Closed rosskevin closed 6 years ago
Derek add label: proposal
I would accept a PR for an additional --build-arg parameter to be passed to Docker. It would not be a YAML override though. It does raise some issues around when we want to use other services to run a faas-cli build which may not support --build-arg such as some of the interfaces for Moby's Buildkit (used in OpenFaaS Cloud).
FYI: build-time secrets or mounted files are not to my knowledge supported by Docker. A build-arg should be hidden from the final image but you should check this.
This is a show-stopper
This is overly dramatic language so I will give some more context around the various options for building your Node functions with OpenFaaS.
docker build
Any Docker image as long as it has the watchdog will work with OpenFaaS - this gives you 100% of the control on how you build and manage your images and where you do the builds is up to you. Full control.
@LucasRoesler as Contiamo builds his functions via a service he created in Go. It's easy to connect to Docker in Go and issue build statements. Again this would allow you to re-use all the templates and customize it ad infinitum.
In this scenario you build via faas-cli build
but can either use an official template or fork it for your language i.e. TypeScript.
Nothing stops you from wrapping faas-cli as part of a grunt or gulp task or some other process to pull your private npm modules and to place them in the correct place for the build. In fact this is probably your optimum solution outside of a PR.
Related: #262 #355
FYI: build-time secrets or mounted files are not to my knowledge supported by Docker. A build-arg should be hidden from the final image but you should check this.
https://docs.docker.com/engine/reference/commandline/build/
--build-arg | | Set build-time variables
- intent that these are ephemeral and not saved anywhere, therefore docker supports a built time secret through this mechanism. They do not have a vault or any other support for secrets, but this works for the simple cases where a secret is passed via environment variable.
With with official or custom templates
You cannot use with templates with secrets and faas-cli build
if you cannot communicate the secret --build-arg
to docker build
. If you could faas-build --without-docker
then you could follow it up with your own docker build --build-arg
command. Otherwise, using templates means - as I mentioned - replicating the faas-cli build
- which is doable but not desirable.
Unfortunately I'm not a go
developer, proficient to expert in java, ruby, javascript, but not go
- and I've got plenty on my plate so I won't be submitting a PR. I know this subject and am happy to pitch in knowledge and research if someone would like to take this up.
Since I want to use templates, it will be faster for me to replicate the faas-cli build
process externally.
Looks like faas-cli build --shrinkwrap
may be what I'm looking for in terms of merging code with a template (and without docker build
), then I can follow up with custom build commands.
So --shrinkwrap
also looks useful for your use-case.
Unfortunately I'm not a go developer, proficient to expert in java, ruby, javascript, but not go - and I've got plenty on my plate so I won't be submitting a PR. I know this subject and am happy to pitch in knowledge and research if someone would like to take this up.
That would count as a contribution too.
I think the argument can be added reasonably quickly but I would ask for help testing it. Do you think having it only as a CLI argument would suit your use-case?
CLI-only arg is fine. I'm happy to test direct from a fork.
@ross code is pushed up / tested in this branch - https://github.com/openfaas/faas-cli/pull/364
You probably want @rosskevin :grin:
Hey @alexellis - thanks for the work on this. I'm going to pull and try and get this tested now before I leave - will be gone until Monday. Will get back to you shortly.
Fixed and released 👍
Thanks for input from everyone on the thread
@feynmanliang
Users can pass --build-arg
now with arbitrary data and then consume it with an ARG
line inside their Dockerfile.
https://docs.docker.com/engine/reference/builder/#understand-how-arg-and-from-interact
/lock: resolved
Expected Behaviour
faas-cli build
is responsible to for building the docker image amongst other things. To build a docker image that relies on any secret, the recommended way is with--build-arg FOO=${FOO}
.Here is a walkthrough of such a docker image build setup for node and an npm private package: https://docs.npmjs.com/private-modules/docker-and-private-modules
Without a change,
faas-cli build
cannot be used for functions that use both templates and private packages requiring secrets to build.Current Behaviour
Possible Solution
A minimal solution is any
--build-arg
is passed throughfaas-cli build
todocker build
, this prevents secrets from neither being stored in any file nor any docker image layer.Steps to Reproduce (for bugs)
faas-cli build --build-arg NPM_TOKEN=${NPM_TOKEN}
Context
Cannot use openfaas with a private npm package.
This is a show-stopper as far as I know since all our code is private. The only workaround I can think of would be if I manually replicate the
faas-build
process. There may be another alternative but I am not aware of anything that could safely build with a secret. Perhaps going back to a complicated OnVault dockerfile would get it done, but I think this is a solution easily solved by allowing args to be passed through todocker build
in some way.Your Environment
Docker version
docker version
(e.g. Docker 17.0.05 ): 18.03.0Are you using Docker Swarm or Kubernetes (FaaS-netes)? Swarm for dev
Operating System and version (e.g. Linux, Windows, MacOS): MacOS
Link to your project or a code example to reproduce issue: