You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This PR changes the opa_tag Docker build argument to the opa_image Docker build argument.
The opa_image build argument allows for arbitrary docker images to be included in the opal standalone client as opposed to only an arbitrary tag. This makes it easier to integrate custom builds of opa within the opal-client by allowing to specify a different docker image repository other than the official openpolicyagent/opa repository. Custom opa builds may be needed for custom opa plugin integration.
This build argument allows for arbitrary docker images to be included in
the opal standalone client. This makes it easier to integrate a custom build
of opa within the opal-client.
This is as secure as the input to the build argument opa_image is.
I understand your concerns, but do not think that this poses a high security risk, given the assumption that the input to the opa_image build argument is correctly parsed.
One thing we could do here though, is to split opa_image into 2 separate build arguments opa_image and opa_tag. opa_image would contain the default string openpolicyagent/opa. opa_tag would contain the default string latest-static.
The docker image reference would then be constructed using docker://${opa_image}:${opa_tag}.
In this way one who only want to change the official opa tag, could only use the opa_tag build argument and is safe again, as the opa_image build argument does not need to be specified and defaults to openpolicyagent/opa.
@orishavit I've added the opa_tag argument again to ensure a more fine grained control over the opa docker image source repository. Any updates on wether this can be merged? Please let me know :)
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This is an improvement on top of #316 .
This PR changes the
opa_tagDocker build argument to theopa_imageDocker build argument.The
opa_imagebuild argument allows for arbitrary docker images to be included in the opal standalone client as opposed to only an arbitrary tag. This makes it easier to integrate custom builds of opa within the opal-client by allowing to specify a different docker image repository other than the officialopenpolicyagent/oparepository. Custom opa builds may be needed for custom opa plugin integration.