Add `secret`, `secrets-from-env` and `secrets-from-file`

2023-06-28 14:15:05 +03:00 · 2023-06-28 14:15:05 +03:00 · c4d9bfc937
parent 471b9e046d
commit c4d9bfc937
3 changed files with 76 additions and 0 deletions
--- a/cmd/drone-docker-buildx/config.go
+++ b/cmd/drone-docker-buildx/config.go
@ -321,5 +321,26 @@ func settingsFlags(settings *plugin.Settings, category string) []cli.Flag {
 			Destination: &settings.Build.SBOM,
 			Category:    category,
 		},
+		&cli.StringFlag{
+			Name:        "secret",
+			EnvVars:     []string{"PLUGIN_SECRET"},
+			Usage:       "secret key value pair eg id=MYSECRET",
+			Destination: &settings.Build.Secret,
+			Category:    category,
+		},
+		&cli.StringSliceFlag{
+			Name:        "secrets-from-env",
+			EnvVars:     []string{"PLUGIN_SECRETS_FROM_ENV"},
+			Usage:       "secret key value pair eg secret_name=secret",
+			Destination: &settings.Build.SecretEnvs,
+			Category:    category,
+		},
+		&cli.StringSliceFlag{
+			Name:        "secrets-from-file",
+			EnvVars:     []string{"PLUGIN_SECRETS_FROM_FILE"},
+			Usage:       "secret key value pairs eg secret_name=/path/to/secret",
+			Destination: &settings.Build.SecretFiles,
+			Category:    category,
+		},
 	}
 }
--- a/plugin/docker.go
+++ b/plugin/docker.go
@ -160,9 +160,61 @@ func commandBuild(build Build, dryrun bool) *execabs.Cmd {
 		args = append(args, "--sbom", build.SBOM)
 	}

+	if build.Secret != "" {
+		args = append(args, "--secret", build.Secret)
+	}
+
+	for _, secret := range build.SecretEnvs.Value() {
+		if arg, err := getSecretStringCmdArg(secret); err == nil {
+			args = append(args, "--secret", arg)
+		}
+	}
+
+	for _, secret := range build.SecretFiles.Value() {
+		if arg, err := getSecretFileCmdArg(secret); err == nil {
+			args = append(args, "--secret", arg)
+		}
+	}
+
+	// we need to enable BuildKit, for secret support
+	if build.Secret != "" || len(build.SecretEnvs.Value()) > 0 || len(build.SecretFiles.Value()) > 0 {
+		os.Setenv("DOCKER_BUILDKIT", "1")
+	}
+
 	return execabs.Command(dockerBin, args...)
 }

+// helper function to parse string secret key-pair
+func getSecretStringCmdArg(kvp string) (string, error) {
+	return getSecretCmdArg(kvp, false)
+}
+
+// helper function to parse file secret key-pair
+func getSecretFileCmdArg(kvp string) (string, error) {
+	return getSecretCmdArg(kvp, true)
+}
+
+// helper function to parse secret key-pair
+func getSecretCmdArg(kvp string, file bool) (string, error) {
+	delimIndex := strings.IndexByte(kvp, '=')
+	if delimIndex == -1 {
+		return "", fmt.Errorf("%s is not a valid secret", kvp)
+	}
+
+	key := kvp[:delimIndex]
+	value := kvp[delimIndex+1:]
+
+	if key == "" || value == "" {
+		return "", fmt.Errorf("%s is not a valid secret", kvp)
+	}
+
+	if file {
+		return fmt.Sprintf("id=%s,src=%s", key, value), nil
+	}
+
+	return fmt.Sprintf("id=%s,env=%s", key, value), nil
+}
+
 // helper function to add proxy values from the environment.
 func addProxyBuildArgs(build *Build) {
 	addProxyValue(build, "http_proxy")
--- a/plugin/impl.go
+++ b/plugin/impl.go
@ -65,6 +65,9 @@ type Build struct {
 	Labels       cli.StringSlice // Docker build labels
 	Provenance   string          // Docker build provenance attestation
 	SBOM         string          // Docker build sbom attestation
+	Secret       string          // Docker build secret keypair
+	SecretEnvs   cli.StringSlice // Docker build secrets with env var as source
+	SecretFiles  cli.StringSlice // Docker build secrets with file as source
 }

 // Settings for the Plugin.