Drone/drone-kaniko plugin build_args

Using drone/drone-kaniko I get a weird error/bug.

When I set it up in the pipeline like this:

- name: 🔨🐳 build rust-nightly-alpine
  image: plugins/kaniko
  settings:
    username:
      from_secret: harbor_name
    password:
      from_secret: harbor_token
    context: .
    verbosity: info
    registry: hub.docker.io
    dockerfile: rust/builder/Alpine.dockerfile
    repo: some/repo
    tags: rust-nightly-alpine
    no_push: true
    build_args:
      CREATED:
      VERSION:
      GIT_REF: ${DRONE_COMMIT_SHA:0:7}
      GITEA_TOKEN:
          from_secret: gitea_token
      RUST_VERSION: nightly

Then kaniko is run with the following command:

/kaniko/executor --dockerfile=rust/builder/Alpine.dockerfile --context=dir://. --build-arg={"CREATED":null --build-arg="GITEA_TOKEN":{"from_secret":"gitea_token"} --build-arg="GIT_REF":null --build-arg="RUST_VERSION":"nightly" --build-arg="VERSION":null} --digest-file=/kaniko/digest-file --no-push --verbosity=info

If you take a closer look, you will see that the first --build-arg starts with a { and all following --build-args are then actually inside that “object/map”, because the closing } is after the last --build-arg.

Is this a bug, or what am I doing wrong here? :sweat_smile:

I believe the Kaniko plugin is based on the docker plugin. In the docker plugin build_args is an array, where each array item is in key=value format. Here is an example from the docker docs:

steps:
- name: docker  
  image: plugins/docker
  settings:
    username: kevinbacon
    password: pa55word
    repo: foo/bar
    build_args:
      - HTTP_PROXY=http://yourproxy.com

I am guessing the problem with your example is that build_args is a map structure as opposed to an array, and changing to an array would solve the problem.

Yeah, that would work, but that way I cannot use from_secret.
Would it be possible to change the plugin to accept both, array and map, for build_args?

I cannot speak to changing this particular plugin, but you can use it with from_secret. You just need to supply the entire value as a secret:

steps:
  - name: docker  
    image: plugins/docker
    settings:
      username: kevinbacon
      password: pa55word
      repo: foo/bar
      build_args:
+       from_secret: my-secret

Since the secret is a string you would need to format the value as a comma-separated string of key-value items, like this:

FOO=BAR,BAZ=QUX

Ok, thx for the info, nice to know that it is possible, but…that is more of a hack, because that way I would move all build-args into a secret, which nobody can inspect anymore and which has no version control.

I came here because the repo has no issue tracker and is under the drone organization. I think @shubham is the maintainer? So @shubham what do you think about making build-args work with an array and a map?

from_secret only works with top level keys, meaning this works:

settings:
  foo:
    from_secret: bar

but this does not work:

settings:
  foo:
    bar:
      from_secret: baz

This is a limitation of Drone, not a limitation of the plugin itself. So even if the plugin were modified to accept nested input, you would still need a workaround to inject your secrets.
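An added example, not part of the thread and not the plugin's own code: it reproduces the broken --build-arg flags from the question and lints a build_args value for items that are not KEY=VALUE or that still carry an unresolved from_secret. It assumes that a map setting reaches the plugin as one JSON-encoded string and that the plugin splits that string on commas; all function names are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample: the build_args map from the question. GIT_REF is nil
// because the executor command in the thread shows it as null.
var mapSetting = map[string]interface{}{
	"CREATED": nil, "VERSION": nil, "GIT_REF": nil,
	"GITEA_TOKEN":  map[string]interface{}{"from_secret": "gitea_token"},
	"RUST_VERSION": "nightly",
}

// encodeSetting: assumption that a map setting reaches the plugin as one
// JSON-encoded string (json.Marshal emits map keys in sorted order).
func encodeSetting(v interface{}) string {
	b, _ := json.Marshal(v)
	return string(b)
}

// splitArgs: assumption that the plugin reads a comma-separated list.
func splitArgs(value string) []string { return strings.Split(value, ",") }

var keyValue = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*=`)

// lintBuildArgs reports items that are not KEY=VALUE or that still carry a
// from_secret reference instead of the secret's value.
func lintBuildArgs(items []string) []string {
	var findings []string
	for _, item := range items {
		switch {
		case strings.Contains(item, "from_secret"):
			findings = append(findings, "unresolved from_secret: "+item)
		case !keyValue.MatchString(item):
			findings = append(findings, "not KEY=VALUE: "+item)
		}
	}
	return findings
}

func main() {
	items := splitArgs(encodeSetting(mapSetting))
	fmt.Println("--build-arg=" + strings.Join(items, "\n--build-arg="))
	fmt.Println(lintBuildArgs(items), lintBuildArgs(splitArgs("FOO=BAR,BAZ=QUX")))
}
```

Under these assumptions the map form yields exactly the five fragments seen in the executor command, and the GITEA_TOKEN fragment contains the literal from_secret reference rather than the token.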

Oh…hm…would this be something you could consider adding to Drone? Or is it too complicated to implement?