Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Blank build args are handled incorrectly #1023

Closed
jmeickle opened this issue Jul 24, 2019 · 4 comments · Fixed by #1026
Closed

Blank build args are handled incorrectly #1023

jmeickle opened this issue Jul 24, 2019 · 4 comments · Fixed by #1026
Labels
bug
Milestone
0.10.3

Comments

@jmeickle
Copy link

Bug

Current Behavior

Setting a non-valued build arg like this:

buildArgs:
  CONTAINER: ${modules.base.outputs.local-image-name}
  TAG: ${modules.base.version}
  # this gets pulled from an env var
  CHECKOUT_KEY:

Or explicitly, like this:

buildArgs:
  CONTAINER: ${modules.base.outputs.local-image-name}
  TAG: ${modules.base.version}
  # this gets pulled from an env var
  CHECKOUT_KEY: !!null

results in a Docker command incorrectly emitting "null" as a string like this:

docker build -t snapshot:v-69e99e5246 --build-arg CONTAINER=base --build-arg TAG=v-dac401d9dd --build-arg CHECKOUT_KEY=null /Users/eronarn/Code/investment_automation/.garden/build/snapshot

Expected behavior

The expected Docker command is instead:

docker build -t snapshot:v-69e99e5246 --build-arg CONTAINER=base --build-arg TAG=v-dac401d9dd --build-arg CHECKOUT_KEY /Users/eronarn/Code/investment_automation/.garden/build/snapshot

This is special syntax in Docker builds: https://docs.docker.com/engine/reference/commandline/build/

You may also use the --build-arg flag without a value, in which case the value from the local environment will be propagated into the Docker container being built:

Your environment

[eronarn@Jamess-MacBook-Pro investment_automation]$ garden version
0.10.2
@edvald edvald added the bug label Jul 24, 2019
@edvald edvald added this to the 0.10.3 milestone Jul 24, 2019
@edvald
Copy link
Collaborator

edvald commented Jul 24, 2019

Thanks @Eronarn! That looks like an easy fix, we'll get on it.

@baspetersdotjpeg baspetersdotjpeg mentioned this issue Jul 24, 2019
Merged
@jmeickle
Copy link
Author

Also some extra context, CHECKOUT_KEY: ${local.env.CHECKOUT_KEY} does "work", but implements slightly different behavior than this request. For example, in that case, the secret value (the checkout key) is visible in a ps as a command line flag.

Generally though, using the Docker build args system for secret management is less ideal. It'd be great to see some documentation on if there's any patterns for build-time secrets in Garden; or if buildkit-based secrets are on the roadmap.

@edvald
Copy link
Collaborator

edvald commented Jul 24, 2019

Yeah that makes sense. The BuildKit stuff going stable is generally what we've been holding out for. It's been opt-in for a while so we've hesitated to build around it, but we'll be happy to support BuildKit secrets.

Incidentally, just noticed that Docker 19.03 is out. BuildKit still appears to be opt-in, but it's worth checking in on it again.

@jmeickle
Copy link
Author

We've been following Buildkit on our end for quite some time. For us the blocker for adopting Buildkit is not the opt-in nature, but specifically the lack of support for layer caching use cases and the inability to push Buildkit caches to AWS ECR:

moby/buildkit#699 (comment)

moby/buildkit#723 (comment)

moby/moby#39003

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
0.10.3
Development

Successfully merging a pull request may close this issue.

fix: handle blank build args appropriately garden-io/garden
2 participants
@edvald @jmeickle