5 changes: 5 additions & 0 deletions bake/bake.go
Expand Up @@ -1145,6 +1145,11 @@ func toBuildOpt(t *Target, inp *Input) (*build.Options, error) {
}
bo.Attests = controllerapi.CreateAttestations(attests)

bo.SourcePolicy, err = build.ReadSourcePolicy()
if err != nil {
return nil, err
}

return bo, nil
}

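Review bot: ReadSourcePolicy is invoked inside toBuildOpt, so if that function runs once per bake target (its start is outside the hunk) the file named by EXPERIMENTAL_BUILDKIT_SOURCE_POLICY is opened and parsed once per target, and a file rewritten mid-run could leave different targets under different policies. Reading the policy once in the caller and handing the resulting `*spb.Policy` to toBuildOpt (or caching it on `Input`) would keep every target on the same policy and drop the repeated I/O. If per-target reading is intentional, a comment above the call such as `// Source policy comes from the environment, so it applies uniformly to every target in this bake.` would record that.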
32 changes: 30 additions & 2 deletions build/build.go
Expand Up @@ -46,6 +46,7 @@ import (
"github.com/moby/buildkit/session/upload/uploadprovider"
"github.com/moby/buildkit/solver/errdefs"
"github.com/moby/buildkit/solver/pb"
spb "github.com/moby/buildkit/sourcepolicy/pb"
"github.com/moby/buildkit/util/apicaps"
"github.com/moby/buildkit/util/entitlements"
"github.com/moby/buildkit/util/progress/progresswriter"
Expand Down Expand Up @@ -92,8 +93,9 @@ type Options struct {
Session []session.Attachable

// Linked marks this target as exclusively linked (not requested by the user).
Linked bool
PrintFunc *PrintFunc
Linked bool
PrintFunc *PrintFunc
SourcePolicy *spb.Policy
}

type PrintFunc struct {
Expand Down Expand Up @@ -427,6 +429,7 @@ func toSolveOpt(ctx context.Context, node builder.Node, multiDriver bool, opt Op
CacheExports: cacheTo,
CacheImports: cacheFrom,
AllowedEntitlements: opt.Allow,
SourcePolicy: opt.SourcePolicy,
}

if opt.CgroupParent != "" {
Expand Down Expand Up @@ -1661,3 +1664,28 @@ func saveLocalState(so client.SolveOpt, opt Options, node builder.Node, configDi

return nil
}

// ReadSourcePolicy reads a source policy from a file.
// The file path is taken from EXPERIMENTAL_BUILDKIT_SOURCE_POLICY env var.
// if the env var is not set, this `returns nil, nil`
func ReadSourcePolicy() (*spb.Policy, error) {
p := os.Getenv("EXPERIMENTAL_BUILDKIT_SOURCE_POLICY")
if p == "" {
return nil, nil
}

data, err := os.ReadFile(p)
Comment on lines +1672 to +1677
Contributor

If I wanted to update this to also allow passing the policy itself via environment variable,

  1. would such a change be considered?

  2. should that be implemented with this same variable (some kind of fallback either after reading the file or after trying to parse the JSON string?) or via a different variable?

😇

Member

would such a change be considered?

I think this could be a bit messy to pass a big json/proto value with env. Any other option that would avoid creating temp file if that is the issue?

@cpuguy83

Contributor

I guess something like EXPERIMENTAL_BUILDKIT_SOURCE_POLICY=<(... generate policy here ...) docker buildx build ... would probably work, given we read the entire file all at once and don't make any assumptions about it being an actual file (like trying to seek or something).

if err != nil {
return nil, errors.Wrap(err, "failed to read policy file")
}
var pol spb.Policy
if err := json.Unmarshal(data, &pol); err != nil {
// maybe it's in protobuf format?
e2 := pol.Unmarshal(data)
if e2 != nil {
return nil, errors.Wrap(err, "failed to parse source policy")
}
}

return &pol, nil
}
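Review bot: The JSON-then-protobuf fallback in ReadSourcePolicy fails open on bad input: protobuf decoders accept an empty byte string as a valid empty message, so an empty policy file (and, for some byte sequences, a malformed one) makes json.Unmarshal fail, lets `pol.Unmarshal(data)` succeed, and returns a policy with no rules — the user believes sources are constrained while the build proceeds unrestricted. Because this is a security control, the parser should reject empty input, not fall back to protobuf when the bytes look like JSON (a leading `{`), and report the protobuf error when that path is the one that failed — the current `errors.Wrap(err, ...)` on the final return wraps the JSON error and discards `e2`. The fallback should also start from a clean message, since a partially failed JSON decode may already have populated `pol`. This needs `bytes` in the file's import block if it is not already there; the rewritten tail of the function follows.
```go
// … unchanged: env lookup and os.ReadFile …
trimmed := bytes.TrimSpace(data)
if len(trimmed) == 0 {
	return nil, errors.Errorf("source policy file %q is empty", p)
}
var pol spb.Policy
if err := json.Unmarshal(data, &pol); err != nil {
	if trimmed[0] == '{' {
		// Looks like JSON: surface the JSON error rather than silently
		// retrying as protobuf, which could accept the bytes as an empty policy.
		return nil, errors.Wrap(err, "failed to parse source policy as JSON")
	}
	pol.Reset() // discard anything the failed JSON decode left behind
	if e2 := pol.Unmarshal(data); e2 != nil {
		return nil, errors.Wrapf(e2, "failed to parse source policy as protobuf (JSON error: %v)", err)
	}
}
return &pol, nil
```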
5 changes: 5 additions & 0 deletions commands/build.go
Expand Up @@ -128,6 +128,11 @@ func (o *buildOptions) toControllerOptions() (*controllerapi.BuildOptions, error
}
}

opts.SourcePolicy, err = build.ReadSourcePolicy()
if err != nil {
return nil, err
}

inAttests := append([]string{}, o.attests...)
if o.provenance != "" {
inAttests = append(inAttests, buildflags.CanonicalizeAttest("provenance", o.provenance))
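Review bot: Nothing in this hunk tells the user that a source policy was loaded from EXPERIMENTAL_BUILDKIT_SOURCE_POLICY, so a misspelled variable name silently builds with no policy and a correctly set one gives no confirmation that sources are being constrained. Since the policy is a security control, a one-line informational message when `opts.SourcePolicy != nil` (via whatever logger this file already uses; the enclosing function starts outside the hunk) would make enforcement visible in the build output and make the silent no-policy case easier to notice.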
2 changes: 2 additions & 0 deletions controller/build/build.go
Expand Up @@ -136,6 +136,8 @@ func RunBuild(ctx context.Context, dockerCli command.Cli, in controllerapi.Build

opts.Attests = controllerapi.CreateAttestations(in.Attests)

opts.SourcePolicy = in.SourcePolicy

allow, err := buildflags.ParseEntitlements(in.Allow)
if err != nil {
return nil, nil, err