New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Kaniko's --build-arg accepts only literal values #713
Comments
Looks like we're facing same issue - kaniko executor does not expand environment variables passed through |
Running into the same issue as well. @osnagovskyi @tassosv how have you worked around this? |
Same issue here, any workaround? |
maybe something like this? using bash as the entrypoint and the |
I'm in fact running kaniko in docker in a bash script like this:
So it is not related to cloud build... |
came across this thread while researching kaniko use on GitLab CI. was concerned this would impact me, but i'm unable to reproduce using the i've posted what i'm using below. hopefully it helps someone
|
Same issue here, prevents us from using kaniko at the moment. |
Same here, only way I could find in order to pass secrets via environment variables is via sh on kaniko:debug for now. Here's how I'm doing it for example, both for using envvars for authenticating against gitlab for my context, but also as buildargs:
|
Any update regarding this? |
We're running into this issue as well, preventing us from using kaniko with cloudbuild securely without major changes to use google's secrets options or something which we don't want to do since we already have a secrets management system. The tool itself is awesome, any updates on whether or not it's being worked would be great. This is essentially what we need to work and its confirmed working with a hardcoded token.
|
I not sure if I'm understanding this issue correctly but here's what I've found test Dockerfile
test script
test command output To me, that seems like it is working.
In general; I think build arg expansion would have to be done by whatever shell is invoking |
@cvgw Build arg in kaniko is working as posix argument. The fact is, docker provides argument expansion. When you specify an argument such as That can be useful in the following context: consider you use kaniko in a ci context (such as gitlab) with a variable set in group/project, containing something like a ssh key as it is mentionned here, either you will have to escape invalid characters, or you could rely on a build argument expansion. I can do a PR to implement it as I've started to do it to use tes it locally. See my commit |
@antechrestos I think adding the short form (argument expansion) that |
Confirmed working ❤️
|
Are you aware that the values of build args are stored in the Docker image history? Anyone with access to the Docker image can inspect the history and extract secrets passed as build args. |
@sisp That is why secrets are encrypted, see original post. |
@ncri Do you mean this one? #713 (comment) I don't see anything about encrypted secrets. How would encrypted secrets passed via build args work? Could you give an example? |
@sisp yes, that one, you can see it here:
So the secret is not passed directly, but encrypted using googles Cloud Key Management Service. The |
@ncri I still don't see how the secret provided to the Docker/Kaniko build process as a build arg should not end up in the Docker image history. To clarify what I mean, let's consider the following example:
Or am I missing something? |
@sisp you might be right, yes, the docker history image will show the decrypted secret. So you still need to take care that you limit access to the images, that are usually placed on the google container registry. The purpose of encrypting the secrets is only to prevent having to check in sensitive data to your code repository. Anyway, might not be the right place to discuss this here. ;-) |
@ncri Okay, thanks for clarifying this. I'll open a separate issue about this problem. |
I just checked the Docker image history of an image built with Kaniko and it seems Kaniko does not add the build arg value to the history. I wonder whether this is intended. I'll open an issue about this difference to |
this worked for me cloudbuild.yaml
and in docker
|
🙏 @Ahmed3laa Genius, this worked for me also 👍 |
Actual behavior
Using encrypted variables is working fine with cloud build image.
Docker also supports copying a value from the environment by just specifying NAME1.
But if I switch to kaniko, it doesn't pass the secret values as a build argument. Kaniko works only when I pass constant value, eg NAME=value.
Expected behavior
Be able to use the same way as docker does, the environment variables on Kaniko
To Reproduce
command:
gcloud builds submit --config=cloudbuild-kaniko.yaml .
Dockerfile:
FROM busybox
ARG THE_SECRET
RUN echo "::${THE_SECRET}::"
cloudbuild-kaniko.yaml:
steps:
name: 'gcr.io/cloud-builders/docker'
entrypoint: "bash"
args: ['-c', 'echo "$$THE_SECRET"']
secretEnv: ['THE_SECRET']
name: 'gcr.io/kaniko-project/executor:latest'
args:
secretEnv: ['THE_SECRET']
secrets:
secretEnv:
THE_SECRET: XXXXXX
The text was updated successfully, but these errors were encountered: