frontend: allow mounting secret environment variables#5215
frontend: allow mounting secret environment variables#5215tonistiigi merged 1 commit intomoby:masterfrom
Conversation
Instead of RUN --mount=type=secret,id=mysecret,env=MY_SECRETMight be confusing though |
a-palchikov
force-pushed
the
dockerfile/secretasenv
branch
from
20c94fb to
85c9af4
Compare
Yes, it might be confusing given that regular secret mounts use the Ultimately, both |
Wondering; would there be use-cases where both a mount ( In that case, target could continue to be used to specify the name of the mounted secret, and That would likely mean that |
Hmm, that's a very good point. I don't think it's possible in LLB as currently implemented: Lines 391 to 410 in 979542e but I can take a stab at it. |
Oh! Yes, I'm not super familiar with the BuildKit internals. For clarity; I'm not a maintainer for BuildKit, so mostly commenting as a user interested in this feature, so happy to hear from BuildKit maintainers on my suggestions as well 😅 |
Yes I think that would be fine to have both but would need LLB changes as stated by @a-palchikov. Not for this PR but we should also consider having a build check that warns if a secret env overrides ones from |
a-palchikov
force-pushed
the
dockerfile/secretasenv
branch
from
85c9af4 to
d66f9c9
Compare
| }) | ||
| } | ||
|
|
||
| // SecretAsEnvName defines if the secret should be added as an environment variable |
There was a problem hiding this comment.
I kept the original functional option (SecretAsEnv) intact to keep backwards compatibility as I think it might already be used.
a-palchikov
force-pushed
the
dockerfile/secretasenv
branch
4 times, most recently
from
2b083b3 to
1e498a4
Compare
| } | ||
| peo.Mounts = append(peo.Mounts, pm) | ||
| } | ||
| pm := &pb.Mount{ |
There was a problem hiding this comment.
This seems to be a behavior change of creating a secret mount when SecretAsEnv was set.
If there is a need for mounting the same secret both as file and env (can't think of one) then it should be optional.
|
|
||
| dockerfile := []byte(` | ||
| FROM busybox | ||
| RUN --mount=type=secret,id=mysecret,env [ "$mysecret" == "pw" ] && [ -f /run/secrets/mysecret ] || false |
There was a problem hiding this comment.
I'm not sure if this is needed in Dockerfile syntax. Would be more clearer if env always has a string value.
a-palchikov
force-pushed
the
dockerfile/secretasenv
branch
from
1e498a4 to
0fc5f16
Compare
|
@tonistiigi Updated with the following semantics: A secret is defined with a tuple (id, target) which can be aliased as (source, destination) using the following format: RUN --mount=type=secret,id=FOO,target=/path/to/secret ...Existing secret rules:
Adding RUN --mount=type=secret,id=FOO,env=FOOwith the following semantics:
|
|
I think you can squash the commits as don't think they are useful on their own. If you want, you can leave the client-llb and dockerfile changes separate. |
This adds the syntax to Dockerfile frontend. I purposedly chose to use a simple format for this as it's likely going to be debated. As implemented, the following format is supported: ``` RUN --mount=type=secret,id=MYSECRET,env ``` or, more explicitly: ``` RUN --mount=type=secret,id=MYSECRET,env=true ``` will mount the secret with id MYSECRET as a new environment variable with the same name. Using 'target', it's possible to create a different environment variable: ``` RUN --mount=type=secret,id=mysecret,target=MY_SECRET,env ``` will mount 'mysecret' secret as MY_SECRET environment variable. Any suggestions on making it more ergonomic are welcome. Signed-off-by: a-palchikov <[email protected]>
a-palchikov
force-pushed
the
dockerfile/secretasenv
branch
from
0fc5f16 to
96f746b
Compare
6 participants
Implements frontend side of #2122.
This adds the syntax to Dockerfile frontend.
I purposefully chose to use a simple format for this as it's likely going to be debated. As implemented, the following format is supported:
RUN --mount=type=secret,id=MYSECRET,envor, more explicitly:
RUN --mount=type=secret,id=mysecret,env=MYSECRETwill mount the secret with id
mysecretas a new environment variable with the nameMYSECRET).Either way, the secret will be mounted as a file (existing behavior).
Note, that this already implements a suggestion from the PR comments.
Any suggestions on making it even more ergonomic or straightforward are welcome.