feat(giterminism): add build secrets (#6436)
Signed-off-by: Yaroslav Pershin <62902094+iapershin@users.noreply.github.com>
Signed-off-by: Aleksei Igrychev <aleksei.igrychev@palark.com>
Co-authored-by: Aleksei Igrychev <aleksei.igrychev@palark.com>
iapershin and alexey-igrychev authored Nov 25, 2024
1 parent 51ae036 commit 266dc99
Showing 7 changed files with 90 additions and 2 deletions.
5 changes: 5 additions & 0 deletions pkg/config/raw_image_from_dockerfile.go
Expand Up @@ -160,6 +160,11 @@ func (c *rawImageFromDockerfile) toImageFromDockerfileDirective(giterminismManag
return nil, fmt.Errorf("duplicated secret id %s", v)
}

err = secret.InspectByGiterminism(giterminismManager)
if err != nil {
return nil, newDetailedConfigError(err.Error(), nil, c.doc)
}

secretArg, err := secret.GetSecretStringArg()
if err != nil {
return nil, err
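Review bot: The giterminism failure on the `err = secret.InspectByGiterminism(giterminismManager)` line is wrapped with `newDetailedConfigError(..., c.doc)`, while the `GetSecretStringArg` error immediately below is returned bare, so only one of the two secret-validation failures points the user at the offending werf.yaml section. Wrapping both the same way, `return nil, newDetailedConfigError(err.Error(), nil, c.doc)`, keeps the diagnostics consistent. Running the giterminism inspection before the env/file existence check is the right order, since an unlisted secret is refused before the host environment or filesystem is consulted. toImageFromDockerfileDirective begins and ends outside the hunk.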
19 changes: 17 additions & 2 deletions pkg/config/secrets.go
Expand Up @@ -6,11 +6,14 @@ import (
"os"
"path/filepath"
"time"

"github.com/werf/werf/v2/pkg/giterminism_manager"
)

type Secret interface {
GetSecretStringArg() (string, error)
GetSecretId() string
InspectByGiterminism(giterminismManager giterminism_manager.Interface) error
}

type SecretFromEnv struct {
Expand Down Expand Up @@ -60,14 +63,14 @@ func newSecretFromPlainValue(s *rawSecret) (*SecretFromPlainValue, error) {

func (s *SecretFromEnv) GetSecretStringArg() (string, error) {
if _, exists := os.LookupEnv(s.Value); !exists {
return "", fmt.Errorf("specified env variable doesn't exist")
return "", fmt.Errorf("specified secret env %q doesn't exist", s.Value)
}
return fmt.Sprintf("id=%s,env=%s", s.Id, s.Value), nil
}

func (s *SecretFromSrc) GetSecretStringArg() (string, error) {
if _, err := os.Stat(s.Value); errors.Is(err, os.ErrNotExist) {
return "", fmt.Errorf("path %s doesn't exist", s.Value)
return "", fmt.Errorf("specified secret path %s doesn't exist", s.Value)
}
return fmt.Sprintf("id=%s,src=%s", s.Id, s.Value), nil
}
Expand Down Expand Up @@ -109,3 +112,15 @@ func (s *SecretFromSrc) GetSecretId() string {
func (s *SecretFromPlainValue) GetSecretId() string {
return s.Id
}

func (s *SecretFromEnv) InspectByGiterminism(giterminismManager giterminism_manager.Interface) error {
return giterminismManager.Inspector().InspectConfigSecretEnvAccepted(s.Value)
}

func (s *SecretFromSrc) InspectByGiterminism(giterminismManager giterminism_manager.Interface) error {
return giterminismManager.Inspector().InspectConfigSecretSrcAccepted(s.Value)
}

func (s *SecretFromPlainValue) InspectByGiterminism(giterminismManager giterminism_manager.Interface) error {
return nil
}
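Review bot: `SecretFromSrc.InspectByGiterminism` hands `s.Value` to `InspectConfigSecretSrcAccepted` exactly as written in werf.yaml, with no `filepath.Clean` or project-relative normalization, so whether `file`, `./file` and `./sub/../file` count as the same allow-list entry depends entirely on how `isPathMatched` (outside this diff) compares patterns, and the same goes for absolute paths or `..` segments that leave the project directory. Normalizing the checked path and the allow-list entries at the point of comparison, e.g. `filepath.Clean` on both (`path/filepath` is already imported here), makes the allow-list decision independent of spelling; if `isPathMatched` already does this, a comment on `InspectByGiterminism` saying so would spare the next reader the same question. Separately, the reworded messages use `%q` for the env name but `%s` for the path; `%q` in both shows empty or whitespace-bearing values clearly.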
23 changes: 23 additions & 0 deletions pkg/giterminism_manager/config/config.go
Expand Up @@ -5,6 +5,7 @@ import (
"encoding/json"
"fmt"
"regexp"
"slices"
"strings"

"github.com/werf/werf/v2/pkg/path_matcher"
Expand Down Expand Up @@ -100,6 +101,14 @@ func (c Config) UncommittedHelmFilePathMatcher() path_matcher.PathMatcher {
return c.Helm.UncommittedHelmFilePathMatcher()
}

func (c Config) IsConfigSecretEnvAccepted(name string) bool {
return c.Config.Secrets.IsEnvNameAccepted(name)
}

func (c Config) IsConfigSecretSrcAccepted(path string) bool {
return c.Config.Secrets.IsAllowSecretsFileAccepted(path)
}

type cli struct {
AllowCustomTags bool `json:"allowCustomTags"`
}
Expand All @@ -108,6 +117,7 @@ type config struct {
AllowUncommitted bool `json:"allowUncommitted"`
AllowUncommittedTemplates []string `json:"allowUncommittedTemplates"`
GoTemplateRendering goTemplateRendering `json:"goTemplateRendering"`
Secrets secrets `json:"secrets"`
Stapel stapel `json:"stapel"`
Dockerfile dockerfile `json:"dockerfile"`
}
Expand Down Expand Up @@ -208,3 +218,16 @@ func pathMatcher(patterns []string) path_matcher.PathMatcher {
return path_matcher.NewFalsePathMatcher()
}
}

type secrets struct {
AllowEnvVariables []string `json:"allowEnvVariables"`
AllowFiles []string `json:"allowFiles"`
}

func (s *secrets) IsEnvNameAccepted(name string) bool {
return slices.Contains(s.AllowEnvVariables, name)
}

func (s *secrets) IsAllowSecretsFileAccepted(path string) bool {
return isPathMatched(s.AllowFiles, path)
}
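Review bot: The new exported methods `IsConfigSecretEnvAccepted` and `IsConfigSecretSrcAccepted` on `Config` have no doc comments, and the two `secrets` predicates apply different matching rules that a caller cannot see from the names: `IsEnvNameAccepted` is an exact `slices.Contains` match, while `IsAllowSecretsFileAccepted` goes through `isPathMatched`, presumably pattern-based like the other allow lists in this file. Document that, e.g. `// IsConfigSecretEnvAccepted reports whether name is listed verbatim under config.secrets.allowEnvVariables.` and `// IsConfigSecretSrcAccepted reports whether path matches an entry under config.secrets.allowFiles.`, and note on `secrets` that an absent section leaves both lists nil, so nothing is accepted until explicitly listed. `IsAllowSecretsFileAccepted` also does not parallel `IsEnvNameAccepted`; `IsFileAccepted` would match the field it reads.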
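--- a/pkg/giterminism_manager/inspector/config_secrets.go
+++ b/pkg/giterminism_manager/inspector/config_secrets.go
@@ -0,0 +1,33 @@
+package inspector
+
+import (
+"fmt"
+)
+
+var secretsErrMsg = `secret %q is not allowed by giterminism
+Using env and file secrets complicates the sharing and reproducibility of the configuration in CI jobs and among developers.`
+
+func (i Inspector) InspectConfigSecretEnvAccepted(secret string) error {
+if i.sharedOptions.LooseGiterminism() {
+return nil
+}
+
+if i.giterminismConfig.IsConfigSecretEnvAccepted(secret) {
+return nil
+}
+
+return NewExternalDependencyFoundError(fmt.Sprintf(secretsErrMsg, secret))
+}
+
+func (i Inspector) InspectConfigSecretSrcAccepted(secret string) error {
+if i.sharedOptions.LooseGiterminism() {
+return nil
+}
+
+if i.giterminismConfig.IsConfigSecretSrcAccepted(secret) {
+return nil
+}
+
+return NewExternalDependencyFoundError(fmt.Sprintf(secretsErrMsg, secret))
+}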
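Review bot: `InspectConfigSecretEnvAccepted` and `InspectConfigSecretSrcAccepted` are identical apart from the config predicate they call, and both report a rejection with the same `secretsErrMsg`, so the user cannot tell from the message whether an env name or a file path was refused or which allow list to extend. Routing both through one helper that takes the kind label and the predicate removes the duplication and lets the message name the kind; `secretsErrMsg` is a fixed format string and can be a `const` rather than a `var`. The loose-giterminism bypass stays the first check in the helper, so behaviour in loose mode is unchanged.
```go
const secretsErrMsg = `%s secret %q is not allowed by giterminism
Using env and file secrets complicates the sharing and reproducibility of the configuration in CI jobs and among developers.`

func (i Inspector) InspectConfigSecretEnvAccepted(secret string) error {
	return i.inspectSecretAccepted("env", secret, i.giterminismConfig.IsConfigSecretEnvAccepted)
}

func (i Inspector) InspectConfigSecretSrcAccepted(secret string) error {
	return i.inspectSecretAccepted("file", secret, i.giterminismConfig.IsConfigSecretSrcAccepted)
}

// inspectSecretAccepted applies the loose-mode bypass and then the
// giterminism allow list for one kind of secret.
func (i Inspector) inspectSecretAccepted(kind, secret string, accepted func(string) bool) error {
	if i.sharedOptions.LooseGiterminism() {
		return nil
	}
	if accepted(secret) {
		return nil
	}
	return NewExternalDependencyFoundError(fmt.Sprintf(secretsErrMsg, kind, secret))
}
```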
2 changes: 2 additions & 0 deletions pkg/giterminism_manager/inspector/inspector.go
Expand Up @@ -26,6 +26,8 @@ type giterminismConfig interface {
IsConfigStapelMountBuildDirAccepted() bool
IsConfigStapelMountFromPathAccepted(fromPath string) bool
IsConfigDockerfileContextAddFileAccepted(relPath string) bool
IsConfigSecretEnvAccepted(name string) bool
IsConfigSecretSrcAccepted(path string) bool
}

type fileReader interface {
2 changes: 2 additions & 0 deletions pkg/giterminism_manager/interface.go
Expand Up @@ -49,4 +49,6 @@ type Inspector interface {
InspectConfigStapelMountFromPath(fromPath string) error
InspectConfigDockerfileContextAddFile(relPath string) error
InspectBuildContextFiles(ctx context.Context, matcher path_matcher.PathMatcher) error
InspectConfigSecretEnvAccepted(secret string) error
InspectConfigSecretSrcAccepted(secret string) error
}
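Review bot: The two methods added to the `Inspector` interface break the naming pattern of their neighbours: existing entries such as `InspectConfigStapelMountFromPath` and `InspectConfigDockerfileContextAddFile` name the thing inspected, while the `Accepted` suffix on `InspectConfigSecretEnvAccepted` / `InspectConfigSecretSrcAccepted` belongs to the boolean predicates on the giterminism config that they wrap. `InspectConfigSecretEnv(name string) error` and `InspectConfigSecretSrc(path string) error` would fit the interface, and the parameter names would then say what is passed (an env variable name, a file path) instead of the generic `secret`. The same rename would apply to the implementations in pkg/giterminism_manager/inspector/config_secrets.go and the callers in pkg/config/secrets.go within this commit.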
8 changes: 8 additions & 0 deletions test/e2e/build/_fixtures/simple/state1/werf-giterminism.yaml
@@ -0,0 +1,8 @@
giterminismConfigVersion: 1

config:
secrets:
allowEnvVariables:
- "ENV_SECRET"
allowFiles:
- "./file"
