Add support for --secret option for buildkit support.

Open ehengao opened this issue 5 years ago • 3 comments

Signed-off-by: Heng GAO [email protected]

Description

I added a flag to the build command called --buildkit-secret to support one of the Docker BuildKit options described here: https://docs.docker.com/develop/develop-images/build_enhancements/#new-docker-build-secret-information

The reason for this change is that I have a function that depends on a private PyPI repository which requires sensitive access information. To avoid putting my credentials into the images, I decided to make this change to get the benefit of using Docker BuildKit to protect my secrets.

The flag added to the --buildkit-secret is the same as the docker build --secret. I have successfully built this change and applied it locally to create an image using the following command:

DOCKER_BUILDKIT=1 faas-cli build --no-cache --buildkit-secret id=netrc,src=${HOME}/.netrc -f hello.yml

And in my Dockerfile, I need to specify the following changes to make this work:

# syntax = docker/dockerfile:1.0-experimental
FROM openfaas/of-watchdog:0.7.2 as watchdog
FROM python:3.8-slim

...

RUN --mount=type=secret,id=netrc,dst=/root/.netrc pip install -r requirements.txt --extra-index-url ${EXTRA_INDEX_URL}

Motivation and Context

This change is required because a user's function might have dependencies that are hosted on a private PyPI or GitLab; this change will help users build their functions more securely.

  • [x] I have raised an issue to propose this change (required) Resolves: https://github.com/openfaas/faas-cli/issues/785

How Has This Been Tested?

A new testing option was added in Test_buildFlagSlice to verify that the buildFlagSlice function can create the docker command flag correctly, and a new testing function was added to make sure the docker command can be generated correctly.

Types of changes

  • [ ] Bug fix (non-breaking change which fixes an issue)
  • [x] New feature (non-breaking change which adds functionality)
  • [ ] Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • [x] My code follows the code style of this project.
  • [ ] My change requires a change to the documentation.
  • [ ] I have updated the documentation accordingly.
  • [x] I've read the CONTRIBUTION guide
  • [x] I have signed-off my commits with git commit -s
  • [x] I have added tests to cover my changes.
  • [x] All new and existing tests passed.

ehengao, Mar 24 '20 00:03
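
An added example, not code from this PR or from faas-cli: a pre-build check in Go that cross-references the secret ids mounted in a Dockerfile against the `id=...,src=...` values passed on the command line. It is worth running because a secret mount is optional unless `required=true` is set, so a RUN step whose id was never supplied runs without the credential file. `MissingSecrets`, `fields` and the sample Dockerfile are hypothetical names and constructed input.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample, modelled on the Dockerfile in the description above.
const sampleDockerfile = `# syntax = docker/dockerfile:1.0-experimental
FROM python:3.8-slim
RUN --mount=type=secret,id=netrc,dst=/root/.netrc pip install -r requirements.txt
RUN --mount=type=secret,id=npmrc,dst=/root/.npmrc npm ci
`

// fields splits "k=v,k=v" into a map; a bare key maps to "".
func fields(spec string) map[string]string {
	m := map[string]string{}
	for _, kv := range strings.Split(spec, ",") {
		p := strings.SplitN(kv, "=", 2)
		m[strings.TrimSpace(p[0])] = strings.TrimSpace(strings.Join(p[1:], ""))
	}
	return m
}

// MissingSecrets (hypothetical helper) lists the secret ids that the
// Dockerfile mounts but that no supplied "id=...,src=..." value provides.
func MissingSecrets(dockerfile string, supplied []string) []string {
	have := map[string]bool{}
	for _, s := range supplied {
		have[fields(s)["id"]] = true
	}
	missing := []string{}
	for _, line := range strings.Split(dockerfile, "\n") {
		if strings.HasPrefix(strings.TrimSpace(line), "#") {
			continue // comment or parser directive, not an instruction
		}
		for _, tok := range strings.Fields(line) {
			f := fields(strings.TrimPrefix(tok, "--mount="))
			if id := f["id"]; strings.HasPrefix(tok, "--mount=") && f["type"] == "secret" && id != "" && !have[id] {
				have[id] = true // report each id once
				missing = append(missing, id)
			}
		}
	}
	return missing
}

func main() {
	fmt.Println(MissingSecrets(sampleDockerfile, []string{"id=netrc,src=/home/user/.netrc"}))
}
```

Mounts that omit `id` are not checked by this sketch, and ids are returned in the order they first appear in the Dockerfile.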

@ehengao I am not sure we are ready to merge this yet because we want to consider if there is a generic way to support a wider range of flags. Take a look at https://github.com/openfaas/faas-cli/issues/785#issuecomment-606761803 and let us know what you think. Thanks

LucasRoesler, Apr 04 '20 12:04

@LucasRoesler Any news or other plans to support the new Docker BuildKit?

talhof8, Oct 15 '20 07:10

@talhof8 the design conversation is in https://github.com/openfaas/faas-cli/issues/785 and we need to get @alexellis to approve

LucasRoesler, Oct 15 '20 07:10

We have gone for a simpler approach, and are validating it with OpenFaaS Pro customers.

Should anyone want to try this out, please contact us via the usual channels for customers.

alexellis, Oct 18 '22 11:10

/lock: resolved

alexellis, Oct 18 '22 11:10