
|||
| // resolveEnvironmentBuildArgs replace build args without value by the same named environment variable | |||
| func resolveEnvironmentBuildArgs(arguments []string, resolver func(string) string) { | |||
There was a problem hiding this comment.
Thanks for explaining, cheers
|
@cvgw something went wrong with kaniko. However, things went well in Travis 🤔... What went wrong? |
|
@antechrestos i triggered a rebuilt. Previous failure was a flake. |
|
@tejal29 thanks |
antechrestos
force-pushed
the
feature/expand_build_args_with_environment_variable
branch
from
a569d5c
to
c97c906
Compare
|
@tejal29 I have rebased my branch. I am not sure it might change anything 🤔 |
antechrestos
force-pushed
the
feature/expand_build_args_with_environment_variable
branch
from
c97c906
to
2f1e54e
Compare
|
@antechrestos The travis test passed, so i am going to merge this in! |
|
@tejal29 at our own risk 😊 |
antechrestos
deleted the
feature/expand_build_args_with_environment_variable
branch
|
THANK YOU! ❤️ |
|
Thanks this is so helpful (albeit undocumented) feature |
Fixes #713
Description
This change adds the feature of getting value of build argument from environment when build argument is specified as follows
/kaniko/executor .... --build-arg MY_ARGUMENT ...Submitter Checklist
Reviewer Notes
Release Notes