Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Expand build argument from environment when no value specified #993

Merged
merged 1 commit into from
Jan 31, 2020
Merged

Expand build argument from environment when no value specified #993

merged 1 commit into from
Jan 31, 2020

Conversation

antechrestos
Copy link
Contributor

@antechrestos antechrestos commented Jan 23, 2020
edited by tejal29
Loading

Fixes #713

Description

This change adds the feature of getting value of build argument from environment when build argument is specified as follows

/kaniko/executor .... --build-arg MY_ARGUMENT ...

Submitter Checklist

  • Includes unit tests
  • Adds integration tests if needed.

Reviewer Notes

  • The code flow looks good.
  • Unit tests and or integration tests added.

Release Notes

Allow user to provide build argument from environment variable as follows:
$> export MY_ARGUMENT="the value"
$> /kaniko/executor ... --build-arg MY_ARGUMENT ...
Or
$> docker run -e MY_ARGUMENT="the value" gcr.io/kaniko-project/executor ... --build-arg MY_ARGUMENT ...

@googlebot googlebot added the cla: yes CLA signed by all commit authors label Jan 23, 2020
@antechrestos
Copy link
Contributor Author

@cvgw As promised... Do I need to add integration test?

@tejal29
Copy link
Contributor

tejal29 commented Jan 24, 2020

Thank you so much for your contribution!

cvgw
cvgw suggested changes Jan 25, 2020
View reviewed changes
Copy link
Contributor

@cvgw cvgw left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure this addresses the primary use case which is secrets

won't docker -e SOME_SECRET=secret-value run .... output the value of the secret to the log/shell history?

I think we need a solution that won't be logged out. We also need to audit the logs in kaniko and make sure this value will never be logged. Infact, we should probably write an integration tests that checks the logs to make sure a known secret value is never logged

@stewi2
Copy link

stewi2 commented Jan 25, 2020

won't docker -e SOME_SECRET=secret-value run .... output the value of the secret to the log/shell history?

At least that part can be solved via a .env file. I.e.

docker --env-file .secrets run ....

with .secrets containing this:

SOME_SECRET=secret-value

Granted, that file would need to be written to disk first, but this is a common way to pass along environment variables without exposing them via the command line.

@antechrestos antechrestos requested a review from cvgw January 25, 2020 22:04
@antechrestos
Copy link
Contributor Author

@tejal29 you're welcome
@cvgw I added it. To do so I added a new dedicated dockerfile. I also added a way to pass environment variable to build (with cmd.Env for docker build and -e for kaniko build as kaniko build is done inside docker) and also tested the expansion of docker variable.
For this test a check of output is provided te do a research on argument value and ensure that it is not printed.

cvgw
cvgw reviewed Jan 27, 2020
View reviewed changes
cmd/executor/cmd/root.go
@@ -206,6 +207,17 @@ func resolveDockerfilePath() error {
return errors.New("please provide a valid path to a Dockerfile within the build context with --dockerfile")
}

// resolveEnvironmentBuildArgs replace build args without value by the same named environment variable
func resolveEnvironmentBuildArgs(arguments []string, resolver func(string) string) {
Copy link
Contributor

@cvgw cvgw Jan 27, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So this will take an argument like FOO and replace it with FOO=FOO ?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@cvgw this will take the argument array such as [ "foo=bar", "EnvVariable" ] crawl through it and replace any argument without = with "EnvVariable=EnvValue" if a value was returned by resolver function (os.Getenv in prod code, mocked function in tests). If zero length value returned, it will be replaced with "EnvVariable="

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for explaining, cheers

cvgw
cvgw reviewed Jan 27, 2020
View reviewed changes
integration/images.go

// Checks if argument are not printed in output.
// Argument may be passed through --build-arg key=value manner or --build-arg key with key in environment
func checkArgsNotPrinted(dockerfile string, out []byte) error {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So this checks to make sure the value of none of the build args are logged? It makes no distinction between whether they were added as literals or expanded from the env?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@cvgw I could have make the distinction in the test, however I could not find any way to make the distinction in the code as env like variable (env, arg and meta arg ) are used everywhere as a mere string key=value and could not make the distinction without breaking everything.
Do you want I change the test? Or everything?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No changes needed. Was just clarifying for my owner understanding. I think it's reasonable to not log any ARG values.

cvgw
cvgw reviewed Jan 27, 2020
View reviewed changes
Copy link
Contributor

@cvgw cvgw left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks really nice, just a couple questions

antechrestos
antechrestos commented Jan 27, 2020
View reviewed changes
Copy link
Contributor Author

@antechrestos antechrestos left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@cvgw Thank you for the feed back. I answered .

cmd/executor/cmd/root.go
@@ -206,6 +207,17 @@ func resolveDockerfilePath() error {
return errors.New("please provide a valid path to a Dockerfile within the build context with --dockerfile")
}

// resolveEnvironmentBuildArgs replace build args without value by the same named environment variable
func resolveEnvironmentBuildArgs(arguments []string, resolver func(string) string) {
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@cvgw this will take the argument array such as [ "foo=bar", "EnvVariable" ] crawl through it and replace any argument without = with "EnvVariable=EnvValue" if a value was returned by resolver function (os.Getenv in prod code, mocked function in tests). If zero length value returned, it will be replaced with "EnvVariable="

cvgw
cvgw approved these changes Jan 27, 2020
View reviewed changes
cmd/executor/cmd/root.go
@@ -206,6 +207,17 @@ func resolveDockerfilePath() error {
return errors.New("please provide a valid path to a Dockerfile within the build context with --dockerfile")
}

// resolveEnvironmentBuildArgs replace build args without value by the same named environment variable
func resolveEnvironmentBuildArgs(arguments []string, resolver func(string) string) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for explaining, cheers

@antechrestos
Copy link
Contributor Author

antechrestos commented Jan 28, 2020
edited
Loading

@cvgw something went wrong with kaniko. However, things went well in Travis 🤔... What went wrong?

@tejal29
Copy link
Contributor

tejal29 commented Jan 28, 2020

@antechrestos i triggered a rebuilt. Previous failure was a flake.

@antechrestos
Copy link
Contributor Author

@tejal29 thanks

@antechrestos
Copy link
Contributor Author

@tejal29 I have rebased my branch. I am not sure it might change anything 🤔

@antechrestos
Copy link
Contributor Author

@cvgw @tejal29 may I have another try with kokoro? 🙏

@tejal29
Copy link
Contributor

tejal29 commented Jan 31, 2020

@antechrestos The travis test passed, so i am going to merge this in!

@tejal29 tejal29 merged commit de4b734 into GoogleContainerTools:master Jan 31, 2020
@antechrestos
Copy link
Contributor Author

@tejal29 at our own risk 😊

@antechrestos antechrestos deleted the feature/expand_build_args_with_environment_variable branch January 31, 2020 20:04
@sourcec0de
Copy link

THANK YOU! ❤️

@nhed
Copy link

nhed commented Feb 9, 2023

Thanks this is so helpful (albeit undocumented) feature

@iqbalaydrus iqbalaydrus mentioned this pull request May 24, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cvgw cvgw cvgw approved these changes

@tejal29 tejal29 tejal29 approved these changes

Assignees
No one assigned
Labels
candidate-release cla: yes CLA signed by all commit authors
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Kaniko's --build-arg accepts only literal values
8 participants
@antechrestos @tejal29 @stewi2 @sourcec0de @nhed @cvgw @googlebot @kokoro-team