
Allow --secret flag to be set via an environment variable #3076

Open
bentekkie opened this issue Mar 21, 2025 · 6 comments
Labels
kind/enhancement New feature or request

Comments

@bentekkie

Description

I would like to be able to set the --secret flag via an environment variable so that I can have some secrets always automatically specified for my docker build commands.

@thaJeztah
Member

This probably relates to buildx, which is the cli-plugin that's executed when running docker build

Let me transfer this ticket

@thaJeztah thaJeztah transferred this issue from docker/cli Mar 21, 2025
@thaJeztah
Member

From a quick look, I wonder if this would be more something to handle through docker buildx bake (and a bakefile to set defaults to pass)

@bentekkie
Author

Ideally I would prefer this to work OOTB with docker build so that for example I could run an arbitrary script that might have docker build commands and have the secret provided to all of the builds.
I think this could also be implemented at the BuildKit instance level to have globally loaded secrets in the BuildKit instance but I think that is a much larger and more complicated change

@bentekkie
Author

Alternatively is there any way for a BuildKit frontend to add secrets to the secret store for a build session?
I know that retrieving the value of secrets in the frontend would be insecure, but it would be handy if a frontend could inject secrets into the secret store. The use case would be to inject files into RUN commands (like CA certificates) that one doesn't want to persist into the final image.

@thompson-shaun thompson-shaun added the kind/enhancement New feature or request label Mar 22, 2025
@tonistiigi
Member

You can load a secret value from env, but you still need to add a flag for this loading to happen via --secret or a Bake definition. I guess "auto-load" could be possible for some very specific env prefix, but we probably don't want these exception cases to confuse users.

so that for example I could run an arbitrary script that might have

Technically, we have automatic --load per builder that could maybe be extended to all properties (eg. for bake where there is already logic for merging definition). I think we need more use cases, though.

I know that retrieving the value of secrets in the frontend would be insecure, but it would be handy if a frontend could inject secrets into the secret store.

This is also technically possible, but we would need to understand the use case more. We do want secrets to be used "for secrets", not for some side effect that happens when loading secrets. Otherwise, it should probably be a new construct in buildkit.
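The point above, that the value can come from the environment but the `--secret` flag still has to be passed per build, can be bridged today with a small user-side wrapper. The example below is added here and is not code from this thread or from buildx/BuildKit: it scans the environment for variables with an assumed prefix (`BUILD_SECRET_`, a convention chosen for the example) and turns each into a `--secret id=<name>,env=<VAR>` argument. Because the `env=` source is used, only the variable name appears on the command line, so the secret value never lands in `ps` output or shell history; the Dockerfile then consumes it with `RUN --mount=type=secret,id=<name>`.

```shell
#!/usr/bin/env sh
# Added example, not part of the original issue. Assumes the user-chosen
# convention that exported variables named BUILD_SECRET_<ID> should become
# build secrets with id <id> (lower-cased). Only the variable *name* is
# handed to docker via env=, never the value.

build_secret_args() {
  prefix="${1:-BUILD_SECRET_}"
  # `env` lists exported variables as NAME=value; split on the first '='.
  env | while IFS='=' read -r name _; do
    case "$name" in
      "$prefix"*)
        # Derive a stable secret id from the suffix, e.g. NPM_TOKEN -> npm_token.
        id=$(printf '%s' "${name#"$prefix"}" | tr 'A-Z' 'a-z')
        printf -- '--secret id=%s,env=%s\n' "$id" "$name"
        ;;
    esac
  done | sort   # deterministic order regardless of environment layout
}

# Wrapper around `docker build` that prepends the derived --secret flags.
# In a Dockerfile the secret is read with:
#   RUN --mount=type=secret,id=npm_token cat /run/secrets/npm_token
# Word splitting on $(...) is intentional: ids and names contain no spaces.
docker_build_with_secrets() {
  # shellcheck disable=SC2046
  docker build $(build_secret_args) "$@"
}

# Usage (constructed values, for illustration only):
#   export BUILD_SECRET_NPM_TOKEN="example-token"
#   docker_build_with_secrets -t myimage .
```

The wrapper applies the same secrets to every `docker build` invoked through it, which covers the "arbitrary script full of build commands" case without any change to BuildKit; the trade-off is that every process started in that shell session can read the exported variables, so scope the exports to the script that needs them.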

@bentekkie
Author

For my use case I was actually able to solve this with a wrapper around the runc binary that injected the required environment variables and secret files that I needed.
Ideally it would be nice if BuildKit had support for injecting instance-wide secrets like this, but for now this workaround works.
