New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
WIP: Build Secrets #28079
WIP: Build Secrets #28079
Conversation
Signed-off-by: Evan Hazlett <ejhazlett@gmail.com> secrets: vendor swarmkit Signed-off-by: Evan Hazlett <ejhazlett@gmail.com>
Signed-off-by: Evan Hazlett <ejhazlett@gmail.com> wip: use tmpfs for swarm secrets Signed-off-by: Evan Hazlett <ejhazlett@gmail.com> wip: inject secrets from swarm secret store Signed-off-by: Evan Hazlett <ejhazlett@gmail.com> secrets: use secret names in cli for service create Signed-off-by: Evan Hazlett <ejhazlett@gmail.com> switch to use mounts instead of volumes Signed-off-by: Evan Hazlett <ejhazlett@gmail.com> vendor: use ehazlett swarmkit Signed-off-by: Evan Hazlett <ejhazlett@gmail.com> secrets: finish secret update Signed-off-by: Evan Hazlett <ejhazlett@gmail.com>
- fix lint issues - use errors pkg for wrapping errors - cleanup on error when setting up secrets mount - fix erroneous import - remove unneeded switch for secret reference mode - return single mount for secrets instead of slice Signed-off-by: Evan Hazlett <ejhazlett@gmail.com>
Signed-off-by: Evan Hazlett <ejhazlett@gmail.com>
- use /secrets for swarm secret create route - do not specify omitempty for secret and secret reference - simplify lookup for secret ids - do not use pointer for secret grpc conversion Signed-off-by: Evan Hazlett <ejhazlett@gmail.com>
Signed-off-by: Evan Hazlett <ejhazlett@gmail.com>
Signed-off-by: Evan Hazlett <ejhazlett@gmail.com>
Signed-off-by: Evan Hazlett <ejhazlett@gmail.com>
- add nosuid and noexec to tmpfs Signed-off-by: Evan Hazlett <ejhazlett@gmail.com>
Signed-off-by: Evan Hazlett <ejhazlett@gmail.com>
Signed-off-by: Evan Hazlett <ejhazlett@gmail.com> docs: minor update to service create usage Signed-off-by: Evan Hazlett <ejhazlett@gmail.com>
Signed-off-by: Evan Hazlett <ejhazlett@gmail.com>
Signed-off-by: Evan Hazlett <ejhazlett@gmail.com>
Signed-off-by: Evan Hazlett <ejhazlett@gmail.com>
Signed-off-by: Evan Hazlett <ejhazlett@gmail.com>
Signed-off-by: Evan Hazlett <ejhazlett@gmail.com>
Signed-off-by: Evan Hazlett <ejhazlett@gmail.com>
Signed-off-by: Evan Hazlett <ejhazlett@gmail.com>
Signed-off-by: Evan Hazlett <ejhazlett@gmail.com>
Signed-off-by: Evan Hazlett <ejhazlett@gmail.com>
Signed-off-by: Evan Hazlett <ejhazlett@gmail.com>
Signed-off-by: Evan Hazlett <ejhazlett@gmail.com>
Signed-off-by: Evan Hazlett <ejhazlett@gmail.com>
- use Filters instead of Filter for secret list - UID, GID -> string - getSecrets -> getSecretsByName - updated test case for secrets with better source - use golang.org/x/context instead of context - for grpc conversion allocate with make - check for nil with task.Spec.GetContainer() Signed-off-by: Evan Hazlett <ejhazlett@gmail.com>
Signed-off-by: Evan Hazlett <ejhazlett@gmail.com>
Signed-off-by: Evan Hazlett <ejhazlett@gmail.com>
Signed-off-by: Evan Hazlett <ejhazlett@gmail.com>
Signed-off-by: Evan Hazlett <ejhazlett@gmail.com>
Signed-off-by: Evan Hazlett <ejhazlett@gmail.com>
Signed-off-by: Evan Hazlett <ejhazlett@gmail.com>
Something is not quite in the current code :
Other than that, design LGTM 🐸 for me. I don't think we should invalidate the cache automatically with |
Let me think; even if we would detect changes to the secrets, it would always invalidate the entire cache, because we don't know which layers (possibly) access the secrets, so that would be similar to Still, it would be good if we could detect changes (as I think users would expect a change to result in a cache bust), but only of course if that doesn't lead to security issues (was thinking of a hash of the encrypted secrets?) ping @NathanMcCauley @cyli @diogomonica any thoughts? |
@vdemeester @justincormack I should have added WIP. This was to get feedback on the idea. I'll add tests.
This creates it in |
Should we even allow secret modifications? Why not have it be read-only and not worry about it? |
Yes I need to remount to |
@thaJeztah Possibly if we wanted to do detect changes, salting + stretching the secret might be better than a hash? (e.g. PBKDF2 or scrypt, as opposed to SHA#) I'm not sure about automatically invalidating the cache - I can see arguments for both cases. |
I don't think invalidation is necessarily going to be hard here. Since secrets are effectively immutable and live within Docker, not just some random file, we can use the name+create time of the secret hashed in the build history even. Or if not timestamp, some randomly generated token that we can compare with. |
@cpuguy83 these are build time secrets that come from client side. for example this could be an ssh key that is used for git that could change, or a password for a service, etc. |
This would be very useful for us, thanks! Two small things:
|
I think secrets are orthogonal to builds, and a secret changing doesn't mean changes to the content of the layer itself. Therefore, I think we shouldn't invalidate, and if people so desire, they can use the Additionally, we can always change this to invalidate the cache later (worse case scenario, builds will be less efficient), and we can really never take it back if we ship it with invalidation and people start depending on the cache-busting side-effects. |
I agree. If they really need to rebuild there is --no-cache. |
@diogomonica good point. let's keep it that way and allow the user to decide on invalidation. |
Care to elaborate why this got closed? |
@ehazlett would better elaborate, but I think it's mainly to be concentrated on secrets in services for 1.13 (and make it right) and come back later on that one. Let say its a temporary close to help us focus on 1.13 for now 👼 |
This is very outdated and not targeted for 1.13. We can re-open if we decide to add this. |
Sooo? Those service secrets don't solve the problem of build secrets, do they? |
Since there was interest, I've rebased and opened a PR (apparently GH won't let me re-open this since I had to rebase and force push) #30637 |
Hi, any progress on this? Not being able to specify build-time secrets (like GitHub keys or tokens) is holding us back from using Docker. I feel like we've been waiting over a full year for this ... Any ETA on when this will be available? I don't mean to pile on, and we certainly appreciate all of your hard work in making Docker free for us to use, but unless we can securely pull code from a private github repo into our Docker build, I don't see how we can use Docker? Thanks! :-) |
@joelpresence [WIP] Build Secrets #30637 In the meantime, you have 2 possibilities:
|
RE-OPENED in #30637
This enables build time secrets using the
--build-secret
flag.Similar to #27794 this creates a tmpfs during each run of the build and exposes the specified "secrets" into the container. These are not committed to the image.
Here is an example Dockerfile:
Given the following command:
This will expose the key from
~/git-key
as/run/secrets/git-key
. This can be used however needed during build by the correspondingRUN
directives.Here is the example output:
Depends on: #27794 I re-used some structs from that PR to reduce duplication.