docker
/
compose
mirror of https://github.com/docker/compose.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

add support of environment secret during build step 

Signed-off-by: Guillaume Lours <guillaume.lours@docker.com>
This commit is contained in:
Guillaume Lours 2022-07-01 10:41:48 +02:00
parent ff2bf78570
commit 4debb133a7
No known key found for this signature in database
4 changed files with 42 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

43
pkg/compose/build.go
View File

@ -256,23 +256,11 @@ func (s *composeService) toBuildOptions(project *types.Project, service types.Se
} }
if len(service.Build.Secrets) > 0 { if len(service.Build.Secrets) > 0 {
var sources []secretsprovider.Source secretsProvider, err := addSecretsConfig(project, service, sessionConfig)
for _, secret := range service.Build.Secrets {
config := project.Secrets[secret.Source]
if config.File == "" {
return build.Options{}, fmt.Errorf("build.secrets only supports file-based secrets: %q", secret.Source)
}
sources = append(sources, secretsprovider.Source{
ID: secret.Source,
FilePath: config.File,
})
}
store, err := secretsprovider.NewStore(sources)
if err != nil { if err != nil {
return build.Options{}, err return build.Options{}, err
} }
p := secretsprovider.NewSecretProvider(store) sessionConfig = append(sessionConfig, secretsProvider)
sessionConfig = append(sessionConfig, p)
} }
if len(service.Build.Tags) > 0 { if len(service.Build.Tags) > 0 {
@ -341,3 +329,30 @@ func sshAgentProvider(sshKeys types.SSHConfig) (session.Attachable, error) {
} }
return sshprovider.NewSSHAgentProvider(sshConfig) return sshprovider.NewSSHAgentProvider(sshConfig)
} }
func addSecretsConfig(project *types.Project, service types.ServiceConfig, sessionConfig []session.Attachable) (session.Attachable, error) {
var sources []secretsprovider.Source
for _, secret := range service.Build.Secrets {
config := project.Secrets[secret.Source]
switch {
case config.File != "":
sources = append(sources, secretsprovider.Source{
ID: secret.Source,
FilePath: config.File,
})
case config.Environment != "":
sources = append(sources, secretsprovider.Source{
ID: secret.Source,
Env: config.Environment,
})
default:
return nil, fmt.Errorf("build.secrets only supports environment or file-based secrets: %q", secret.Source)
}
}
store, err := secretsprovider.NewStore(sources)
if err != nil {
return nil, err
}
return secretsprovider.NewSecretProvider(store), nil
}

7
pkg/e2e/build_test.go
View File

@ -176,7 +176,12 @@ func TestBuildSecrets(t *testing.T) {
// ensure local test run does not reuse previously build image // ensure local test run does not reuse previously build image
c.RunDockerOrExitError(t, "rmi", "build-test-secret") c.RunDockerOrExitError(t, "rmi", "build-test-secret")
res := c.RunDockerComposeCmd(t, "--project-directory", "fixtures/build-test/secrets", "build") cmd := c.NewDockerComposeCmd(t, "--project-directory", "fixtures/build-test/secrets", "build")
res := icmd.RunCmd(cmd, func(cmd *icmd.Cmd) {
cmd.Env = append(cmd.Env, "SOME_SECRET=bar")
})
res.Assert(t, icmd.Success) res.Assert(t, icmd.Success)
}) })
} }

4
pkg/e2e/fixtures/build-test/secrets/Dockerfile
View File

@ -20,3 +20,7 @@ FROM alpine
RUN echo "foo" > /tmp/expected RUN echo "foo" > /tmp/expected
RUN --mount=type=secret,id=mysecret cat /run/secrets/mysecret > /tmp/actual RUN --mount=type=secret,id=mysecret cat /run/secrets/mysecret > /tmp/actual
RUN diff /tmp/expected /tmp/actual RUN diff /tmp/expected /tmp/actual
RUN echo "bar" > /tmp/expected
RUN --mount=type=secret,id=envsecret cat /run/secrets/envsecret > tmp/actual
RUN diff --ignore-all-space /tmp/expected /tmp/actual

3
pkg/e2e/fixtures/build-test/secrets/compose.yml
View File

@ -5,7 +5,10 @@ services:
context: . context: .
secrets: secrets:
- mysecret - mysecret
- envsecret
secrets: secrets:
mysecret: mysecret:
file: ./secret.txt file: ./secret.txt
envsecret:
environment: SOME_SECRET