ecr-assets: can't use docker build options like --ssh/--secret available when BUILDKIT is enabled #14910
Comments
hizvi
added
feature-request
SoManyHs
changed the title
github-actions
bot
added
the
@aws-cdk/assets
|
@SoManyHs can you comment on why this is an ecr-assets issue? |
|
Seems like a useful addition, contributions are welcome. |
eladb
changed the title
github-actions
bot
added
the
@aws-cdk/assets
|
Lack of support for BuildKit options like
None of the modern docker args like those for BuildKit are explicitly supported via options params, and there's no mechanism for decorating any CDK-created docker commands with additional args to allow for CLI updates that haven't been coded for yet in the CDK. In the meantime, I've posted a placeholder solution for my use cases to this gist: https://gist.github.com/rob3c/8bf845918bc5270c5e22da0674081f90 It has functions Here's sample usage showing lambda code built using BuildKit new aws_lambda.Function(this, 'MyLambda', {
runtime: aws_lambda.Runtime.DOTNET_CORE_3_1,
code: assetCodeFromDockerBuildKitBuild(buildContextDir, {
buildArgs: { CONFIG: 'Release' },
secrets: { nuget_config: 'NuGetPrivateFeed.Config' },
additionalArgs: {
'--progress': 'plain',
'--ssh': 'myserver=$HOME/.ssh/myserver_rsa',
},
}),
handler: 'MyAssembly::MyNamespace.MyHandlerClass::MyHandlerMethod',
}); |
|
@peterwoodworth @eladb How can I achieve the same effect as "DOCKER_BUILDKIT=1 docker build --secret id=aws,src=$HOME/.aws/credentials --progress=plain" through awscdk/awsecrassets asset := awsecrassets.NewDockerImageAsset(stack, jsii.String("dockerImage"), &awsecrassets.DockerImageAssetProps{
Directory: jsii.String(path.Join(dir, "./app")),
})I really need to pass aws/credentials when building the docker image, because I want to import another aws codecommit (golang project) as a module. |
@hxy1991 See my message and the gist I posted a link to. There are functions that produce |
|
@eladb as a simple half step to adding all the new BuildKit args, would a generic |
|
@rob3c Would you know how to use your code with an |
|
Buildkit is now the default in Docker for Mac. This means pretty much any of the docker build integrations currently across cdk won't work. |
|
It seem currently cdk not support with ssh/secret option. |
|
Please work on this, this is a blocker for my team |
Partially closes #14910 and #14395 ---- ### All Submissions: * [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### Adding new Construct Runtime Dependencies: * [ ] This PR adds new construct runtime dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-construct-runtime-dependencies) ### New Features * [x] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [x] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
|
|
@hizvi could this issue be reopened? It has only been partially solved: the |
docker build options
--ssh/--secretcan not be used withaws-ecs.AssetImageoraws-ecr-assets.DockerImageAssetthese options are available with docker build when
DOCKER_BUILDKIT=1is enabled.Use Case
Docker image builds may require access to private resources that require ssh keys and/or secrets. Docker BuildKit allows mounting them safely.
Proposed Solution
The docker utility in cdk already has options for build args and such. the
--sshand--secretoptions can be implemented similarly.Other
This is a 🚀 Feature Request
The text was updated successfully, but these errors were encountered: