feat: add image user option

Signed-off-by: Maxime Brunet <max@brnt.mx>
2025-04-07 21:38:44 +02:00 · 2024-03-23 12:58:03 -07:00 · 2024-03-23 12:58:03 -07:00 · ac22328979
commit ac22328979
parent 6541f6e217
10 changed files with 41 additions and 0 deletions
--- a/docs/reference/ko_apply.md
+++ b/docs/reference/ko_apply.md
@ -54,6 +54,7 @@ ko apply -f FILENAME [flags]
      --image-annotation strings   Which annotations (key=value[,key=value]) to add to the OCI manifest.
      --image-label strings        Which labels (key=value[,key=value]) to add to the image.
      --image-refs string          Path to file where a list of the published image references will be written.
+      --image-user string          The default user the image should be run as.
      --insecure-registry          Whether to skip TLS verification on the registry
  -j, --jobs int                   The maximum number of concurrent builds (default GOMAXPROCS)
  -L, --local                      Load into images to local docker daemon.
--- a/docs/reference/ko_build.md
+++ b/docs/reference/ko_build.md
@ -50,6 +50,7 @@ ko build IMPORTPATH... [flags]
      --image-annotation strings   Which annotations (key=value[,key=value]) to add to the OCI manifest.
      --image-label strings        Which labels (key=value[,key=value]) to add to the image.
      --image-refs string          Path to file where a list of the published image references will be written.
+      --image-user string          The default user the image should be run as.
      --insecure-registry          Whether to skip TLS verification on the registry
  -j, --jobs int                   The maximum number of concurrent builds (default GOMAXPROCS)
  -L, --local                      Load into images to local docker daemon.
--- a/docs/reference/ko_create.md
+++ b/docs/reference/ko_create.md
@ -54,6 +54,7 @@ ko create -f FILENAME [flags]
      --image-annotation strings   Which annotations (key=value[,key=value]) to add to the OCI manifest.
      --image-label strings        Which labels (key=value[,key=value]) to add to the image.
      --image-refs string          Path to file where a list of the published image references will be written.
+      --image-user string          The default user the image should be run as.
      --insecure-registry          Whether to skip TLS verification on the registry
  -j, --jobs int                   The maximum number of concurrent builds (default GOMAXPROCS)
  -L, --local                      Load into images to local docker daemon.
--- a/docs/reference/ko_resolve.md
+++ b/docs/reference/ko_resolve.md
@ -47,6 +47,7 @@ ko resolve -f FILENAME [flags]
      --image-annotation strings   Which annotations (key=value[,key=value]) to add to the OCI manifest.
      --image-label strings        Which labels (key=value[,key=value]) to add to the image.
      --image-refs string          Path to file where a list of the published image references will be written.
+      --image-user string          The default user the image should be run as.
      --insecure-registry          Whether to skip TLS verification on the registry
  -j, --jobs int                   The maximum number of concurrent builds (default GOMAXPROCS)
  -L, --local                      Load into images to local docker daemon.
--- a/docs/reference/ko_run.md
+++ b/docs/reference/ko_run.md
@ -38,6 +38,7 @@ ko run IMPORTPATH [flags]
      --image-annotation strings   Which annotations (key=value[,key=value]) to add to the OCI manifest.
      --image-label strings        Which labels (key=value[,key=value]) to add to the image.
      --image-refs string          Path to file where a list of the published image references will be written.
+      --image-user string          The default user the image should be run as.
      --insecure-registry          Whether to skip TLS verification on the registry
  -j, --jobs int                   The maximum number of concurrent builds (default GOMAXPROCS)
  -L, --local                      Load into images to local docker daemon.
--- a/pkg/build/gobuild.go
+++ b/pkg/build/gobuild.go
@ -103,6 +103,7 @@ type gobuild struct {
 	dir                  string
 	labels               map[string]string
 	annotations          map[string]string
+	user                 string
 	debug                bool
 	semaphore            *semaphore.Weighted

