Add `secret`, `secrets-from-env` and `secrets-from-file`
This commit is contained in:
parent
471b9e046d
commit
c4d9bfc937
|
@ -321,5 +321,26 @@ func settingsFlags(settings *plugin.Settings, category string) []cli.Flag {
|
|||
Destination: &settings.Build.SBOM,
|
||||
Category: category,
|
||||
},
|
||||
&cli.StringFlag{
|
||||
Name: "secret",
|
||||
EnvVars: []string{"PLUGIN_SECRET"},
|
||||
Usage: "secret key value pair eg id=MYSECRET",
|
||||
Destination: &settings.Build.Secret,
|
||||
Category: category,
|
||||
},
|
||||
&cli.StringSliceFlag{
|
||||
Name: "secrets-from-env",
|
||||
EnvVars: []string{"PLUGIN_SECRETS_FROM_ENV"},
|
||||
Usage: "secret key value pair eg secret_name=secret",
|
||||
Destination: &settings.Build.SecretEnvs,
|
||||
Category: category,
|
||||
},
|
||||
&cli.StringSliceFlag{
|
||||
Name: "secrets-from-file",
|
||||
EnvVars: []string{"PLUGIN_SECRETS_FROM_FILE"},
|
||||
Usage: "secret key value pairs eg secret_name=/path/to/secret",
|
||||
Destination: &settings.Build.SecretFiles,
|
||||
Category: category,
|
||||
},
|
||||
}
|
||||
}
|
||||
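Review bot: The usage text for the `secret` flag suggests `id=MYSECRET`, but commandBuild forwards this value to `docker build --secret` unchanged, whereas `secrets-from-env` and `secrets-from-file` entries are first rewritten into the `id=…,env=…` / `id=…,src=…` form; the help text should say the value is passed through verbatim so users know to supply the full BuildKit syntax themselves, e.g. `Usage: "raw docker --secret argument, forwarded unchanged (eg id=mysecret,src=/path/to/file)"`. The two list flags also alternate between "pair" and "pairs" in their usage strings; pick one wording for all three. settingsFlags starts outside the hunk.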
|
|
|
@ -160,9 +160,61 @@ func commandBuild(build Build, dryrun bool) *execabs.Cmd {
|
|||
args = append(args, "--sbom", build.SBOM)
|
||||
}
|
||||
|
||||
if build.Secret != "" {
|
||||
args = append(args, "--secret", build.Secret)
|
||||
}
|
||||
|
||||
for _, secret := range build.SecretEnvs.Value() {
|
||||
if arg, err := getSecretStringCmdArg(secret); err == nil {
|
||||
args = append(args, "--secret", arg)
|
||||
}
|
||||
}
|
||||
|
||||
for _, secret := range build.SecretFiles.Value() {
|
||||
if arg, err := getSecretFileCmdArg(secret); err == nil {
|
||||
args = append(args, "--secret", arg)
|
||||
}
|
||||
}
|
||||
|
||||
// we need to enable BuildKit, for secret support
|
||||
if build.Secret != "" || len(build.SecretEnvs.Value()) > 0 || len(build.SecretFiles.Value()) > 0 {
|
||||
os.Setenv("DOCKER_BUILDKIT", "1")
|
||||
}
|
||||
|
||||
return execabs.Command(dockerBin, args...)
|
||||
}
|
||||
|
||||
// helper function to parse string secret key-pair
|
||||
func getSecretStringCmdArg(kvp string) (string, error) {
|
||||
return getSecretCmdArg(kvp, false)
|
||||
}
|
||||
|
||||
// helper function to parse file secret key-pair
|
||||
func getSecretFileCmdArg(kvp string) (string, error) {
|
||||
return getSecretCmdArg(kvp, true)
|
||||
}
|
||||
|
||||
// helper function to parse secret key-pair
|
||||
func getSecretCmdArg(kvp string, file bool) (string, error) {
|
||||
delimIndex := strings.IndexByte(kvp, '=')
|
||||
if delimIndex == -1 {
|
||||
return "", fmt.Errorf("%s is not a valid secret", kvp)
|
||||
}
|
||||
|
||||
key := kvp[:delimIndex]
|
||||
value := kvp[delimIndex+1:]
|
||||
|
||||
if key == "" || value == "" {
|
||||
return "", fmt.Errorf("%s is not a valid secret", kvp)
|
||||
}
|
||||
|
||||
if file {
|
||||
return fmt.Sprintf("id=%s,src=%s", key, value), nil
|
||||
}
|
||||
|
||||
return fmt.Sprintf("id=%s,env=%s", key, value), nil
|
||||
}
|
||||
|
||||
// helper function to add proxy values from the environment.
|
||||
func addProxyBuildArgs(build *Build) {
|
||||
addProxyValue(build, "http_proxy")
|
||||
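Review bot: A malformed `secrets-from-env` or `secrets-from-file` entry is silently dropped in commandBuild: both loops append only when `err == nil` and never surface the error returned by getSecretStringCmdArg/getSecretFileCmdArg, so the image builds without that secret and the failure shows up later as an unrelated Dockerfile error. Surface it, for example `} else { log.Printf("skipping invalid secret entry: %v", err) }` in each loop, or preferably abort the build, using whatever logger this file already has (not visible in the hunk). The `os.Setenv("DOCKER_BUILDKIT", "1")` call has a related problem: its error is discarded and it mutates the plugin's own process environment rather than only the child's; `cmd.Env = append(os.Environ(), "DOCKER_BUILDKIT=1")` on the returned command would scope it to docker. commandBuild starts outside the hunk.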
|
|
|
@ -65,6 +65,9 @@ type Build struct {
|
|||
Labels cli.StringSlice // Docker build labels
|
||||
Provenance string // Docker build provenance attestation
|
||||
SBOM string // Docker build sbom attestation
|
||||
Secret string // Docker build secret keypair
|
||||
SecretEnvs cli.StringSlice // Docker build secrets with env var as source
|
||||
SecretFiles cli.StringSlice // Docker build secrets with file as source
|
||||
}
|
||||
|
||||
// Settings for the Plugin.
|
||||
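Review bot: The comments on the three new Build fields say what they are for but not the element format the parser enforces: getSecretCmdArg in commandBuild rejects any entry that lacks a non-empty key and value around the first `=`. Spell that out so code constructing Build directly gets it right, e.g. `SecretEnvs cli.StringSlice // Docker build secrets, each "id=ENV_VAR", read from that environment variable` and `SecretFiles cli.StringSlice // Docker build secrets, each "id=/path/to/file", read from that file`. For `Secret`, the comment should note the value is passed to `docker build --secret` as-is. The Build struct starts outside the hunk.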
|
|