Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

bake: cache-from/cache-to options no longer print sensitive values #2833

Closed

Conversation

jsternberg
Copy link
Collaborator

@jsternberg jsternberg commented Dec 2, 2024

This refactors how the cache-from/cache-to composable attributes work so they no longer print sensitive values that are automatically added.

This also expands the available syntax that works with the cache options. It is now possible to interleave the csv syntax with the object syntax without any problems. The canonical form is still the object syntax and variables are resolved according to that syntax.

cache-from and cache-to now correctly ignore empty string inputs so these can be used with variables.

Fixes #2823.

Partial fix for #2822.

bake/hcl_test.go Outdated
@@ -674,7 +674,7 @@ func TestHCLAttrsCapsuleTypeVars(t *testing.T) {
output = [ "type=oci,dest=../${foo}.tar" ]

secret = [
{ id = target.app.output[0].type, src = "/local/secret" },
{ id = target.app.output[0].type, src = "/${target.app.cache-from[1].type}/secret" },
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@dvdksn I'm not sure we have examples showing how to reference attributes. I think the example with cache-to = [ target.app.cache-from[0] ] is a good one.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We have a simpler example: https://docs.docker.com/build/bake/inheritance/#reusing-single-attributes-from-targets

We don't show interpolation though, maybe we should

@crazy-max crazy-max added this to the v0.20.0 milestone Dec 3, 2024
@jsternberg
Copy link
Collaborator Author

I'm going to put this into draft. I have a more complete fix for this but it'll also involve other changes.

@jsternberg jsternberg marked this pull request as draft December 6, 2024 16:40
@jsternberg jsternberg force-pushed the bake-cache-sensitive-attrs branch from 7a8ebdc to 71d0415 Compare December 6, 2024 18:46
@jsternberg jsternberg marked this pull request as ready for review December 6, 2024 19:07
@jsternberg
Copy link
Collaborator Author

Updated this PR pretty significantly.

I figured out how to make the FromCtyValue and ToCtyValue stuff work with type wrappers so I can now do:

type CacheOptions []*CacheOptionsEntry

And implement the custom logic with that. This took away some of the previous indirection that was making the code very difficult to deal with. Now the JSON marshaling will correctly skip empty slices and the cty value stuff works without exposing the system to null values.

I'm planning to extend this to the other ones too. I mostly ran into issues when I was trying to take the original approach in this PR and apply it to the outputs. It became too difficult to deal with all of the potential null locations.

@jsternberg jsternberg force-pushed the bake-cache-sensitive-attrs branch 2 times, most recently from 829e633 to 45ae61e Compare December 9, 2024 15:52
This refactors how the cache-from/cache-to composable attributes work so
they no longer print sensitive values that are automatically added.

This also expands the available syntax that works with the cache
options. It is now possible to interleave the csv syntax with the object
syntax without any problems. The canonical form is still the object
syntax and variables are resolved according to that syntax.

`cache-from` and `cache-to` now correctly ignore empty string inputs so
these can be used with variables.

Signed-off-by: Jonathan A. Sternberg <[email protected]>
@jsternberg
Copy link
Collaborator Author

Batching in this change with some other fixes too in #2814. I'll close this one.

@jsternberg jsternberg closed this Dec 9, 2024
@crazy-max crazy-max removed this from the v0.20.0 milestone Dec 11, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

[v0.19.0] bake: cache-to/cache-from attributes output credentials with --print
3 participants