

feat(build, buildah, dockerfile, staged): add secrets support (#6454)
Signed-off-by: Yaroslav Pershin <62902094+iapershin@users.noreply.github.com>
iapershin authored Dec 2, 2024
1 parent a6b2530 commit 051c4e4
Showing 6 changed files with 15 additions and 12 deletions.
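--- a/pkg/build/image/dockerfile.go
+++ b/pkg/build/image/dockerfile.go
@@ -219,7 +219,7 @@ func mapDockerfileToImagesSets(ctx context.Context, cfg *dockerfile.Dockerfile,
 case *dockerfile.DockerfileStageInstruction[*instructions.OnbuildCommand]:
 stg = stage_instruction.NewOnBuild(typedInstr, dockerfileImageConfig.Dependencies, !isFirstStage, &baseStageOptions)
 case *dockerfile.DockerfileStageInstruction[*instructions.RunCommand]:
-stg = stage_instruction.NewRun(typedInstr, dockerfileImageConfig.Dependencies, !isFirstStage, &baseStageOptions)
+stg = stage_instruction.NewRun(typedInstr, dockerfileImageConfig.Dependencies, !isFirstStage, &baseStageOptions, dockerfileImageConfig.Secrets)
 case *dockerfile.DockerfileStageInstruction[*instructions.ShellCommand]:
 stg = stage_instruction.NewShell(typedInstr, dockerfileImageConfig.Dependencies, !isFirstStage, &baseStageOptions)
 case *dockerfile.DockerfileStageInstruction[*instructions.StopSignalCommand]: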
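--- a/pkg/build/stage/instruction/run.go
+++ b/pkg/build/stage/instruction/run.go
@@ -19,8 +19,8 @@ type Run struct {
 *Base[*instructions.RunCommand, *backend_instruction.Run]
 }
 
-func NewRun(i *dockerfile.DockerfileStageInstruction[*instructions.RunCommand], dependencies []*config.Dependency, hasPrevStage bool, opts *stage.BaseStageOptions) *Run {
-return &Run{Base: NewBase(i, backend_instruction.NewRun(*i.Data, nil), dependencies, hasPrevStage, opts)}
+func NewRun(i *dockerfile.DockerfileStageInstruction[*instructions.RunCommand], dependencies []*config.Dependency, hasPrevStage bool, opts *stage.BaseStageOptions, secrets []string) *Run {
+return &Run{Base: NewBase(i, backend_instruction.NewRun(*i.Data, nil, secrets), dependencies, hasPrevStage, opts)}
 }
 
 func (stg *Run) ExpandDependencies(ctx context.Context, c stage.Conveyor, baseEnv map[string]string) error {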
1 change: 1 addition & 0 deletions pkg/buildah/common.go
Expand Up @@ -78,6 +78,7 @@ type RunCommandOpts struct {
WorkingDir string
User string
Envs []string
Secrets []string
// Mounts as allowed to be passed from command line.
GlobalMounts []*specs.Mount
// Mounts as allowed in Dockerfile RUN --mount option. Have more restrictions than GlobalMounts (e.g. Source of bind-mount can't be outside of ContextDir or container root).
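Review bot: The new `Secrets` field near the top of the hunk has no comment, while the neighbouring `GlobalMounts`/`RunMounts` fields spell out what may and may not be passed, and this field is the one that carries secret references across the backend boundary. Suggested: `// Secrets are the raw secret specs handed to buildah's parse.Secrets for RUN --mount=type=secret; they are references (a file path or an environment variable name), not the secret values themselves, and are expected to have passed GetValidatedSecrets in pkg/config before reaching the backend.` The enclosing `RunCommandOpts` struct starts and ends outside the hunk.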
8 changes: 6 additions & 2 deletions pkg/buildah/native_linux.go
Expand Up @@ -436,6 +436,11 @@ func (b *NativeBuildah) RunCommand(ctx context.Context, container string, comman
return err
}

buildahSecrets, err := parse.Secrets(opts.Secrets)
if err != nil {
return fmt.Errorf("unable to parse secrets: %w", err)
}

runOpts := buildah.RunOptions{
Env: opts.Envs,
ContextDir: contextDir,
Expand All @@ -453,8 +458,7 @@ func (b *NativeBuildah) RunCommand(ctx context.Context, container string, comman
Cmd: []string{},
Mounts: globalMounts,
RunMounts: runMounts,
// TODO(ilya-lesikov):
Secrets: nil,
Secrets: buildahSecrets,
// TODO(ilya-lesikov):
SSHSources: nil,
}
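Review bot: The added `parse.Secrets(opts.Secrets)` call runs inside `RunCommand`, so the specs are re-parsed for every RUN instruction and, if buildah's parser resolves a relative `src` against the process working directory as I believe it does, the host file actually read depends on where werf was started rather than on the build context — worth confirming that `GetValidatedSecrets` (pkg/config, touched in this commit) already normalises paths so the backend never opens an unintended host file. The wrapped error `unable to parse secrets: %w` surfaces buildah's message, which may echo the offending spec; that spec holds an id and a source reference, not secret data, so logging it is acceptable, but a one-line comment stating that would save the next reader the check, e.g. `// parse.Secrets reports only the spec (id/src/env name), never the secret payload.` The second hunk replaces the `TODO(ilya-lesikov)` placeholder for `Secrets` while the sibling `SSHSources` TODO remains, so the run-options wiring is still only partly settled. `RunCommand` begins before the first hunk and ends after the second.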
4 changes: 0 additions & 4 deletions pkg/config/raw_image_from_dockerfile.go
Expand Up @@ -143,10 +143,6 @@ func (c *rawImageFromDockerfile) toImageFromDockerfileDirective(giterminismManag
image.platform = append([]string{}, c.Platform...)
image.raw = c

if len(c.RawSecrets) > 0 && image.Staged {
return nil, fmt.Errorf("secrets are not supported for staged build yet")
}

secrets, err := GetValidatedSecrets(c.RawSecrets, giterminismManager, c.doc)
if err != nil {
return nil, err
8 changes: 5 additions & 3 deletions pkg/container_backend/instruction/run.go
Expand Up @@ -14,11 +14,12 @@ import (

type Run struct {
instructions.RunCommand
Envs []string
Envs []string
Secrets []string
}

func NewRun(i instructions.RunCommand, envs []string) *Run {
return &Run{RunCommand: i, Envs: envs}
func NewRun(i instructions.RunCommand, envs, secrets []string) *Run {
return &Run{RunCommand: i, Envs: envs, Secrets: secrets}
}

func (i *Run) UsesBuildContext() bool {
Expand Down Expand Up @@ -68,6 +69,7 @@ func (i *Run) Apply(ctx context.Context, containerName string, drv buildah.Build
NetworkType: i.GetNetwork(),
RunMounts: i.GetMounts(),
Envs: i.Envs,
Secrets: i.Secrets,
}); err != nil {
return fmt.Errorf("error running command %v for container %s: %w", i.CmdLine, containerName, err)
}
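Review bot: The new `Secrets []string` field in `Run` and the matching `secrets` parameter of `NewRun` are undocumented, and the slice is stored as-is, so a caller that later mutates the slice it passed in changes what `Apply` forwards to the backend in the second hunk. If that isolation matters, `Secrets: append([]string{}, secrets...)` in `NewRun` mirrors the copy idiom this commit already shows in pkg/config (`append([]string{}, c.Platform...)`). Suggested field comment: `// Secrets holds the raw secret specs (buildah --secret syntax) passed unchanged to the backend's run options in Apply; they reference files or environment variables and do not contain the secret values.` The `Apply` method in the second hunk starts and ends outside the visible lines.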
