PESTO provides a set of tools to ease the process of packaging a Python algorithm as a processing web service in a Docker image. Deploying a web service becomes as easy as filling in a few configuration files.
The variable PIP_EXTRA_INDEX_URL is currently handled with an ENV inside the Dockerfile, which means that any credentials in this variable are leaked to the final image. Also, PIP_INDEX_URL is not handled.
This feature request proposes to use a different mechanism to pass these credentials:
- if DOCKER_BUILDKIT is defined, these variables can be passed using the --secret option, so that they don't appear anywhere in the final image.
- in the other cases, the index-url variables can be passed using --build-arg options; they don't remain in the environment but they can be seen in the image layers, with docker inspect.
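The two mechanisms proposed above, sketched as an added example that is not PESTO's own Dockerfile. The base image tag, stage names, secret ids, image tag and requirements.txt path are assumptions made for illustration:

```dockerfile
# syntax=docker/dockerfile:1
# Added example, not PESTO's Dockerfile. Names below are hypothetical.

# Current behaviour described in the request (kept commented out): an ENV
# value is stored in the image configuration and in every container's
# environment, so credentials embedded in the URL ship with the image.
# ENV PIP_EXTRA_INDEX_URL=<index URL containing credentials>

# --- Variant 1: BuildKit secrets -------------------------------------------
# Build with the index URLs taken from the caller's environment:
#   DOCKER_BUILDKIT=1 docker build --target with-secret \
#     --secret id=pip_index_url,env=PIP_INDEX_URL \
#     --secret id=pip_extra_index_url,env=PIP_EXTRA_INDEX_URL \
#     -t pesto-example .
FROM python:3.11-slim AS with-secret
COPY requirements.txt /tmp/requirements.txt
# Each secret is mounted at /run/secrets/<id> for this RUN step only.
# The exports live in this step's shell and are not written to the image.
RUN --mount=type=secret,id=pip_index_url \
    --mount=type=secret,id=pip_extra_index_url \
    if [ -s /run/secrets/pip_index_url ]; then \
        export PIP_INDEX_URL="$(cat /run/secrets/pip_index_url)"; fi; \
    if [ -s /run/secrets/pip_extra_index_url ]; then \
        export PIP_EXTRA_INDEX_URL="$(cat /run/secrets/pip_extra_index_url)"; fi; \
    pip install --no-cache-dir -r /tmp/requirements.txt

# --- Variant 2: build arguments (no BuildKit) --------------------------------
# Build with:
#   docker build --target with-build-arg \
#     --build-arg PIP_INDEX_URL="$PIP_INDEX_URL" \
#     --build-arg PIP_EXTRA_INDEX_URL="$PIP_EXTRA_INDEX_URL" \
#     -t pesto-example .
FROM python:3.11-slim AS with-build-arg
# ARG values are exposed to RUN steps as environment variables during the
# build, so pip reads them directly. They are not set in the running
# container, but, as the request notes, they remain visible in the image
# layers, so this variant only narrows the exposure.
ARG PIP_INDEX_URL
ARG PIP_EXTRA_INDEX_URL
COPY requirements.txt /tmp/requirements.txt
RUN pip install --no-cache-dir -r /tmp/requirements.txt
```

Running a container from either variant and listing its environment shows whether an index URL survived the build; only the commented-out ENV form leaves it there.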