Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow access to go internal modules #12312

Merged
merged 2 commits into from
Nov 12, 2024
Merged

Allow access to go internal modules #12312

merged 2 commits into from
Nov 12, 2024

Conversation

KacperMalachowski
Copy link
Contributor

Description

Changes proposed in this pull request:

  • Add option to setup access to go internal modules, while using ADO backend

@kyma-bot kyma-bot added cla: yes Indicates the PR's author has signed the CLA. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Nov 6, 2024
dekiel
dekiel requested changes Nov 6, 2024
View reviewed changes
Copy link
Contributor

@dekiel dekiel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we mount .netrc file always? If user would like to use it, they must copy it from build context to the image $HOME directory. This additional parameter would be not needed then.

@KacperMalachowski
Copy link
Contributor Author

KacperMalachowski commented Nov 7, 2024
edited
Loading

Can we mount .netrc file always? If user would like to use it, they must copy it from build context to the image $HOME directory. This additional parameter would be not needed then.

In theory yes, but I prefer not.
Implicitly changing the build context content doesn't look right for me.

Also putting it always allows malicious actors to get it from any kyma module through PR with a crafted Dockerfile. In the proposed setup only kyma modules which explicitly enabled this option are somehow vulnerable (that reduces the attack surface to mostly or even only modules hosted on internal GitHub).

Another option would be to implement the check that will fail the pipeline if . netrc was mentioned with e.g. cat command.

@dekiel
Copy link
Contributor

dekiel commented Nov 8, 2024

You're right requiring to explicitly enable access to private modules would be safer. Trying to prevent printing .netrc or private module content seems not efficient, there is probably many ways to print the content. It would be hard to address all of them.

I'm thinking how we can secure the .netrc file further. If we would run go mod vendor before the build step, then the content of private modules will be accessible from vendor directory, but the .netrc. file will not be present in build context. This way users will not have access to the credentials stored in a file. What's your opinion?

@KacperMalachowski
Copy link
Contributor Author

KacperMalachowski commented Nov 8, 2024
edited
Loading

@dekiel That sounds good to me. I wasn't aware of go mod vendor to be honest, but the quick research looks promising.
With that approach we can drop the parameter as well.

@dekiel
Copy link
Contributor

dekiel commented Nov 8, 2024

The parameter could stay. This way our private code wont be always accessible in build process and the user will have choice if use a go mod vendor or let go build get modules. I wasn't using go mod vendor much. We can test this approach for scenarios requiring private modules and later consider changing an image builder to always use it.

dekiel
dekiel requested changes Nov 12, 2024
View reviewed changes
Copy link
Contributor

@dekiel dekiel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please add test for SetUseGoInternalModules function.

@kyma-bot kyma-bot added the lgtm Looks good to me! label Nov 12, 2024
@kyma-bot kyma-bot merged commit fd0d938 into kyma-project:main Nov 12, 2024
38 checks passed
@dekiel dekiel assigned KacperMalachowski and unassigned dekiel Nov 18, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dekiel dekiel dekiel approved these changes

@neighbors-dev-bot neighbors-dev-bot Awaiting requested review from neighbors-dev-bot neighbors-dev-bot is a code owner

@szumejker szumejker Awaiting requested review from szumejker szumejker is a code owner automatically assigned from kyma-project/prow

Assignees

@KacperMalachowski KacperMalachowski

Labels
cla: yes Indicates the PR's author has signed the CLA. lgtm Looks good to me! size/S Denotes a PR that changes 10-29 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@KacperMalachowski @dekiel @kyma-bot