bake: cache-from/cache-to options no longer print sensitive values #2833
Conversation
jsternberg
force-pushed
the
bake-cache-sensitive-attrs
branch
6 times, most recently
from
c15110e to
7a8ebdc
Compare
bake/hcl_test.go
Outdated
| @@ -674,7 +674,7 @@ func TestHCLAttrsCapsuleTypeVars(t *testing.T) { | |||
| output = [ "type=oci,dest=../${foo}.tar" ] | |||
|
|
|||
| secret = [ | |||
| { id = target.app.output[0].type, src = "/local/secret" }, | |||
| { id = target.app.output[0].type, src = "/${target.app.cache-from[1].type}/secret" }, | |||
There was a problem hiding this comment.
@dvdksn I'm not sure we have examples showing how to reference attributes. I think the example with cache-to = [ target.app.cache-from[0] ] is a good one.
There was a problem hiding this comment.
We have a simpler example: https://docs.docker.com/build/bake/inheritance/#reusing-single-attributes-from-targets
We don't show interpolation though, maybe we should
|
I'm going to put this into draft. I have a more complete fix for this but it'll also involve other changes. |
jsternberg
force-pushed
the
bake-cache-sensitive-attrs
branch
from
7a8ebdc to
71d0415
Compare
|
Updated this PR pretty significantly. I figured out how to make the And implement the custom logic with that. This took away some of the previous indirection that was making the code very difficult to deal with. Now the JSON marshaling will correctly skip empty slices and the cty value stuff works without exposing the system to null values. I'm planning to extend this to the other ones too. I mostly ran into issues when I was trying to take the original approach in this PR and apply it to the outputs. It became too difficult to deal with all of the potential null locations. |
jsternberg
force-pushed
the
bake-cache-sensitive-attrs
branch
2 times, most recently
from
829e633 to
45ae61e
Compare
This refactors how the cache-from/cache-to composable attributes work so they no longer print sensitive values that are automatically added. This also expands the available syntax that works with the cache options. It is now possible to interleave the csv syntax with the object syntax without any problems. The canonical form is still the object syntax and variables are resolved according to that syntax. `cache-from` and `cache-to` now correctly ignore empty string inputs so these can be used with variables. Signed-off-by: Jonathan A. Sternberg <[email protected]>
jsternberg
force-pushed
the
bake-cache-sensitive-attrs
branch
from
45ae61e to
59fa21a
Compare
|
Batching in this change with some other fixes too in #2814. I'll close this one. |
This refactors how the cache-from/cache-to composable attributes work so they no longer print sensitive values that are automatically added.
This also expands the available syntax that works with the cache options. It is now possible to interleave the csv syntax with the object syntax without any problems. The canonical form is still the object syntax and variables are resolved according to that syntax.
cache-fromandcache-tonow correctly ignore empty string inputs so these can be used with variables.Fixes #2823.
Partial fix for #2822.