Genbox
Add .npmrc files to node templates
Description
This change adds an empty .npmrc file to the node templates as well as adding the NPM_TOKEN build arg to allow users to specify a private npm registry, or pass credentials to the templates during build process.
Use of the NPM_TOKEN build arg means that the credentials are not stored with the images and remain secure once the function is built and deployed.
Using the --build-arg means that the .npmrc file does not need to be removed during the build process, however, if there is concern with keeping the file, it would be trivial to add a RUN rm .npmrc line to the Dockerfiles.
Signed-off-by: Burton Rheutan [email protected]
Motivation and Context
- [X] I have raised an issue to propose this change (required) Several users have voiced a need to be able to install private npm packages in order to use the node templates. It was brought up in a few issues, in person, and in Slack.
Which issue(s) this PR fixes
Fixes #103
Also, makes permanent the workaround described in the faas issue https://github.com/openfaas/faas/issues/1025
How Has This Been Tested?
Tested this by creating a verdaccio registry, and creating a private package there. Then, created a new function that referenced that package and including the verdaccio registry in the .npmrc file. Invoked the function, and verified the output included the private package's output.
.npmrc file:
registry=http://br-npmreg.southcentralus.azurecontainer.io:4873
//br-npmreg.southcentralus.azurecontainer.io:4873/:_authToken=${NPM_TOKEN}
packages.json file:
...
"dependencies": {
"burtonr-test": "^1.0.3",
"moment": "^2.24.0"
}
}
Then, using faas-cli, ran the build with the NPM_TOKEN as a build-arg:
faas build -f pvt-js11.yml --build-arg NPM_TOKEN=xxxxxxx
Also, verified that not including the NPM_TOKEN had no effect on the build (only of course if the .npmrc file didn't require it)
Types of changes
- [X] Bug fix (non-breaking change which fixes an issue)
- [X] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing functionality to change)
- [ ] Version change (see: Impact to existing users)
Impact to existing users
None, as new templates will include an empty .npmrc file that need not have any content.
Checklist:
- [X] My code follows the code style of this project.
- [X] My change requires a change to the documentation.
- I've updated the "welcome message" on the templates, but will need another PR to add notes in the docs as there is no readme for individual templates
- [X] I have updated the documentation accordingly.
- [X] I've read the CONTRIBUTION guide
- [X] I have signed-off my commits with
git commit -s - [ ] I have added tests to cover my changes.
- [X] All new and existing tests passed.
Sorry about that, forgot to update the testing section before submitting. I've edited it and included the steps I took.
Did your package work as expected?
What was the command you used with faas-cli build?
Does docker history --no-trunc <IMAGE> show the contents of the file?
Updated the testing section to show the faas-cli build command used: faas build -f pvt-js11.yml --build-arg NPM_TOKEN=xxxxxxx
The output of docker history only shows the sha of the file, no content. No values of the NPM_TOKEN either:
sha256:6802d30af37ae78af70214a00299e8a54fba5795751dd3a9a368f62288bb2af0 About an hour ago /bin/sh -c #(nop) ARG NPM_TOKEN 0B
sha256:bd3ab33d233c864eb04effcf838bec51c187dae8dba1247253dbcd97d3f22c1e 14 hours ago /bin/sh -c #(nop) WORKDIR /home/app/function 0B
sha256:3e6b0a152dc79b5946b57915115a683994b8fa3bbc75ab44f83d61cbb7a58cb4 14 hours ago /bin/sh -c #(nop) COPY file:0e28bb7d81d3b1f1c6eb84b4b5b28a80771df9193aad14b0dc6466f26af2a3f7 in ./ 868B
sha256:e4693f54845a68de7d87112c0e455902c1c13959ef16d641e607037d803918f8 14 hours ago /bin/sh -c npm i --production 15.3kB
sha256:4333677f57b5b3fcee5532d6bfd015e18efa6a3addc548b61bd52da31a26383e 14 hours ago /bin/sh -c #(nop) COPY file:01ef0af5770d728c999ea083bbba183d61bbb53485bc8855fc0b9548d1a2c581 in ./
I think that's generally up to the user. It's possible to include it in the .npmrc file, and not use the build-arg. Some may not even need the build arg if they're just using a different registry without needing to authenticate to pull.
Some articles I've read suggest using an environment variable.
The most secure would likely be your suggestion of keeping it in a file and cat-ing it out at build time to keep it out of the environment and terminal history.