Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

feat(envbuilder.go): add support for build secrets#391

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Merged
SasSwart merged 16 commits intomainfromjjs/buildsecrets
Oct 29, 2024

Conversation

SasSwart
Copy link
Contributor

@SasSwartSasSwart commentedOct 16, 2024
edited
Loading

This PR adopts support for build secrets from our recent updates to Kaniko to provide a safer alternative to this:#93

@SasSwartSasSwart changed the titlechore(envbuilder.go): prove the concept of build secret endschore(envbuilder.go): prove the concept of build secret envsOct 16, 2024
Copy link
Member

@johnstcnjohnstcn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

This is somewhat different from what I had in mind, and seems to cross more into the direction of#366

The idea is that we want these secrets to be available during the container build process only. As far as I can tell, this persists them to disk inside Kaniko's working directoryl.

What do you think about the following approach:

  • Fetch all environment variables with the prefixENVBUILDER_SECRET and store them in a map or similar
  • Before building the image using Kaniko, set all the environment variables from above withoutENVBUILDER_SECRET prefix.
  • After building the image and just before exec'ing the init command, unset all of the above environment variables.

If the prefixENVBUILDER_SECRET_ is misleading, we can rename it to something else also.

@SasSwart
Copy link
ContributorAuthor

Before building the image using Kaniko, set all the environment variables from above without ENVBUILDER_SECRET prefix.

I did attempt this, but wasn't able to get it to work. each RUN directive starts with a mostly blank environment as far as I can tell. I will revisit this approach though. Perhaps I can get it to work upon closer inspection.

Out of interest, why do you prefer the ENV approach as opposed to persisting them to disk?

@johnstcn
Copy link
Member

johnstcn commentedOct 17, 2024
edited
Loading

Out of interest, why do you prefer the ENV approach as opposed to persisting them to disk?

I actually don't have a good answer to this apart from 'environment variables are easy and it seems to be the method of least surprise'.

However, I can see some folks being wary of passing build-time secrets via environment variable, as someone with access to either the container spec or some 'back-door' into the container (e.g. viakubectl exec) would then potentially end up being able to read the env var.

EDIT: a use case that appears to be common is mounting secrets inside the container with ownershiproot:root and permission0400 so that a resulting non-root user inside the container is unable to read the secret.

@SasSwart
Copy link
ContributorAuthor

@johnstcn The updated PR should demonstrate a more flexible approach in line with docker standards. The user can now choose whether they want an ENV, or a file. They can also specify where that file should be.

johnstcn reacted with thumbs up emoji

Copy link
ContributorAuthor

@SasSwartSasSwart left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Self Review:

@SasSwartSasSwart changed the titlechore(envbuilder.go): prove the concept of build secret envsfeat(envbuilder.go): add support for build secretsOct 24, 2024
@SasSwartSasSwart marked this pull request as ready for reviewOctober 25, 2024 08:40
@SasSwartSasSwart self-assigned thisOct 25, 2024
Copy link
Member

@mafredrimafredri left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

In general the implementation looks good, had some minor suggestions. Tests need a bit more work though.

@SasSwart
Copy link
ContributorAuthor

@mafredri I've tended to all review notes. Thanks for all the feedback, it was useful!
Tests should be in a much better space now. Please have another look?

mafredri reacted with thumbs up emoji

Copy link
Member

@mafredrimafredri left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

A few minor nits but otherwise looking good. 👍🏻

@SasSwartSasSwart merged commit416acc6 intomainOct 29, 2024
4 checks passed
@SasSwartSasSwart deleted the jjs/buildsecrets branchOctober 29, 2024 08:02
Sign up for freeto join this conversation on GitHub. Already have an account?Sign in to comment
Reviewers

@mafredrimafredrimafredri approved these changes

@johnstcnjohnstcnjohnstcn left review comments

Assignees

@SasSwartSasSwart

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

3 participants
@SasSwart@johnstcn@mafredri
[8]ページ先頭
©2009-2025 Movatter.jp