chore(envbuilder.go): prove the concept of build secret envs #391
Conversation
SasSwart
changed the title
There was a problem hiding this comment.
This is somewhat different from what I had in mind, and seems to cross more into the direction of #366
The idea is that we want these secrets to be available during the container build process only. As far as I can tell, this persists them to disk inside Kaniko's working directoryl.
What do you think about the following approach:
- Fetch all environment variables with the prefix
ENVBUILDER_SECRETand store them in a map or similar - Before building the image using Kaniko, set all the environment variables from above without
ENVBUILDER_SECRETprefix. - After building the image and just before exec'ing the init command, unset all of the above environment variables.
If the prefix ENVBUILDER_SECRET_ is misleading, we can rename it to something else also.
I did attempt this, but wasn't able to get it to work. each RUN directive starts with a mostly blank environment as far as I can tell. I will revisit this approach though. Perhaps I can get it to work upon closer inspection. Out of interest, why do you prefer the ENV approach as opposed to persisting them to disk? |
I actually don't have a good answer to this apart from 'environment variables are easy and it seems to be the method of least surprise'. However, I can see some folks being wary of passing build-time secrets via environment variable, as someone with access to either the container spec or some 'back-door' into the container (e.g. via EDIT: a use case that appears to be common is mounting secrets inside the container with ownership |
|
@johnstcn The updated PR should demonstrate a more flexible approach in line with docker standards. The user can now choose whether they want an ENV, or a file. They can also specify where that file should be. |
This PR proves the concept of build secret environment variables as a safer alternative to #93