Open burtonr opened 4 years ago
How Has This Been Tested?
Sorry about that, forgot to update the testing section before submitting. I've edited it and included the steps I took.
Did your package work as expected?
What was the command you used with faas-cli build?
Does docker history --no-trunc <IMAGE> show the contents of the file?
Updated the testing section to show the faas-cli build command used: faas build -f pvt-js11.yml --build-arg NPM_TOKEN=xxxxxxx
The output of docker history only shows the sha of the file, no content. No values of the NPM_TOKEN either:
sha256:6802d30af37ae78af70214a00299e8a54fba5795751dd3a9a368f62288bb2af0 About an hour ago /bin/sh -c #(nop) ARG NPM_TOKEN 0B
sha256:bd3ab33d233c864eb04effcf838bec51c187dae8dba1247253dbcd97d3f22c1e 14 hours ago /bin/sh -c #(nop) WORKDIR /home/app/function 0B
sha256:3e6b0a152dc79b5946b57915115a683994b8fa3bbc75ab44f83d61cbb7a58cb4 14 hours ago /bin/sh -c #(nop) COPY file:0e28bb7d81d3b1f1c6eb84b4b5b28a80771df9193aad14b0dc6466f26af2a3f7 in ./ 868B
sha256:e4693f54845a68de7d87112c0e455902c1c13959ef16d641e607037d803918f8 14 hours ago /bin/sh -c npm i --production 15.3kB
sha256:4333677f57b5b3fcee5532d6bfd015e18efa6a3addc548b61bd52da31a26383e 14 hours ago /bin/sh -c #(nop) COPY file:01ef0af5770d728c999ea083bbba183d61bbb53485bc8855fc0b9548d1a2c581 in ./
How would users pass the build arg? $(cat filename)?
I think that's generally up to the user. It's possible to include it in the .npmrc file, and not use the build-arg. Some may not even need the build arg if they're just using a different registry without needing to authenticate to pull.
Some articles I've read suggest using an environment variable.
The most secure would likely be your suggestion of keeping it in a file and cat-ing it out at build time to keep it out of the environment and terminal history.
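The docker history check discussed above can be scripted. The following is an added example, not code from this PR or from the OpenFaaS templates: scan_history and the two sample histories are hypothetical and constructed, and it relies on Docker recording build args that are in scope of a RUN step as "|<count> NAME=value" in the layer's command.

```shell
#!/bin/sh
# Added example, not part of the PR. scan_history and the sample data are
# hypothetical names; the histories below are constructed, not real output.

# scan_history ARG_NAME [SECRET_VALUE]
# Reads `docker history --no-trunc` text on stdin, reports lines that expose
# the build arg, and returns 1 if any exposure is found (0 if clean).
scan_history() {
    arg_name=$1     # assumed to be a plain identifier such as NPM_TOKEN
    secret=${2:-}   # optional: the literal value to look for
    hist=$(cat)
    rc=0
    # Assumption: a RUN step with build args in scope is recorded as
    # "|<count> NAME=value ... /bin/sh -c <command>".
    pattern="\|[0-9]+ ([A-Za-z_][A-Za-z0-9_]*=[^ ]* )*${arg_name}=[^[:space:]]+"
    if printf '%s\n' "$hist" | grep -E -- "$pattern"; then
        rc=1
    fi
    # Literal value anywhere else in the history. Matched inside the shell so
    # the value is never handed to another process as an argument.
    if [ -n "$secret" ]; then
        case $hist in
            *"$secret"*) echo "literal value of $arg_name found" >&2; rc=1 ;;
        esac
    fi
    return "$rc"
}

# Constructed sample: ARG declared, value never recorded.
SAMPLE_CLEAN='/bin/sh -c #(nop) ARG NPM_TOKEN
/bin/sh -c #(nop) WORKDIR /home/app/function
/bin/sh -c npm i --production'

# Constructed sample: the arg was in scope of the RUN step.
SAMPLE_LEAKY='/bin/sh -c #(nop) ARG NPM_TOKEN
|1 NPM_TOKEN=constructed-token-123 /bin/sh -c npm i --production'

# Demo on the constructed samples.
for sample in "$SAMPLE_CLEAN" "$SAMPLE_LEAKY"; do
    if printf '%s\n' "$sample" | scan_history NPM_TOKEN >/dev/null; then
        echo "no build-arg value recorded"
    else
        echo "build-arg value recorded in history"
    fi
done
```

Against a built image, the input would be the output of docker history --no-trunc <IMAGE> piped into scan_history NPM_TOKEN.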
Description
This change adds an empty .npmrc file to the node templates as well as adding the NPM_TOKEN build arg to allow users to specify a private npm registry, or pass credentials to the templates during the build process.
Use of the NPM_TOKEN build arg means that the credentials are not stored with the images and remain secure once the function is built and deployed.
Using the --build-arg means that the .npmrc file does not need to be removed during the build process, however, if there is concern with keeping the file, it would be trivial to add a RUN rm .npmrc line to the Dockerfiles.
Signed-off-by: Burton Rheutan rheutan7@gmail.com
Motivation and Context
Which issue(s) this PR fixes
Fixes #103
Also, makes permanent the workaround described in the faas issue https://github.com/openfaas/faas/issues/1025
How Has This Been Tested?
Tested this by creating a verdaccio registry, and creating a private package there. Then, created a new function that referenced that package and included the verdaccio registry in the .npmrc file. Invoked the function, and verified the output included the private package's output.
.npmrc file:
packages.json file:
Then, using faas-cli, ran the build with the NPM_TOKEN as a build-arg:
Also, verified that not including the NPM_TOKEN had no effect on the build (only of course if the .npmrc file didn't require it)
Types of changes
Impact to existing users
None, as new templates will include an empty .npmrc file that need not have any content.
Checklist:
git commit -s