fix(ci): Changed the process of token getting. From docker arguments … #5131

Merged
merged 5 commits into from
Jan 31, 2024

Conversation

AliaksandrRyzhou
Contributor

What change does this PR introduce?

Docker containers always try to build the enterprise version. Here it was suggested to use double quotes instead of single quotes so it actually works as intended. But if we change single quotes to double quotes, the variable BULL_MQ_PRO_NPM_TOKEN will be visible every time during the docker build process. Even if we try to hide it, the Docker build best practice doesn't recommend using arguments and environment variables for secret values. Anyone can take a look at these values using "docker image history" or "docker inspect".

Why was this change needed?

  • Closes 5052
  • It should securely leverage the Bullmq pro token to correctly identify if we are building the community or enterprise edition.
  • Build arguments and environment variables are inappropriate for passing secrets to your build, because they persist in the final image. Instead, you should use secret mounts or SSH mounts, which expose secrets to your builds securely.
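
As an added example (not part of this PR or the project's code): a small Python check that flags secret-looking ARG/ENV names in a Dockerfile and lists RUN secret mounts, run over two constructed Dockerfiles that put the build-argument pattern beside the secret-mount pattern the description refers to. The base image, registry host, NPM_TOKEN variable and the helper names are assumptions; only BULL_MQ_PRO_NPM_TOKEN comes from the page.

```python
import re

# Constructed Dockerfiles, not the project's files; only the variable name
# BULL_MQ_PRO_NPM_TOKEN is taken from the PR description.
BUILD_ARG_DOCKERFILE = """\
FROM node:20-alpine
ARG BULL_MQ_PRO_NPM_TOKEN
RUN echo "//registry.example.test/:_authToken=${BULL_MQ_PRO_NPM_TOKEN}" > .npmrc \\
 && npm ci && rm -f .npmrc
"""
SECRET_MOUNT_DOCKERFILE = """\
# syntax=docker/dockerfile:1
FROM node:20-alpine
RUN --mount=type=secret,id=BULL_MQ_PRO_NPM_TOKEN \\
    NPM_TOKEN="$(cat /run/secrets/BULL_MQ_PRO_NPM_TOKEN)" npm ci
"""

SECRET_NAME = re.compile(r"TOKEN|SECRET|PASSWORD|PASSWD|CREDENTIAL|API_?KEY", re.I)

def logical_lines(dockerfile):
    """Join backslash-continued lines; drop blank lines and comments."""
    joined = re.sub(r"\\[ \t]*\n", " ", dockerfile)
    lines = (line.strip() for line in joined.splitlines())
    return [line for line in lines if line and not line.startswith("#")]

def audit(dockerfile):
    """Return secret-looking ARG/ENV names and the ids of RUN secret mounts."""
    leaked, mounted = [], []
    for line in logical_lines(dockerfile):
        instr, _, rest = line.partition(" ")
        instr, tokens = instr.upper(), rest.split()
        if instr in ("ARG", "ENV") and tokens:
            # Covers ARG NAME[=default], ENV NAME=value ..., and ENV NAME value.
            names = [tokens[0].split("=", 1)[0]]
            names += [t.split("=", 1)[0] for t in tokens[1:] if "=" in t]
            leaked += [(instr, n) for n in names if SECRET_NAME.search(n)]
        elif instr == "RUN":
            for opts in re.findall(r"--mount=(\S+)", rest):
                kv = dict(p.split("=", 1) for p in opts.split(",") if "=" in p)
                if kv.get("type") == "secret":
                    mounted.append(kv.get("id", ""))
    return {"leaked": leaked, "mounted": mounted}

if __name__ == "__main__":
    for label, text in (("build arg", BUILD_ARG_DOCKERFILE),
                        ("secret mount", SECRET_MOUNT_DOCKERFILE)):
        print(label, audit(text))
```

The check is name-based, so it is a heuristic for review or CI rather than proof that a built image carries no secret.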


netlify bot commented Jan 30, 2024

Deploy Preview for dev-web-novu failed.

Name Link
🔨 Latest commit 707b02f
🔍 Latest deploy log https://app.netlify.com/sites/dev-web-novu/deploys/65ba0cb6e76ddb00082303a7

Contributor

@LetItRock LetItRock left a comment

looks good to me! 🔥
maybe before merging these changes to next we can try the full deployment to the dev env? and we can also verify that the images that are built include the bullmq-pro package in the node_modules.

@AliaksandrRyzhou
Contributor Author

> looks good to me! 🔥
>
> maybe before merging these changes to next we can try the full deployment to the dev env? and we can also verify that the images that are built include the bullmq-pro package in the node_modules.

This is a very good idea Pawel. I'll do as you say

@scopsy
Contributor

scopsy commented Jan 30, 2024

Just as a small note, it's not really a huge issue since the ee dockers are in the private repository. But I totally agree that it's a better practice.

@AliaksandrRyzhou AliaksandrRyzhou merged commit 28dd9e8 into next Jan 31, 2024
23 of 28 checks passed
@AliaksandrRyzhou AliaksandrRyzhou deleted the inf-184-docker-enterprise-security-bugfix branch January 31, 2024 12:30