Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

bake: support compose build secrets #1069

Merged
merged 2 commits into from
Apr 14, 2022
Merged

bake: support compose build secrets #1069

merged 2 commits into from
Apr 14, 2022

Conversation

crazy-max
Copy link
Member

fixes #1060

Adds support for compose build secrets with bake. Needs to vendor compose-go compose-spec/compose-go@v1.2.1...v1.2.4. See spec https://github.com/compose-spec/compose-spec/blob/master/build.md#secrets.

We can keep the x-bake secret field for now imo.

Also env secret type is supported with the following format:

services:
  webapp:
    build:
      context: .
      secrets:
        - ENV_TOKEN

secrets:
  ENV_TOKEN: {}

I will review our documentation about bake and create dedicated guides for compose and hcl formats for this kind of use cases in a follow-up.

cc @glours @ciaranmcnulty

@crazy-max
update github.com/compose-spec/compose-go to v1.2.4
3a90f99 
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
glours
glours approved these changes Apr 13, 2022
View reviewed changes
Copy link
Contributor

@glours glours left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

tonistiigi
tonistiigi reviewed Apr 13, 2022
View reviewed changes
Copy link
Member

@tonistiigi tonistiigi left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess in the future we can discuss how this could be changed to a typed structure. But hacky to encode csv so it can be parsed again. (There is also a plan to allow defining the secret keys in json/hcl directly instead of csv).

bake/compose.go Outdated
func composeToBuildkitSecret(inp compose.ServiceSecretConfig, projectSecrets compose.Secrets) (string, error) {
psecret := projectSecrets[inp.Source]
if psecret.External.External {
return "", fmt.Errorf("unsupported external secret %s", psecret.Name)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

errors.Errorf

bake/compose.go Outdated

// composeToBuildkitSecret converts secret from compose format to buildkit's
// csv format.
func composeToBuildkitSecret(inp compose.ServiceSecretConfig, projectSecrets compose.Secrets) (string, error) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why doesn't this just take psecret as parameter?

tonistiigi
tonistiigi reviewed Apr 13, 2022
View reviewed changes
bake/compose.go Outdated
if psecret.File != "" {
bkattrs = append(bkattrs, "src="+psecret.File)
}
if inp.Target != "" {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What are these things: targets, uid, gid, mode? These can't be set by the flags but are determined by the definition in Dockerfile.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh my bad I confused the secret mount in the Dockerfile syntax with the secret flag!

@crazy-max
Copy link
Member Author

I guess in the future we can discuss how this could be changed to a typed structure. But hacky to encode csv so it can be parsed again. (There is also a plan to allow defining the secret keys in json/hcl directly instead of csv).

Yes typed structure would be nice and also expose a contract in BuildKit so we don't have hardcoded attributes that could potentially drift.

@crazy-max
bake: support compose build secrets
c0f8a83 
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
@crazy-max
Copy link
Member Author

What are these things: targets, uid, gid, mode? These can't be set by the flags but are determined by the definition in Dockerfile.

@glours Looking at this, adding these fields in the compose-spec might have been out of scope for buildx.

@crazy-max crazy-max merged commit a2d5bc7 into docker:master Apr 14, 2022
@crazy-max crazy-max deleted the compose-build-secrets branch April 14, 2022 10:06
@crazy-max crazy-max added this to the v0.9.0 milestone Jun 5, 2022
@sumnerwarren sumnerwarren mentioned this pull request May 3, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@glours glours glours approved these changes

@tonistiigi tonistiigi tonistiigi approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
v0.9.0
Development

Successfully merging this pull request may close these issues.

Support build.secrets in yaml
3 participants
@crazy-max @tonistiigi @glours