feat(build, buildah, dockerfile, staged): add secrets support (#6454)

iapershin · web-flow · commit 051c4e46214c · 2024-12-02T23:37:27.000Z
Signed-off-by: Yaroslav Pershin &lt;62902094+iapershin@users.noreply.github.com&gt;
diff --git a/pkg/build/image/dockerfile.go b/pkg/build/image/dockerfile.go
@@ -219,7 +219,7 @@ func mapDockerfileToImagesSets(ctx context.Context, cfg *dockerfile.Dockerfile,
 			case *dockerfile.DockerfileStageInstruction[*instructions.OnbuildCommand]:
 				stg = stage_instruction.NewOnBuild(typedInstr, dockerfileImageConfig.Dependencies, !isFirstStage, &baseStageOptions)
 			case *dockerfile.DockerfileStageInstruction[*instructions.RunCommand]:
-				stg = stage_instruction.NewRun(typedInstr, dockerfileImageConfig.Dependencies, !isFirstStage, &baseStageOptions)
+				stg = stage_instruction.NewRun(typedInstr, dockerfileImageConfig.Dependencies, !isFirstStage, &baseStageOptions, dockerfileImageConfig.Secrets)
 			case *dockerfile.DockerfileStageInstruction[*instructions.ShellCommand]:
 				stg = stage_instruction.NewShell(typedInstr, dockerfileImageConfig.Dependencies, !isFirstStage, &baseStageOptions)
 			case *dockerfile.DockerfileStageInstruction[*instructions.StopSignalCommand]:
diff --git a/pkg/build/stage/instruction/run.go b/pkg/build/stage/instruction/run.go
@@ -19,8 +19,8 @@ type Run struct {
 	*Base[*instructions.RunCommand, *backend_instruction.Run]
 }
 
-func NewRun(i *dockerfile.DockerfileStageInstruction[*instructions.RunCommand], dependencies []*config.Dependency, hasPrevStage bool, opts *stage.BaseStageOptions) *Run {
-	return &Run{Base: NewBase(i, backend_instruction.NewRun(*i.Data, nil), dependencies, hasPrevStage, opts)}
+func NewRun(i *dockerfile.DockerfileStageInstruction[*instructions.RunCommand], dependencies []*config.Dependency, hasPrevStage bool, opts *stage.BaseStageOptions, secrets []string) *Run {
+	return &Run{Base: NewBase(i, backend_instruction.NewRun(*i.Data, nil, secrets), dependencies, hasPrevStage, opts)}
 }
 
 func (stg *Run) ExpandDependencies(ctx context.Context, c stage.Conveyor, baseEnv map[string]string) error {
diff --git a/pkg/buildah/common.go b/pkg/buildah/common.go
@@ -78,6 +78,7 @@ type RunCommandOpts struct {
 	WorkingDir       string
 	User             string
 	Envs             []string
+	Secrets          []string
 	// Mounts as allowed to be passed from command line.
 	GlobalMounts []*specs.Mount
 	// Mounts as allowed in Dockerfile RUN --mount option. Have more restrictions than GlobalMounts (e.g. Source of bind-mount can't be outside of ContextDir or container root).
diff --git a/pkg/buildah/native_linux.go b/pkg/buildah/native_linux.go
@@ -436,6 +436,11 @@ func (b *NativeBuildah) RunCommand(ctx context.Context, container string, comman
 		return err
 	}
 
+	buildahSecrets, err := parse.Secrets(opts.Secrets)
+	if err != nil {
+		return fmt.Errorf("unable to parse secrets: %w", err)
+	}
+
 	runOpts := buildah.RunOptions{
 		Env:              opts.Envs,
 		ContextDir:       contextDir,
@@ -453,8 +458,7 @@ func (b *NativeBuildah) RunCommand(ctx context.Context, container string, comman
 		Cmd:              []string{},
 		Mounts:           globalMounts,
 		RunMounts:        runMounts,
-		// TODO(ilya-lesikov):
-		Secrets: nil,
+		Secrets:          buildahSecrets,
 		// TODO(ilya-lesikov):
 		SSHSources: nil,
 	}
diff --git a/pkg/config/raw_image_from_dockerfile.go b/pkg/config/raw_image_from_dockerfile.go
@@ -143,10 +143,6 @@ func (c *rawImageFromDockerfile) toImageFromDockerfileDirective(giterminismManag
 	image.platform = append([]string{}, c.Platform...)
 	image.raw = c
 
-	if len(c.RawSecrets) > 0 && image.Staged {
-		return nil, fmt.Errorf("secrets are not supported for staged build yet")
-	}
-
 	secrets, err := GetValidatedSecrets(c.RawSecrets, giterminismManager, c.doc)
 	if err != nil {
 		return nil, err
diff --git a/pkg/container_backend/instruction/run.go b/pkg/container_backend/instruction/run.go
@@ -14,11 +14,12 @@ import (
 
 type Run struct {
 	instructions.RunCommand
-	Envs []string
+	Envs    []string
+	Secrets []string
 }
 
-func NewRun(i instructions.RunCommand, envs []string) *Run {
-	return &Run{RunCommand: i, Envs: envs}
+func NewRun(i instructions.RunCommand, envs, secrets []string) *Run {
+	return &Run{RunCommand: i, Envs: envs, Secrets: secrets}
 }
 
 func (i *Run) UsesBuildContext() bool {
@@ -68,6 +69,7 @@ func (i *Run) Apply(ctx context.Context, containerName string, drv buildah.Build
 		NetworkType:     i.GetNetwork(),
 		RunMounts:       i.GetMounts(),
 		Envs:            i.Envs,
+		Secrets:         i.Secrets,
 	}); err != nil {
 		return fmt.Errorf("error running command %v for container %s: %w", i.CmdLine, containerName, err)
 	}

Original file line number	Diff line number	Diff line change
`@@ -19,8 +19,8 @@ type Run struct {`
`19`	`19`	`Base[instructions.RunCommand, *backend_instruction.Run]`
`20`	`20`	`}`
`21`	`21`
`22`		`-func NewRun(i dockerfile.DockerfileStageInstruction[instructions.RunCommand], dependencies []config.Dependency, hasPrevStage bool, opts stage.BaseStageOptions) *Run {`
`23`		`- return &Run{Base: NewBase(i, backend_instruction.NewRun(*i.Data, nil), dependencies, hasPrevStage, opts)}`
	`22`	`+func NewRun(i dockerfile.DockerfileStageInstruction[instructions.RunCommand], dependencies []config.Dependency, hasPrevStage bool, opts stage.BaseStageOptions, secrets []string) *Run {`
	`23`	`+ return &Run{Base: NewBase(i, backend_instruction.NewRun(*i.Data, nil, secrets), dependencies, hasPrevStage, opts)}`
`24`	`24`	`}`
`25`	`25`
`26`	`26`	`func (stg *Run) ExpandDependencies(ctx context.Context, c stage.Conveyor, baseEnv map[string]string) error {`