feat(build): add clearUser and clearWorkingDir options to imageSpec config (#6759)

Signed-off-by: Yaroslav Pershin <62902094+iapershin@users.noreply.github.com>
Co-authored-by: Aleksei Igrychev <aleksei.igrychev@palark.com>

Author: iapershin

Diff for: docs/_data/werf_yaml.yml

@@ -425,7 +425,7 @@ sections:
                   ru: Список переменных окружения для добавления
                 detailsLink: "https://docs.docker.com/engine/reference/builder/#env"
               - name: removeEnv
-                value: "[string, ...]"
+                value: "[ string || /REGEXP/, ... ]"
                 description:
                   en: List of environment variables to remove
                   ru: Список переменных окружения для удаления

Diff for: pkg/build/stage/image_spec.go

@@ -39,10 +39,10 @@ func GenerateImageSpecStage(imageSpec *config.ImageSpec, baseStageOptions *BaseS
 }
 
 func newImageSpecStage(imageSpec *config.ImageSpec, baseStageOptions *BaseStageOptions) *ImageSpecStage {
-	s := &ImageSpecStage{}
-	s.imageSpec = imageSpec
-	s.BaseStage = NewBaseStage(ImageSpec, baseStageOptions)
-	return s
+	return &ImageSpecStage{
+		imageSpec: imageSpec,
+		BaseStage: NewBaseStage(ImageSpec, baseStageOptions),
+	}
 }
 
 func (s *ImageSpecStage) IsBuildable() bool {
@@ -56,67 +56,55 @@ func (s *ImageSpecStage) IsMutable() bool {
 func (s *ImageSpecStage) PrepareImage(ctx context.Context, _ Conveyor, _ container_backend.ContainerBackend, prevBuiltImage, stageImage *StageImage, _ container_backend.BuildContextArchiver) error {
 	if s.imageSpec != nil {
 		imageInfo := prevBuiltImage.Image.GetStageDesc().Info
+		newConfig := s.baseConfig()
 
-		newConfig := image.Config{
-			Author:     s.imageSpec.Author,
-			User:       s.imageSpec.User,
-			Entrypoint: s.imageSpec.Entrypoint,
-			Cmd:        s.imageSpec.Cmd,
-			WorkingDir: s.imageSpec.WorkingDir,
-			StopSignal: s.imageSpec.StopSignal,
-		}
-
-		// Entrypoint and Cmd handling.
 		{
-			// If CMD is defined from the base image, setting ENTRYPOINT will reset CMD to an empty value.
-			// In this scenario, CMD must be defined in the current image to have a value.
-			// rel https://docs.docker.com/reference/dockerfile/#understand-how-cmd-and-entrypoint-interact
-			if s.imageSpec.Entrypoint != nil {
-				newConfig.Entrypoint = s.imageSpec.Entrypoint
-				if s.imageSpec.Cmd == nil {
-					newConfig.ClearCmd = true
-				}
-			}
-
-			if s.imageSpec.Cmd != nil {
-				newConfig.Cmd = s.imageSpec.Cmd
+			// labels
+			resultLabels, err := s.modifyLabels(ctx, imageInfo.Labels, s.imageSpec.Labels, s.imageSpec.RemoveLabels, s.imageSpec.KeepEssentialWerfLabels)
+			if err != nil {
+				return fmt.Errorf("unable to modify labels: %s", err)
 			}
-
-			newConfig.ClearCmd = newConfig.ClearCmd || s.imageSpec.ClearCmd
-			newConfig.ClearEntrypoint = newConfig.ClearEntrypoint || s.imageSpec.ClearEntrypoint
+			newConfig.Labels = resultLabels
 		}
 
-		resultLabels, err := s.modifyLabels(ctx, imageInfo.Labels, s.imageSpec.Labels, s.imageSpec.RemoveLabels, s.imageSpec.KeepEssentialWerfLabels)
-		if err != nil {
-			return fmt.Errorf("unable to modify labels: %s", err)
+		{
+			// envs
+			resultEnvs, err := modifyEnv(imageInfo.Env, s.imageSpec.RemoveEnv, s.imageSpec.Env)
+			if err != nil {
+				return fmt.Errorf("unable to modify env: %w", err)
+			}
+			newConfig.Env = resultEnvs
 		}
 
-		newConfig.Labels = resultLabels
-		newConfig.Env, err = modifyEnv(imageInfo.Env, s.imageSpec.RemoveEnv, s.imageSpec.Env)
-		if err != nil {
-			return fmt.Errorf("unable to modify env: %w", err)
+		{
+			// volumes
+			newConfig.Volumes = modifyVolumes(imageInfo.Volumes, s.imageSpec.RemoveVolumes, s.imageSpec.Volumes)
 		}
-		newConfig.Volumes = modifyVolumes(imageInfo.Volumes, s.imageSpec.RemoveVolumes, s.imageSpec.Volumes)
 
