fix(server): fix artifact export and build commands leak

Signed-off-by: Yaroslav Pershin <62902094+iapershin@users.noreply.github.com>

Author: iapershin

e2e/tests/flow/_fixtures/complete_cycle/trdl.yaml

@@ -1,6 +1,7 @@
 dockerImage: alpine@sha256:e1c082e3d3c45cccac829840a25941e679c25d438cc8412c2fa221cf1a824e6a
 commands:
-  - '[ "$(cat /run/secrets/secretId0)" = "secretData" ] || (echo "Env does not match the expected value" && exit 1)'
+  - '[ "$(cat /run/secrets/secretId0-test)" = "secretData" ] || (echo "output does not match the expected value" && exit 1)'
+  - '[ "$(cat /run/secrets/secretId1-test)" = "secretData" ] || (echo "output does not match the expected value" && exit 1)'
   - mkdir -p /result/any-any/bin
   - printf "echo {{ .Tag }}\n" > /result/any-any/bin/script.sh
   - mkdir -p /result/windows-any/bin

e2e/tests/flow/complete_cycle_test.go

@@ -225,7 +225,7 @@ var _ = Describe("Complete cycle", func() {
 			req.Path = "configure/build/secrets"
 			req.Operation = logical.CreateOperation
 			req.Data = map[string]interface{}{
-				"id":   fmt.Sprintf("secretId%d", i),
+				"id":   fmt.Sprintf("secretId%d-test", i),
 				"data": "secretData",
 			}
 			_, err = backend.HandleRequest(context.Background(), req)

server/pkg/docker/build.go

@@ -9,7 +9,7 @@ import (
 	"io"
 	"os/exec"
 	"path"
-	"strings"
+	"regexp"
 
 	"github.com/djherbis/buffer"
 	"github.com/djherbis/nio/v3"
@@ -91,7 +91,7 @@ func BuildReleaseArtifacts(ctx context.Context, opts BuildReleaseArtifactsOpts,
 		return fmt.Errorf("unable to set cli args: %w", err), nil
 	}
 
-	if err := RunCliBuild(contextReader, opts.TarWriter, args...); err != nil {
+	if err := RunCliBuild(ctx, contextReader, opts.TarWriter, args...); err != nil {
 		return fmt.Errorf("can't build artifacts: %w", err), nil
 	}
 
@@ -106,9 +106,9 @@ func BuildReleaseArtifacts(ctx context.Context, opts BuildReleaseArtifactsOpts,
 	return nil, cleanupFunc
 }
 
-func RunCliBuild(contextReader *nio.PipeReader, tarWriter *nio.PipeWriter, args ...string) error {
+func RunCliBuild(ctx context.Context, contextReader *nio.PipeReader, tarWriter *nio.PipeWriter, args ...string) error {
 	finalArgs := append([]string{"buildx", "build"}, args...)
-	cmd := exec.Command("docker", finalArgs...)
+	cmd := exec.CommandContext(ctx, "docker", finalArgs...)
 	cmd.Stdout = tarWriter
 	cmd.Stdin = contextReader
 
@@ -121,31 +121,54 @@ func RunCliBuild(contextReader *nio.PipeReader, tarWriter *nio.PipeWriter, args
 		return fmt.Errorf("error starting command: %w", err)
 	}
 
-	var stderr bytes.Buffer
-	io.Copy(&stderr, stderrPipe)
+	errSection, scanErr := extractRelevantLogs(stderrPipe)
+	if scanErr != nil {
+		return scanErr
+	}
 
 	if err := cmd.Wait(); err != nil {
-		var errMsg string
-		if stderr.Len() > 0 {
-			errMsg = extractErrorMessage(stderr.String())
+		if errSection.Len() == 0 {
+			return fmt.Errorf("build failed with error(s):\n%s\n%w", errSection.String(), err)
 		}
-		return fmt.Errorf("error executing command: %s %w", errMsg, err)
+		return fmt.Errorf("build failed:\n%s\n%w", errSection.String(), err)
 	}
 
 	return nil
 }
 
-func extractErrorMessage(stderr string) string {
-	scanner := bufio.NewScanner(strings.NewReader(stderr))
-	var errors []string
+// this needs for parsing buildx logs due to the fact that buildx writes all to stderr
+// it will look for the first error section of the logs that contains the error
+// or if not found just lines starts with "error:" or "ERROR:"
+func extractRelevantLogs(stderr io.ReadCloser) (bytes.Buffer, error) {
+	scanner := bufio.NewScanner(stderr)
+
+	var errSection bytes.Buffer
+	var foundSection bool
+	reSectionStart := regexp.MustCompile(`^------$`)
+	reError := regexp.MustCompile(`(?i)^error:`)
 
 	for scanner.Scan() {
 		line := scanner.Text()
-		if strings.HasPrefix(line, "ERROR:") || strings.HasPrefix(line, "error:") {
-			errors = append(errors, line)
+
+		if reSectionStart.MatchString(line) {
+			if errSection.Len() > 0 {
+				break
+			}
+			foundSection = true
 		}
+
+		if foundSection {
+			errSection.WriteString(line + "\n")
+		} else if reError.MatchString(line) {
+			errSection.WriteString(line + "\n")
+		}
+	}
+
+	if err := scanner.Err(); err != nil {
+		return errSection, fmt.Errorf("error reading stderr: %w", err)
 	}
-	return strings.Join(errors, " ")
+
+	return errSection, nil
 }
 
 func setCliArgs(serviceDockerfilePathInContext string, secrets []secrets.Secret) ([]string, error) {

server/pkg/docker/dockerfile.go

@@ -50,7 +50,8 @@ func generateDockerfile(fromImage string, runCommands []string, opts DockerfileO
 		data = append(data, []byte(line+"\n")...)
 	}
 
-	addLineFunc(fmt.Sprintf("FROM %s", fromImage))
+	// we use stages to reduce the size of output data to stdout
+	addLineFunc(fmt.Sprintf("FROM %s as builder", fromImage))
 
 	for labelName, labelVal := range opts.Labels {
 		addLineFunc(fmt.Sprintf("LABEL %s=%q", labelName, labelVal))
@@ -76,5 +77,10 @@ func generateDockerfile(fromImage string, runCommands []string, opts DockerfileO
 		}
 	}
 
+	// since we need only the artifacts from the build stage
+	// we use scratch as the final image containing ONLY artifacts
+	addLineFunc("FROM scratch")
+	addLineFunc(fmt.Sprintf("COPY --from=builder /%s /%s/", ContainerArtifactsDir, ContainerArtifactsDir))
+
 	return data
 }