add --with-env flag to publish command #12482
Conversation
|
@aevesdocker can you check if the new error message is ok for you? 😇 🙏 |
|
@ndeloof I wonder if we should not just set all env variables to empty strings when publishing? 🤔 |
this flag allow publishing env variables in the Compose OCI artifact Signed-off-by: Guillaume Lours <[email protected]>
glours
force-pushed
the
add-with-env-flag-publish
branch
from
beb234e to
72bde6f
Compare
| " or remove sensitive data from your Compose configuration", service.Name) | ||
| } | ||
| if len(service.Environment) > 0 { | ||
| return fmt.Errorf("service %q has environment variable(s) declared. To avoid leaking sensitive data, "+ |
There was a problem hiding this comment.
service.environment may be set with a fixed value, not relying on any interpolation. Typically:
db:
image: mysql
environment:
MYSQL_DATABASE: avatar
MYSQL_ROOT_PASSWORD_FILE: /run/secrets/db-password
those should not prevent compose file to be published, right ?
There was a problem hiding this comment.
In fact yes that should prevent from publishing by default because you can also have MYSQL_ROOT_PASSWORD: mySuperSecretPassword defined the same way
There was a problem hiding this comment.
I wonder the approach is correct.
IIUC the goal is to detect the compose file doesn't require env var to be set by user / risk user environment to leak. To prevent this, better load the compose model without any variable passed to interpolation, which will fail if some is needed.
this flag allow publishing env variables in the Compose OCI artifact
What I did
Add
--with-envflag to let user explicitly optin the publication of env variables in the OCI artifactRelated issue
https://docker.atlassian.net/browse/COMP-873
(not mandatory) A picture of a cute animal, if possible in relation to what you did
