-
Notifications
You must be signed in to change notification settings - Fork 204
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat(build, docker, buildah, dockerfile): add secrets support (#6429)
Signed-off-by: Yaroslav Pershin <62902094+iapershin@users.noreply.github.com>
- Loading branch information
Showing
21 changed files
with
295 additions
and
10 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,56 @@ | ||
package config | ||
|
||
import ( | ||
"fmt" | ||
) | ||
|
||
type rawSecret struct { | ||
Id string `yaml:"id"` | ||
Env string `yaml:"env,omitempty"` | ||
Src string `yaml:"src,omitempty"` | ||
PlainValue string `yaml:"value,omitempty"` | ||
|
||
doc *doc `yaml:"-"` // parent | ||
|
||
UnsupportedAttributes map[string]interface{} `yaml:",inline"` | ||
} | ||
|
||
func (s *rawSecret) UnmarshalYAML(unmarshal func(interface{}) error) error { | ||
parentStack.Push(s) | ||
type plain rawSecret | ||
err := unmarshal((*plain)(s)) | ||
parentStack.Pop() | ||
if err != nil { | ||
return fmt.Errorf("secrets parsing error: %w", err) | ||
} | ||
|
||
if err := s.validate(); err != nil { | ||
return fmt.Errorf("secrets validation error: %w", err) | ||
} | ||
|
||
if err := checkOverflow(s.UnsupportedAttributes, nil, s.doc); err != nil { | ||
return fmt.Errorf("secrets validation error: %w", err) | ||
} | ||
|
||
return nil | ||
} | ||
|
||
func (s *rawSecret) validate() error { | ||
if !oneOrNone([]bool{s.Env != "", s.Src != "", s.PlainValue != ""}) { | ||
return newDetailedConfigError("specify only env or src or value in secret", s, s.doc) | ||
} | ||
return nil | ||
} | ||
|
||
func (s *rawSecret) toDirective() (Secret, error) { | ||
switch { | ||
case s.Env != "": | ||
return newSecretFromEnv(s) | ||
case s.Src != "": | ||
return newSecretFromSrc(s) | ||
case s.PlainValue != "": | ||
return newSecretFromPlainValue(s) | ||
default: | ||
return nil, newDetailedConfigError("secret type is not supported", s, s.doc) | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,111 @@ | ||
package config | ||
|
||
import ( | ||
"errors" | ||
"fmt" | ||
"os" | ||
"path/filepath" | ||
"time" | ||
) | ||
|
||
type Secret interface { | ||
GetSecretStringArg() (string, error) | ||
GetSecretId() string | ||
} | ||
|
||
type SecretFromEnv struct { | ||
Id string | ||
Value string | ||
} | ||
|
||
type SecretFromSrc struct { | ||
Id string | ||
Value string | ||
} | ||
|
||
type SecretFromPlainValue struct { | ||
Id string | ||
Value string | ||
} | ||
|
||
func newSecretFromEnv(s *rawSecret) (*SecretFromEnv, error) { | ||
if s.Id == "" { | ||
s.Id = s.Env | ||
} | ||
return &SecretFromEnv{ | ||
Id: s.Id, | ||
Value: s.Env, | ||
}, nil | ||
} | ||
|
||
func newSecretFromSrc(s *rawSecret) (*SecretFromSrc, error) { | ||
if s.Id == "" { | ||
s.Id = filepath.Base(s.Src) | ||
} | ||
return &SecretFromSrc{ | ||
Id: s.Id, | ||
Value: s.Src, | ||
}, nil | ||
} | ||
|
||
func newSecretFromPlainValue(s *rawSecret) (*SecretFromPlainValue, error) { | ||
if s.Id == "" { | ||
return nil, fmt.Errorf("type value should be used with id parameter") | ||
} | ||
return &SecretFromPlainValue{ | ||
Id: s.Id, | ||
Value: s.PlainValue, | ||
}, nil | ||
} | ||
|
||
func (s *SecretFromEnv) GetSecretStringArg() (string, error) { | ||
if _, exists := os.LookupEnv(s.Value); !exists { | ||
return "", fmt.Errorf("specified env variable doesn't exist") | ||
} | ||
return fmt.Sprintf("id=%s,env=%s", s.Id, s.Value), nil | ||
} | ||
|
||
func (s *SecretFromSrc) GetSecretStringArg() (string, error) { | ||
if _, err := os.Stat(s.Value); errors.Is(err, os.ErrNotExist) { | ||
return "", fmt.Errorf("path %s doesn't exist", s.Value) | ||
} | ||
return fmt.Sprintf("id=%s,src=%s", s.Id, s.Value), nil | ||
} | ||
|
||
func (s *SecretFromPlainValue) GetSecretStringArg() (string, error) { | ||
secret, err := s.setPlainValueAsEnv() | ||
if err != nil { | ||
return "", err | ||
} | ||
return secret.GetSecretStringArg() | ||
} | ||
|
||
func (s *SecretFromPlainValue) setPlainValueAsEnv() (*SecretFromEnv, error) { | ||
t := time.Now().Unix() | ||
envKey := fmt.Sprintf("tmpbuild%d_%s", t, s.Id) // generate unique value | ||
if _, e := os.LookupEnv(envKey); e { | ||
return nil, fmt.Errorf("can't set secret %s: id is not unique", s.Id) // should never be here | ||
} | ||
|
||
err := os.Setenv(envKey, s.Value) | ||
if err != nil { | ||
return nil, fmt.Errorf("can't set value") | ||
} | ||
|
||
return &SecretFromEnv{ | ||
Id: s.Id, | ||
Value: envKey, | ||
}, nil | ||
} | ||
|
||
func (s *SecretFromEnv) GetSecretId() string { | ||
return s.Id | ||
} | ||
|
||
func (s *SecretFromSrc) GetSecretId() string { | ||
return s.Id | ||
} | ||
|
||
func (s *SecretFromPlainValue) GetSecretId() string { | ||
return s.Id | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.