@ -129,6 +130,7 @@ type gobuildOpener struct {
 	platforms            []string
 	labels               map[string]string
 	annotations          map[string]string
+	user                 string
 	dir                  string
 	jobs                 int
 	debug                bool
@ -151,6 +153,7 @@ func (gbo *gobuildOpener) Open() (Interface, error) {
 	return &gobuild{
 		ctx:                  gbo.ctx,
 		getBase:              gbo.getBase,
+		user:                 gbo.user,
 		creationTime:         gbo.creationTime,
 		kodataCreationTime:   gbo.kodataCreationTime,
 		build:                gbo.build,
@ -1172,6 +1175,10 @@ func (g *gobuild) buildOne(ctx context.Context, refStr string, base v1.Image, pl
 		cfg.Config.Labels[k] = v
 	}

+	if g.user != "" {
+		cfg.Config.User = g.user
+	}
+
 	empty := v1.Time{}
 	if g.creationTime != empty {
 		cfg.Created = g.creationTime
--- a/pkg/build/gobuild_test.go
+++ b/pkg/build/gobuild_test.go
@ -846,6 +846,7 @@ func TestGoBuild(t *testing.T) {
 		WithLabel("hello", "world"),
 		WithAnnotation("fizz", "buzz"),
 		WithAnnotation("goodbye", "world"),
+		WithUser("1234:1234"),
 		WithPlatforms("all"),
 	)
 	if err != nil {
@ -921,6 +922,19 @@ func TestGoBuild(t *testing.T) {
 			t.Fatalf("Annotations diff (-got,+want): %s", d)
 		}
 	})
+
+	t.Run("check user", func(t *testing.T) {
+		cfg, err := img.ConfigFile()
+		if err != nil {
+			t.Fatalf("ConfigFile() = %v", err)
+		}
+
+		want := "1234:1234"
+		got := cfg.Config.User
+		if got != want {
+			t.Fatalf("User: %s != %s", want, got)
+		}
+	})
 }

 func TestGoBuild_Defaults(t *testing.T) {
--- a/pkg/build/options.go
+++ b/pkg/build/options.go
@ -153,6 +153,14 @@ func WithAnnotation(k, v string) Option {
 	}
 }

+// WithUser is a functional option for overriding the user in the image config.
+func WithUser(user string) Option {
+	return func(gbo *gobuildOpener) error {
+		gbo.user = user
+		return nil
+	}
+}
+
 // withBuilder is a functional option for overriding the way go binaries
 // are built.
 func withBuilder(b builder) Option {
--- a/pkg/commands/options/build.go
+++ b/pkg/commands/options/build.go
@ -66,6 +66,7 @@ type BuildOptions struct {
 	Platforms            []string
 	Labels               []string
 	Annotations          []string
+	User                 string
 	Debug                bool
 	// UserAgent enables overriding the default value of the `User-Agent` HTTP
 	// request header used when retrieving the base image.
@ -98,6 +99,8 @@ func AddBuildOptions(cmd *cobra.Command, bo *BuildOptions) {
 		"Which labels (key=value[,key=value]) to add to the image.")
 	cmd.Flags().StringSliceVar(&bo.Annotations, "image-annotation", []string{},
 		"Which annotations (key=value[,key=value]) to add to the OCI manifest.")
+	cmd.Flags().StringVar(&bo.User, "image-user", "",
+		"The default user the image should be run as.")
 	cmd.Flags().BoolVar(&bo.Debug, "debug", bo.Debug,
 		"Include Delve debugger into image and wrap around ko-app. This debugger will listen to port 40000.")
 	bo.Trimpath = true
--- a/pkg/commands/resolver.go
+++ b/pkg/commands/resolver.go
@ -127,6 +127,10 @@ func gobuildOptions(bo *options.BuildOptions) ([]build.Option, error) {
 		opts = append(opts, build.WithAnnotation(k, v))
 	}

+	if bo.User != "" {
+		opts = append(opts, build.WithUser(bo.User))
+	}
+
 	if bo.BuildConfigs != nil {
 		opts = append(opts, build.WithConfig(bo.BuildConfigs))
 	}