openfaas / templates

OpenFaaS Classic templates
https://www.openfaas.com
MIT License

Add support for git tokens, to be used for python dependencies from private git repos, in the main python template. #292

Closed CC007 closed 1 year ago

CC007 commented 2 years ago

Description

This change adds the ability to provide a GIT_TOKEN as a build argument. This git token is then set as an environment variable. Also the pip install code is moved to a builder stage.

Motivation and Context

The reason to make this GIT_TOKEN environment variable available is so that it can be used when adding the following kind of dependency to requirements.txt:

git+https://${GITHUB_TOKEN}@github.com/user/project.git@{version}

Which issue(s) this PR fixes

Fixes openfaas/faas#1723

How Has This Been Tested?

It has been tested by creating a python module in a private GitHub repo (using this video as an instruction). Then I created a python project with a requirements.txt file that uses this private git repo as a dependency.

Types of changes

Impact to existing users

This doesn't have any direct impact on the end users, as the resulting image will contain the same files. The image layers are slightly different though, due to the pip install commands being moved to a builder stage. This has a very small impact on how the layers are cached, but since the default requirements.txt in the template doesn't have any dependencies, this doesn't matter all that much.

Checklist:

derek[bot] commented 2 years ago

Thank you for your contribution. Unfortunately, one or more of your commits are missing the required "Signed-off-by:" statement. Signing off is part of the Developer Certificate of Origin (DCO) which is used by this project.

Read the DCO and project contributing guide carefully, and amend your commits using the git CLI. Note that this does not require any cryptography, keys or special steps to be taken.

:bulb: Shall we fix this?

This will only take a few moments.

First, clone your fork and checkout this branch using the git CLI.

Next, set up your real name and email address:

git config --global user.name "Your Full Name"
git config --global user.email "you@domain.com"

Finally, run one of these commands to add the "Signed-off-by" line to your commits.

If you only have one commit so far then run: git commit --amend --signoff and then git push --force. If you have multiple commits, watch this video.

Check that the message has been added properly by running "git log".

CC007 commented 2 years ago

Hmm, I found this article: https://pythonspeed.com/articles/docker-build-secrets/

Unfortunately build arguments are also embedded in the image [...] Technically you can work around this leak by using multi-stage builds, but that will result in slow builds, so I don’t recommend it.

So it would be safe with a multi-stage build like in this pull request, but it is recommended to use BuildKit's --secret feature instead...

I'm going to look into this, because this will also make sure that C/C++ dependencies like numpy and pandas work out of the box, because there is no need for a builder stage.

Since we are using an alpine-based image, BuildKit should be available, since it works for Linux-based images.
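
The BuildKit secret mount mentioned in the comment above, shown next to the build-argument approach, as an added example that is not part of the pull request or of the OpenFaaS templates. The base image, paths, image tag and the secret id `git_token` are assumptions, and requirements.txt is assumed to reference `${GIT_TOKEN}`.

```dockerfile
# syntax=docker/dockerfile:1
# Added example: base image, paths and the secret id "git_token" are assumptions.
FROM python:3-alpine

# git is needed so pip can fetch git+https:// requirements.
RUN apk add --no-cache git

WORKDIR /home/app
COPY requirements.txt .

# Build-argument variant (the case the quoted article warns about):
#   ARG GIT_TOKEN
#   ENV GIT_TOKEN=${GIT_TOKEN}
#   RUN pip install -r requirements.txt
# The argument value is recorded in the image metadata and shows up in
# `docker history`; the ENV line also exposes it to every container started
# from the image. Only a multi-stage build keeps it out of the final image.

# Secret-mount variant: the token is mounted at /run/secrets/git_token for this
# RUN step only and is not written to a layer or to the image metadata.
# pip expands ${GIT_TOKEN} in requirements.txt from the environment of this step.
RUN --mount=type=secret,id=git_token \
    GIT_TOKEN="$(cat /run/secrets/git_token)" \
    pip install --no-cache-dir -r requirements.txt

# Build with the token read from a file kept outside the build context:
#   DOCKER_BUILDKIT=1 docker build --secret id=git_token,src=$HOME/.git_token -t my-function .
# Check the result: `docker history --no-trunc my-function` should not contain the token.
```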

alexellis commented 1 year ago

Thanks for the suggestions.

We had a customer ask for this, and we implemented it in OpenFaaS Pro

Introducing our new Python template for production.

See also: Private npm modules

alexellis commented 1 year ago

/lock: resolved