refactor(deployment): rename method for modifying Dockerfile to improve clarity and streamline build secrets integration
@@ -2340,7 +2340,7 @@ class ApplicationDeploymentJob implements ShouldBeEncrypted, ShouldQueue
|
|||||||
]);
|
]);
|
||||||
if ($this->dockerBuildkitSupported && $this->application->settings->use_build_secrets) {
|
if ($this->dockerBuildkitSupported && $this->application->settings->use_build_secrets) {
|
||||||
// Modify the nixpacks Dockerfile to use build secrets
|
// Modify the nixpacks Dockerfile to use build secrets
|
||||||
$this->modify_nixpacks_dockerfile_for_secrets("{$this->workdir}/.nixpacks/Dockerfile");
|
$this->modify_dockerfile_for_secrets("{$this->workdir}/.nixpacks/Dockerfile");
|
||||||
$secrets_flags = $this->build_secrets ? " {$this->build_secrets}" : '';
|
$secrets_flags = $this->build_secrets ? " {$this->build_secrets}" : '';
|
||||||
$build_command = "DOCKER_BUILDKIT=1 docker build --no-cache {$this->addHosts} --network host -f {$this->workdir}/.nixpacks/Dockerfile{$secrets_flags} --progress plain -t {$this->build_image_name} {$this->workdir}";
|
$build_command = "DOCKER_BUILDKIT=1 docker build --no-cache {$this->addHosts} --network host -f {$this->workdir}/.nixpacks/Dockerfile{$secrets_flags} --progress plain -t {$this->build_image_name} {$this->workdir}";
|
||||||
} elseif ($this->dockerBuildkitSupported) {
|
} elseif ($this->dockerBuildkitSupported) {
|
||||||
@@ -2359,7 +2359,7 @@ class ApplicationDeploymentJob implements ShouldBeEncrypted, ShouldQueue
|
|||||||
]);
|
]);
|
||||||
if ($this->dockerBuildkitSupported) {
|
if ($this->dockerBuildkitSupported) {
|
||||||
// Modify the nixpacks Dockerfile to use build secrets
|
// Modify the nixpacks Dockerfile to use build secrets
|
||||||
$this->modify_nixpacks_dockerfile_for_secrets("{$this->workdir}/.nixpacks/Dockerfile");
|
$this->modify_dockerfile_for_secrets("{$this->workdir}/.nixpacks/Dockerfile");
|
||||||
$secrets_flags = $this->build_secrets ? " {$this->build_secrets}" : '';
|
$secrets_flags = $this->build_secrets ? " {$this->build_secrets}" : '';
|
||||||
$build_command = "DOCKER_BUILDKIT=1 docker build {$this->addHosts} --network host -f {$this->workdir}/.nixpacks/Dockerfile{$secrets_flags} --progress plain -t {$this->build_image_name} {$this->workdir}";
|
$build_command = "DOCKER_BUILDKIT=1 docker build {$this->addHosts} --network host -f {$this->workdir}/.nixpacks/Dockerfile{$secrets_flags} --progress plain -t {$this->build_image_name} {$this->workdir}";
|
||||||
} else {
|
} else {
|
||||||
@@ -2385,8 +2385,9 @@ class ApplicationDeploymentJob implements ShouldBeEncrypted, ShouldQueue
|
|||||||
$this->execute_remote_command([executeInDocker($this->deployment_uuid, 'rm /artifacts/thegameplan.json'), 'hidden' => true]);
|
$this->execute_remote_command([executeInDocker($this->deployment_uuid, 'rm /artifacts/thegameplan.json'), 'hidden' => true]);
|
||||||
} else {
|
} else {
|
||||||
// Dockerfile buildpack
|
// Dockerfile buildpack
|
||||||
if ($this->dockerBuildkitSupported) {
|
if ($this->dockerBuildkitSupported && $this->application->settings->use_build_secrets) {
|
||||||
// Use BuildKit with secrets
|
// Modify the Dockerfile to use build secrets
|
||||||
|
$this->modify_dockerfile_for_secrets("{$this->workdir}{$this->dockerfile_location}");
|
||||||
$secrets_flags = $this->build_secrets ? " {$this->build_secrets}" : '';
|
$secrets_flags = $this->build_secrets ? " {$this->build_secrets}" : '';
|
||||||
if ($this->force_rebuild) {
|
if ($this->force_rebuild) {
|
||||||
$build_command = "DOCKER_BUILDKIT=1 docker build --no-cache {$this->buildTarget} --network {$this->destination->network} -f {$this->workdir}{$this->dockerfile_location}{$secrets_flags} --progress plain -t $this->build_image_name {$this->workdir}";
|
$build_command = "DOCKER_BUILDKIT=1 docker build --no-cache {$this->buildTarget} --network {$this->destination->network} -f {$this->workdir}{$this->dockerfile_location}{$secrets_flags} --progress plain -t $this->build_image_name {$this->workdir}";
|
||||||
@@ -2456,8 +2457,9 @@ COPY ./nginx.conf /etc/nginx/conf.d/default.conf");
|
|||||||
} else {
|
} else {
|
||||||
// Pure Dockerfile based deployment
|
// Pure Dockerfile based deployment
|
||||||
if ($this->application->dockerfile) {
|
if ($this->application->dockerfile) {
|
||||||
if ($this->dockerBuildkitSupported) {
|
if ($this->dockerBuildkitSupported && $this->application->settings->use_build_secrets) {
|
||||||
// Use BuildKit with secrets (only if secrets exist)
|
// Modify the Dockerfile to use build secrets
|
||||||
|
$this->modify_dockerfile_for_secrets("{$this->workdir}{$this->dockerfile_location}");
|
||||||
$secrets_flags = $this->build_secrets ? " {$this->build_secrets}" : '';
|
$secrets_flags = $this->build_secrets ? " {$this->build_secrets}" : '';
|
||||||
if ($this->force_rebuild) {
|
if ($this->force_rebuild) {
|
||||||
$build_command = "DOCKER_BUILDKIT=1 docker build --no-cache --pull {$this->buildTarget} {$this->addHosts} --network host -f {$this->workdir}{$this->dockerfile_location}{$secrets_flags} --progress plain -t {$this->production_image_name} {$this->workdir}";
|
$build_command = "DOCKER_BUILDKIT=1 docker build --no-cache --pull {$this->buildTarget} {$this->addHosts} --network host -f {$this->workdir}{$this->dockerfile_location}{$secrets_flags} --progress plain -t {$this->production_image_name} {$this->workdir}";
|
||||||
@@ -2501,7 +2503,7 @@ COPY ./nginx.conf /etc/nginx/conf.d/default.conf");
|
|||||||
]);
|
]);
|
||||||
if ($this->dockerBuildkitSupported) {
|
if ($this->dockerBuildkitSupported) {
|
||||||
// Modify the nixpacks Dockerfile to use build secrets
|
// Modify the nixpacks Dockerfile to use build secrets
|
||||||
$this->modify_nixpacks_dockerfile_for_secrets("{$this->workdir}/.nixpacks/Dockerfile");
|
$this->modify_dockerfile_for_secrets("{$this->workdir}/.nixpacks/Dockerfile");
|
||||||
$secrets_flags = $this->build_secrets ? " {$this->build_secrets}" : '';
|
$secrets_flags = $this->build_secrets ? " {$this->build_secrets}" : '';
|
||||||
$build_command = "DOCKER_BUILDKIT=1 docker build --no-cache {$this->addHosts} --network host -f {$this->workdir}/.nixpacks/Dockerfile{$secrets_flags} --progress plain -t {$this->production_image_name} {$this->workdir}";
|
$build_command = "DOCKER_BUILDKIT=1 docker build --no-cache {$this->addHosts} --network host -f {$this->workdir}/.nixpacks/Dockerfile{$secrets_flags} --progress plain -t {$this->production_image_name} {$this->workdir}";
|
||||||
} else {
|
} else {
|
||||||
@@ -2517,7 +2519,7 @@ COPY ./nginx.conf /etc/nginx/conf.d/default.conf");
|
|||||||
]);
|
]);
|
||||||
if ($this->dockerBuildkitSupported) {
|
if ($this->dockerBuildkitSupported) {
|
||||||
// Modify the nixpacks Dockerfile to use build secrets
|
// Modify the nixpacks Dockerfile to use build secrets
|
||||||
$this->modify_nixpacks_dockerfile_for_secrets("{$this->workdir}/.nixpacks/Dockerfile");
|
$this->modify_dockerfile_for_secrets("{$this->workdir}/.nixpacks/Dockerfile");
|
||||||
$secrets_flags = $this->build_secrets ? " {$this->build_secrets}" : '';
|
$secrets_flags = $this->build_secrets ? " {$this->build_secrets}" : '';
|
||||||
$build_command = "DOCKER_BUILDKIT=1 docker build {$this->addHosts} --network host -f {$this->workdir}/.nixpacks/Dockerfile{$secrets_flags} --progress plain -t {$this->production_image_name} {$this->workdir}";
|
$build_command = "DOCKER_BUILDKIT=1 docker build {$this->addHosts} --network host -f {$this->workdir}/.nixpacks/Dockerfile{$secrets_flags} --progress plain -t {$this->production_image_name} {$this->workdir}";
|
||||||
} else {
|
} else {
|
||||||
@@ -2747,57 +2749,53 @@ COPY ./nginx.conf /etc/nginx/conf.d/default.conf");
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
private function modify_nixpacks_dockerfile_for_secrets($dockerfile_path)
|
private function modify_dockerfile_for_secrets($dockerfile_path)
|
||||||
{
|
{
|
||||||
// Only process if build secrets are enabled and we have secrets to mount
|
// Only process if build secrets are enabled and we have secrets to mount
|
||||||
if (! $this->application->settings->use_build_secrets || empty($this->build_secrets)) {
|
if (! $this->application->settings->use_build_secrets || empty($this->build_secrets)) {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
// Read the nixpacks-generated Dockerfile
|
// Read the Dockerfile
|
||||||
$this->execute_remote_command([
|
$this->execute_remote_command([
|
||||||
executeInDocker($this->deployment_uuid, "cat {$dockerfile_path}"),
|
executeInDocker($this->deployment_uuid, "cat {$dockerfile_path}"),
|
||||||
'hidden' => true,
|
'hidden' => true,
|
||||||
'save' => 'nixpacks_dockerfile',
|
'save' => 'dockerfile_content',
|
||||||
]);
|
]);
|
||||||
|
|
||||||
$dockerfile = collect(str($this->saved_outputs->get('nixpacks_dockerfile'))->trim()->explode("\n"));
|
$dockerfile = str($this->saved_outputs->get('dockerfile_content'))->trim()->explode("\n");
|
||||||
|
|
||||||
// Add BuildKit syntax directive if not present
|
// Add BuildKit syntax directive if not present
|
||||||
$firstLine = $dockerfile->first();
|
if (! str_starts_with($dockerfile->first(), '# syntax=')) {
|
||||||
if (! str_starts_with($firstLine, '# syntax=')) {
|
|
||||||
$dockerfile->prepend('# syntax=docker/dockerfile:1');
|
$dockerfile->prepend('# syntax=docker/dockerfile:1');
|
||||||
}
|
}
|
||||||
|
|
||||||
// Get the list of available secrets
|
// Get environment variables for secrets
|
||||||
$variables = $this->pull_request_id === 0
|
$variables = $this->pull_request_id === 0
|
||||||
? $this->application->environment_variables()->where('key', 'not like', 'NIXPACKS_%')->get()
|
? $this->application->environment_variables()->where('key', 'not like', 'NIXPACKS_%')->get()
|
||||||
: $this->application->environment_variables_preview()->where('key', 'not like', 'NIXPACKS_%')->get();
|
: $this->application->environment_variables_preview()->where('key', 'not like', 'NIXPACKS_%')->get();
|
||||||
|
|
||||||
$modified = false;
|
if ($variables->isEmpty()) {
|
||||||
$dockerfile = $dockerfile->map(function ($line) use ($variables, &$modified) {
|
return;
|
||||||
$trim = ltrim($line);
|
}
|
||||||
|
|
||||||
if (str_contains($line, '--mount=type=secret')) {
|
// Generate mount strings for all secrets
|
||||||
|
$mountStrings = $variables->map(fn ($env) => "--mount=type=secret,id={$env->key},env={$env->key}")->implode(' ');
|
||||||
|
|
||||||
|
$modified = false;
|
||||||
|
$dockerfile = $dockerfile->map(function ($line) use ($mountStrings, &$modified) {
|
||||||
|
$trimmed = ltrim($line);
|
||||||
|
|
||||||
|
// Skip lines that already have secret mounts or are not RUN commands
|
||||||
|
if (str_contains($line, '--mount=type=secret') || ! str_starts_with($trimmed, 'RUN')) {
|
||||||
return $line;
|
return $line;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (str_starts_with($trim, 'RUN')) {
|
// Add mount strings to RUN command
|
||||||
$mounts = [];
|
$originalCommand = trim(substr($trimmed, 3));
|
||||||
foreach ($variables as $env) {
|
$modified = true;
|
||||||
$mounts[] = "--mount=type=secret,id={$env->key},env={$env->key}";
|
|
||||||
}
|
|
||||||
|
|
||||||
if (! empty($mounts)) {
|
return "RUN {$mountStrings} {$originalCommand}";
|
||||||
$mountString = implode(' ', $mounts);
|
|
||||||
$originalCommand = trim(substr($trim, 3));
|
|
||||||
|
|
||||||
$line = "RUN {$mountString} {$originalCommand}";
|
|
||||||
$modified = true;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
return $line;
|
|
||||||
});
|
});
|
||||||
|
|
||||||
if ($modified) {
|
if ($modified) {
|
||||||
@@ -2808,7 +2806,7 @@ COPY ./nginx.conf /etc/nginx/conf.d/default.conf");
|
|||||||
'hidden' => true,
|
'hidden' => true,
|
||||||
]);
|
]);
|
||||||
|
|
||||||
$this->application_deployment_queue->addLogEntry('Modified Dockerfile to use build secrets: '.$dockerfile->implode("\n"), hidden: true);
|
$this->application_deployment_queue->addLogEntry('Modified Dockerfile to use build secrets.');
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
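Review bot: In modify_dockerfile_for_secrets the `# syntax=` check only prepends a directive when none exists, but the `--mount=type=secret,id=KEY,env=KEY` form it then injects into every RUN line is, as far as I know, only understood by the docker/dockerfile 1.10+ frontend, so a user Dockerfile pinned to an older `# syntax=docker/dockerfile:1.x` line is left as-is and will fail with an unknown-option error — and the Dockerfile-buildpack calls added in the earlier hunks make user-authored Dockerfiles the normal input for this method now. I would at least document it next to the check, `// NOTE: env= on secret mounts needs docker/dockerfile >= 1.10; a user-pinned older syntax line will break the build`, or refuse the rewrite when the pinned frontend is too old. Two smaller points in the same map closure: Dockerfile instructions are case-insensitive, so `! str_starts_with($trimmed, 'RUN')` silently skips `run ...` lines, and `! preg_match('/^RUN\s/i', $trimmed)` would cover them while also requiring whitespace after the keyword. `$dockerfile_path` now carries `$this->dockerfile_location` (an application setting) into `cat {$dockerfile_path}`; if that value is not validated elsewhere it should go through escapeshellarg() before interpolation, in the write-back command too. The method body continues past the @@ -2747 hunk — the write-back and the log line sit in the @@ -2808 hunk, with the lines between them outside this view.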