-		if s.imageSpec.Expose != nil {
-			newConfig.ExposedPorts = make(map[string]struct{}, len(s.imageSpec.Expose))
-			for _, expose := range s.imageSpec.Expose {
-				newConfig.ExposedPorts[expose] = struct{}{}
+		{
+			// expose
+			if s.imageSpec.Expose != nil {
+				newConfig.ExposedPorts = make(map[string]struct{}, len(s.imageSpec.Expose))
+				for _, expose := range s.imageSpec.Expose {
+					newConfig.ExposedPorts[expose] = struct{}{}
+				}
 			}
 		}
 
-		if s.imageSpec.Healthcheck != nil {
-			newConfig.HealthConfig = &image.HealthConfig{
-				Test:        s.imageSpec.Healthcheck.Test,
-				Interval:    toDuration(s.imageSpec.Healthcheck.Interval),
-				Timeout:     toDuration(s.imageSpec.Healthcheck.Timeout),
-				StartPeriod: toDuration(s.imageSpec.Healthcheck.StartPeriod),
-				Retries:     s.imageSpec.Healthcheck.Retries,
+		{
+			// healthcheck
+			if s.imageSpec.Healthcheck != nil {
+				newConfig.HealthConfig = &image.HealthConfig{
+					Test:        s.imageSpec.Healthcheck.Test,
+					Interval:    toDuration(s.imageSpec.Healthcheck.Interval),
+					Timeout:     toDuration(s.imageSpec.Healthcheck.Timeout),
+					StartPeriod: toDuration(s.imageSpec.Healthcheck.StartPeriod),
+					Retries:     s.imageSpec.Healthcheck.Retries,
+				}
 			}
 		}
 
-		newConfig.ClearHistory = s.imageSpec.ClearHistory
-
+		// set config
 		stageImage.Image.SetImageSpecConfig(&newConfig)
 	}
 
@@ -150,72 +138,79 @@ func (s *ImageSpecStage) GetDependencies(_ context.Context, _ Conveyor, _ contai
 	args = append(args, s.imageSpec.StopSignal)
 	args = append(args, fmt.Sprint(s.imageSpec.Healthcheck))
 
-	return util.Sha256Hash(args...), nil
-}
-
-func (s *ImageSpecStage) modifyLabels(ctx context.Context, labels, addLabels map[string]string, removeLabels []string, keepEssentialWerfLabels bool) (map[string]string, error) {
-	if labels == nil {
-		labels = make(map[string]string)
+	if s.imageSpec.ClearUser {
+		args = append(args, fmt.Sprint(s.imageSpec.ClearUser))
 	}
 
-	serviceLabels := s.stageImage.Image.GetBuildServiceLabels()
-	labels = util.MergeMaps(labels, serviceLabels)
-
-	processedAddLabels := make(map[string]string, len(addLabels))
-	data := labelsTemplateData{
-		Project: s.projectName,
-		Image:   s.imageName,
+	if s.imageSpec.ClearWorkingDir {
+		args = append(args, fmt.Sprint(s.imageSpec.ClearWorkingDir))
 	}
 
-	for key, value := range addLabels {
-		newKey, newValue, err := replaceLabelTemplate(key, value, data)
-		if err != nil {
-			return nil, err
-		}
-		processedAddLabels[newKey] = newValue
+	if s.imageSpec.KeepEssentialWerfLabels {
+		args = append(args, fmt.Sprint(s.imageSpec.KeepEssentialWerfLabels))
 	}
 
-	labels = util.MergeMaps(labels, processedAddLabels)
+	return util.Sha256Hash(args...), nil
+}
 
-	exactMatches := make(map[string]struct{})
-	var regexPatterns []*regexp.Regexp
+func (s *ImageSpecStage) baseConfig() image.Config {
+	newConfig := image.Config{
+		Author:          s.imageSpec.Author,
+		User:            s.imageSpec.User,
+		Entrypoint:      s.imageSpec.Entrypoint,
+		Cmd:             s.imageSpec.Cmd,
+		WorkingDir:      s.imageSpec.WorkingDir,
+		StopSignal:      s.imageSpec.StopSignal,
+		ClearHistory:    s.imageSpec.ClearHistory,
+		ClearUser:       s.imageSpec.ClearUser,
+		ClearWorkingDir: s.imageSpec.ClearWorkingDir,
+	}
 
-	for _, pattern := range removeLabels {
-		if strings.HasPrefix(pattern, "/") && strings.HasSuffix(pattern, "/") {
-			expr := fmt.Sprintf("^%s$", pattern[1:len(pattern)-1])
-			re, err := regexp.Compile(expr)
-			if err != nil {
-				return nil, err
+	// Entrypoint and Cmd handling.
+	{
+		// If CMD is defined from the base image, setting ENTRYPOINT will reset CMD to an empty value.
+		// In this scenario, CMD must be defined in the current image to have a value.
+		// rel https://docs.docker.com/reference/dockerfile/#understand-how-cmd-and-entrypoint-interact
+		if s.imageSpec.Entrypoint != nil {
+			newConfig.Entrypoint = s.imageSpec.Entrypoint
+			if s.imageSpec.Cmd == nil {
+				newConfig.ClearCmd = true
 			}
-			regexPatterns = append(regexPatterns, re)
-		} else {
-			exactMatches[pattern] = struct{}{}
 		}
-	}
 
-	matchFunc := func(key string) bool {
-		if _, found := exactMatches[key]; found {
-			return true
+		if s.imageSpec.Cmd != nil {
+			newConfig.Cmd = s.imageSpec.Cmd
 		}
-		for _, re := range regexPatterns {
-			if re.MatchString(key) {
-				return true
-			}
-		}
-		return false
+
+		newConfig.ClearCmd = newConfig.ClearCmd || s.imageSpec.ClearCmd
+		newConfig.ClearEntrypoint = newConfig.ClearEntrypoint || s.imageSpec.ClearEntrypoint
+	}
+	return newConfig
+}
+
+func (s *ImageSpecStage) modifyLabels(ctx context.Context, labels, addLabels map[string]string, removeLabels []string, keepEssentialWerfLabels bool) (map[string]string, error) {
+	if labels == nil {
+		labels = make(map[string]string)
+	}
+
+	serviceLabels := s.stageImage.Image.GetBuildServiceLabels()
+	labels = util.MergeMaps(labels, serviceLabels)
+
+	exactMatches, regexPatterns, err := compileRemovePatterns(removeLabels)
+	if err != nil {
+		return nil, err
 	}
 
 	shouldPrintGlobalWarn := false
 	for key := range labels {
-		if !matchFunc(key) {
+		if !matchKey(key, exactMatches, regexPatterns) {
 			continue
 		}
 
 		if key == image.WerfLabel || key == image.WerfParentStageID {
 			if !keepEssentialWerfLabels {
 				shouldPrintGlobalWarn = true
 			}
-
 			continue
 		}
 
@@ -226,6 +221,22 @@ func (s *ImageSpecStage) modifyLabels(ctx context.Context, labels, addLabels map
 		global_warnings.GlobalWarningLn(ctx, werfLabelsGlobalWarning)
 	}
 
+	processedAddLabels := make(map[string]string, len(addLabels))
+	data := labelsTemplateData{
+		Project: s.projectName,
+		Image:   s.imageName,
+	}
+
+	for key, value := range addLabels {
+		newKey, newValue, err := replaceLabelTemplate(key, value, data)
+		if err != nil {
+			return nil, err
+		}
+		processedAddLabels[newKey] = newValue
+	}
+
+	labels = util.MergeMaps(labels, processedAddLabels)
+
 	return labels, nil
 }
 
@@ -281,11 +292,17 @@ func modifyEnv(env, removeKeys []string, addKeysMap map[string]string) ([]string
 		"WERF_COMMIT_TIME_UNIX",
 	}...)
 
-	for _, key := range removeKeys {
-		delete(baseEnvMap, key)
+	exactMatches, regexPatterns, err := compileRemovePatterns(removeKeys)
+	if err != nil {
+		return nil, err
+	}
+
+	for key := range baseEnvMap {
+		if matchKey(key, exactMatches, regexPatterns) {
+			delete(baseEnvMap, key)
+		}
 	}
 
-	// FIXME: (v3) This is a temporary solution to remove werf SSH_AUTH_SOCK that persist after build.
 	if envValue, hasEnv := baseEnvMap[ssh_agent.SSHAuthSockEnv]; hasEnv && envValue == container_backend.SSHContainerAuthSockPath {
 		delete(baseEnvMap, ssh_agent.SSHAuthSockEnv)
 	}
@@ -330,3 +347,35 @@ func sortSliceWithNewSlice(original []string) []string {
 func toDuration(seconds int) time.Duration {
 	return time.Duration(seconds) * time.Second
 }
+
+func compileRemovePatterns(removePatterns []string) (map[string]struct{}, []*regexp.Regexp, error) {
+	exactMatches := make(map[string]struct{})
+	var regexPatterns []*regexp.Regexp
+
+	for _, pattern := range removePatterns {
+		if strings.HasPrefix(pattern, "/") && strings.HasSuffix(pattern, "/") {
+			expr := fmt.Sprintf("^%s$", pattern[1:len(pattern)-1])
+			re, err := regexp.Compile(expr)
+			if err != nil {
+				return nil, nil, err
+			}
+			regexPatterns = append(regexPatterns, re)
+		} else {
+			exactMatches[pattern] = struct{}{}
+		}
+	}
+
+	return exactMatches, regexPatterns, nil
+}
+
+func matchKey(key string, exactMatches map[string]struct{}, regexPatterns []*regexp.Regexp) bool {
+	if _, found := exactMatches[key]; found {
+		return true
+	}
+	for _, re := range regexPatterns {
+		if re.MatchString(key) {
+			return true
+		}
+	}
+	return false
+}