Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[v0.19.0] bake: cache-to/cache-from attributes output credentials with --print #2823

Open
crazy-max opened this issue Nov 27, 2024 · 1 comment · May be fixed by #2827
Open

[v0.19.0] bake: cache-to/cache-from attributes output credentials with --print #2823

crazy-max opened this issue Nov 27, 2024 · 1 comment · May be fixed by #2827
Assignees
@jsternberg
Labels
area/bake kind/bug Something isn't working
Milestone
v0.20.0

Comments

@crazy-max
Copy link
Member

crazy-max commented Nov 27, 2024
edited
Loading

also related to #2758

Give the following definition:

target "default" {
  cache-from = [
    "type=s3,region=eu-west-1,bucket=mybucket"
  ]
  cache-to = [
    "type=s3,region=eu-west-1,bucket=mybucket",
    "type=inline"
  ]
}

And using --print flag to output canonical representation:

$ AWS_ACCESS_KEY_ID=foo AWS_SECRET_ACCESS_KEY=bar docker buildx bake --print
#1 [internal] load local bake definitions
#1 reading docker-bake.hcl 266B / 266B done
#1 DONE 0.0s
{
  "target": {
    "default": {
      "context": ".",
      "dockerfile": "Dockerfile",
      "cache-from": [
        {
          "access_key_id": "[REDACTED]",
          "bucket": "mybucket",
          "region": "eu-west-1",
          "secret_access_key": "[REDACTED]",
          "type": "s3"
        },
        {
          "ref": "user/repo:cache",
          "type": "registry"
        }
      ],
      "cache-to": [
        {
          "access_key_id": "[REDACTED]",
          "bucket": "mybucket",
          "region": "eu-west-1",
          "secret_access_key": "[REDACTED]",
          "type": "s3"
        },
        {
          "type": "inline"
        }
      ],
      "output": [
        {
          "type": "cacheonly"
        }
      ]
    }
  }
}

It prints the credentials where it should not (marked as [REDACTED].

With previous release:

$ AWS_ACCESS_KEY_ID=foo AWS_SECRET_ACCESS_KEY=bar docker buildx bake --print
#1 [internal] load local bake definitions
#1 reading ./__tests__/.fixtures/bake-03.hcl 266B / 266B done
#1 DONE 0.0s
{
  "target": {
    "default": {
      "context": ".",
      "dockerfile": "Dockerfile",
      "cache-from": [
        "type=s3,region=eu-west-1,bucket=mybucket",
        "user/repo:cache"
      ],
      "cache-to": [
        "type=s3,region=eu-west-1,bucket=mybucket",
        "type=inline"
      ],
      "output": [
        "type=cacheonly"
      ]
    }
  }
}

Didn't check if secret attributes behaves in a similar way.
@crazy-max crazy-max added area/bake kind/bug Something isn't working labels Nov 27, 2024
@crazy-max crazy-max added this to the v0.19.1 milestone Nov 27, 2024
@crazy-max
Copy link
Member Author

Seems related to

buildx/util/buildflags/cache.go

Lines 119 to 120 in 71c7889

addGithubToken(e)
addAwsCredentials(e)

@crazy-max crazy-max changed the title bake: cache-to/cache-from attributes output credentials with --print since Buildx 0.19.0 [v0.19.0] bake: cache-to/cache-from attributes output credentials with --print Nov 27, 2024
@crazy-max crazy-max mentioned this issue Nov 27, 2024
Merged
@thompson-shaun thompson-shaun modified the milestones: v0.19.1, v0.20.0 Nov 27, 2024
This was referenced Nov 28, 2024
Draft
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jsternberg jsternberg

Labels
area/bake kind/bug Something isn't working
Projects
None yet
Milestone
v0.20.0
Development

Successfully merging a pull request may close this issue.

bake: handle derived attributes crazy-max/buildx
3 participants
@jsternberg @crazy-max @thompson-shaun