Skip to content

bake: support compose build secrets#1069

Merged
crazy-max merged 2 commits intodocker:masterfrom
crazy-max:compose-build-secrets
Apr 14, 2022
Merged

bake: support compose build secrets#1069
crazy-max merged 2 commits intodocker:masterfrom
crazy-max:compose-build-secrets

Conversation

@crazy-max
Copy link
Member

@crazy-max crazy-max commented Apr 13, 2022

fixes #1060

Adds support for compose build secrets with bake. Needs to vendor compose-go compose-spec/compose-go@v1.2.1...v1.2.4. See spec https://github.com/compose-spec/compose-spec/blob/master/build.md#secrets.

We can keep the x-bake secret field for now imo.

Also env secret type is supported with the following format:

services:
  webapp:
    build:
      context: .
      secrets:
        - ENV_TOKEN

secrets:
  ENV_TOKEN: {}

I will review our documentation about bake and create dedicated guides for compose and hcl formats for this kind of use cases in a follow-up.

cc @glours @ciaranmcnulty

@crazy-max
update github.com/compose-spec/compose-go to v1.2.4
3a90f99 
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
@crazy-max crazy-max force-pushed the compose-build-secrets branch from 4ded8e6 to 52d4cb9 Compare April 13, 2022 15:07
glours
glours approved these changes Apr 13, 2022
View reviewed changes
Copy link
Contributor

@glours glours left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

tonistiigi
tonistiigi reviewed Apr 13, 2022
View reviewed changes
Copy link
Member

@tonistiigi tonistiigi left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess in the future we can discuss how this could be changed to a typed structure. But hacky to encode csv so it can be parsed again. (There is also a plan to allow defining the secret keys in json/hcl directly instead of csv).

bake/compose.go Outdated
func composeToBuildkitSecret(inp compose.ServiceSecretConfig, projectSecrets compose.Secrets) (string, error) {
psecret := projectSecrets[inp.Source]
if psecret.External.External {
return "", fmt.Errorf("unsupported external secret %s", psecret.Name)
Copy link
Member

@tonistiigi tonistiigi Apr 13, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

errors.Errorf

bake/compose.go Outdated

// composeToBuildkitSecret converts secret from compose format to buildkit's
// csv format.
func composeToBuildkitSecret(inp compose.ServiceSecretConfig, projectSecrets compose.Secrets) (string, error) {
Copy link
Member

@tonistiigi tonistiigi Apr 13, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why doesn't this just take psecret as parameter?

@crazy-max crazy-max force-pushed the compose-build-secrets branch from 52d4cb9 to f9f763a Compare April 13, 2022 23:14
tonistiigi
tonistiigi reviewed Apr 13, 2022
View reviewed changes
bake/compose.go Outdated
if psecret.File != "" {
bkattrs = append(bkattrs, "src="+psecret.File)
}
if inp.Target != "" {
Copy link
Member

@tonistiigi tonistiigi Apr 13, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What are these things: targets, uid, gid, mode? These can't be set by the flags but are determined by the definition in Dockerfile.

Copy link
Member Author

@crazy-max crazy-max Apr 13, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh my bad I confused the secret mount in the Dockerfile syntax with the secret flag!

@crazy-max
Copy link
Member Author

crazy-max commented Apr 13, 2022

I guess in the future we can discuss how this could be changed to a typed structure. But hacky to encode csv so it can be parsed again. (There is also a plan to allow defining the secret keys in json/hcl directly instead of csv).

Yes typed structure would be nice and also expose a contract in BuildKit so we don't have hardcoded attributes that could potentially drift.

@crazy-max
bake: support compose build secrets
c0f8a83 
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
@crazy-max crazy-max force-pushed the compose-build-secrets branch from f9f763a to c0f8a83 Compare April 13, 2022 23:28
@crazy-max
Copy link
Member Author

crazy-max commented Apr 13, 2022

What are these things: targets, uid, gid, mode? These can't be set by the flags but are determined by the definition in Dockerfile.

@glours Looking at this, adding these fields in the compose-spec might have been out of scope for buildx.

@crazy-max crazy-max merged commit a2d5bc7 into docker:master Apr 14, 2022
@crazy-max crazy-max deleted the compose-build-secrets branch April 14, 2022 10:06
@crazy-max crazy-max added this to the v0.9.0 milestone Jun 5, 2022
@sumnerwarren sumnerwarren mentioned this pull request May 3, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tonistiigi tonistiigi tonistiigi approved these changes

+1 more reviewer

@glours glours glours approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

v0.9.0

Development

Successfully merging this pull request may close these issues.

Support build.secrets in yaml

3 participants

@crazy-max @tonistiigi @glours