You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I can see how this step would be helpful in debugging as you could see how the container is being configured. But this means any ENV variables are also outputted to the Cloudbuild log files. Since ENV variables often contain sensitive credentials this seem unwise.
At the most simple level might be a flag that someone can use to indicate if they want the Dockerfile to output for debugging. By default don't output but with a certain flag that can be given to the GAE deploy command (and therefore passed onto this generator) you get the best of both worlds. Secure by default but debugging output can be enabled.
Another option might be filter the values of all ENV variables from the Dockerfile output. This removes the complexity of a config option and 99% of the generated Dockerfile can be seen but the part that might contain sensitive data would just have something like:
As you can see this might over-reach some. The RAILS_ENV env variable is not sensitive. But the others become protected.
It just seems a shame that we have nice components like the Secrets Manager to store these secrets securely, CloudBuild can pull these secrets out via the 'avaliableSecrets' so we can pass it onto gcloud app deploy only to have all that effort undone by the stock build process.
The text was updated successfully, but these errors were encountered:
The ruby-generate-dockerfile container is used by Google App Engine to deploy Ruby/Rails applications. The last thing it does after generating the Dockerfile for the Ruby/Rails application is output the entire generated Dockerfile.
I can see how this step would be helpful in debugging as you could see how the container is being configured. But this means any ENV variables are also outputted to the Cloudbuild log files. Since ENV variables often contain sensitive credentials this seem unwise.
At the most simple level might be a flag that someone can use to indicate if they want the Dockerfile to output for debugging. By default don't output but with a certain flag that can be given to the GAE deploy command (and therefore passed onto this generator) you get the best of both worlds. Secure by default but debugging output can be enabled.
Another option might be filter the values of all ENV variables from the Dockerfile output. This removes the complexity of a config option and 99% of the generated Dockerfile can be seen but the part that might contain sensitive data would just have something like:
As you can see this might over-reach some. The
RAILS_ENV
env variable is not sensitive. But the others become protected.It just seems a shame that we have nice components like the Secrets Manager to store these secrets securely, CloudBuild can pull these secrets out via the 'avaliableSecrets' so we can pass it onto
gcloud app deploy
only to have all that effort undone by the stock build process.The text was updated successfully, but these errors were encountered: