From c4d9bfc937cc6f03b5bf74eb2105932b68b55871 Mon Sep 17 00:00:00 2001
From: Moein Nemati
Date: Wed, 28 Jun 2023 14:15:05 +0300
Subject: [PATCH] Add `secret`, `secrets-from-env` and `secrets-from-file`
---
 cmd/drone-docker-buildx/config.go | 21 +++++++++++++
 plugin/docker.go | 52 +++++++++++++++++++++++++++++++
 plugin/impl.go | 3 ++
 3 files changed, 76 insertions(+)
diff --git a/cmd/drone-docker-buildx/config.go b/cmd/drone-docker-buildx/config.go
index ac41ddb..cc0ffe5 100644
--- a/cmd/drone-docker-buildx/config.go
+++ b/cmd/drone-docker-buildx/config.go
@@ -321,5 +321,26 @@ func settingsFlags(settings *plugin.Settings, category string) []cli.Flag {
 			Destination: &settings.Build.SBOM,
 			Category: category,
 		},
+		&cli.StringFlag{
+			Name: "secret",
+			EnvVars: []string{"PLUGIN_SECRET"},
+			Usage: "secret key value pair eg id=MYSECRET",
+			Destination: &settings.Build.Secret,
+			Category: category,
+		},
+		&cli.StringSliceFlag{
+			Name: "secrets-from-env",
+			EnvVars: []string{"PLUGIN_SECRETS_FROM_ENV"},
+			Usage: "secret key value pair eg secret_name=secret",
+			Destination: &settings.Build.SecretEnvs,
+			Category: category,
+		},
+		&cli.StringSliceFlag{
+			Name: "secrets-from-file",
+			EnvVars: []string{"PLUGIN_SECRETS_FROM_FILE"},
+			Usage: "secret key value pairs eg secret_name=/path/to/secret",
+			Destination: &settings.Build.SecretFiles,
+			Category: category,
+		},
 	}
 }
diff --git a/plugin/docker.go b/plugin/docker.go
index 7ad7499..dbb4362 100644
--- a/plugin/docker.go
+++ b/plugin/docker.go
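Review bot: The `Usage` strings on the three new flags do not say what the right-hand side of each pair is, which matters because `secrets-from-env` takes an environment variable name and `secrets-from-file` takes a path, while `secret` is handed to docker unchanged. I would reword them to `"raw --secret spec passed to docker unchanged, eg id=MYSECRET,src=/path"`, `"secret id and source env var, eg secret_id=ENV_VAR_NAME"` and `"secret id and source file, eg secret_id=/path/to/secret"`. Note also that `secret` is a `cli.StringFlag` while its two siblings are `cli.StringSliceFlag`, so only one raw spec can be supplied; if that is intended, the usage text should say so. settingsFlags starts outside the hunk.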
@@ -160,9 +160,61 @@ func commandBuild(build Build, dryrun bool) *execabs.Cmd {
 		args = append(args, "--sbom", build.SBOM)
 	}
 
+	if build.Secret != "" {
+		args = append(args, "--secret", build.Secret)
+	}
+
+	for _, secret := range build.SecretEnvs.Value() {
+		if arg, err := getSecretStringCmdArg(secret); err == nil {
+			args = append(args, "--secret", arg)
+		}
+	}
+
+	for _, secret := range build.SecretFiles.Value() {
+		if arg, err := getSecretFileCmdArg(secret); err == nil {
+			args = append(args, "--secret", arg)
+		}
+	}
+
+	// we need to enable BuildKit, for secret support
+	if build.Secret != "" || len(build.SecretEnvs.Value()) > 0 || len(build.SecretFiles.Value()) > 0 {
+		os.Setenv("DOCKER_BUILDKIT", "1")
+	}
+
 	return execabs.Command(dockerBin, args...)
 }
 
+// helper function to parse string secret key-pair
+func getSecretStringCmdArg(kvp string) (string, error) {
+	return getSecretCmdArg(kvp, false)
+}
+
+// helper function to parse file secret key-pair
+func getSecretFileCmdArg(kvp string) (string, error) {
+	return getSecretCmdArg(kvp, true)
+}
+
+// helper function to parse secret key-pair
+func getSecretCmdArg(kvp string, file bool) (string, error) {
+	delimIndex := strings.IndexByte(kvp, '=')
+	if delimIndex == -1 {
+		return "", fmt.Errorf("%s is not a valid secret", kvp)
+	}
+
+	key := kvp[:delimIndex]
+	value := kvp[delimIndex+1:]
+
+	if key == "" || value == "" {
+		return "", fmt.Errorf("%s is not a valid secret", kvp)
+	}
+
+	if file {
+		return fmt.Sprintf("id=%s,src=%s", key, value), nil
+	}
+
+	return fmt.Sprintf("id=%s,env=%s", key, value), nil
+}
+
 // helper function to add proxy values from the environment.
 func addProxyBuildArgs(build *Build) {
 	addProxyValue(build, "http_proxy")
diff --git a/plugin/impl.go b/plugin/impl.go
index ce530b7..7a18398 100644
--- a/plugin/impl.go
+++ b/plugin/impl.go
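Review bot: Both new loops discard the error from `getSecretStringCmdArg`/`getSecretFileCmdArg` behind `err == nil`, so a malformed entry (no `=`, or an empty id or source) is silently dropped and the build proceeds without that secret; since commandBuild only returns a `*execabs.Cmd` and its signature is outside the hunk, the misparse should at least be logged here, or better rejected earlier in the plugin's validation step. `os.Setenv("DOCKER_BUILDKIT", "1")` alters the environment of the whole plugin process as a side effect of assembling one command; scoping it to the command, `cmd := execabs.Command(dockerBin, args...)` followed by `cmd.Env = append(os.Environ(), "DOCKER_BUILDKIT=1")`, is cleaner, and on a buildx-based plugin the variable may be redundant anyway — worth confirming. `getSecretCmdArg` also splices `key` and `value` into a comma-separated option list without checking for `,`, so a source containing a comma changes the meaning of the `--secret` argument; extending the invalid-secret check with `strings.ContainsRune(key, ',') || strings.ContainsRune(value, ',')` closes that. The three helpers carry `// helper function ...` comments rather than Go doc comments starting with the function name; `// getSecretCmdArg turns an id=source pair into a docker --secret argument, using src= for file sources and env= for environment sources.` would suit, with matching one-liners on the two wrappers.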
@@ -65,6 +65,9 @@ type Build struct {
 	Labels cli.StringSlice // Docker build labels
 	Provenance string // Docker build provenance attestation
 	SBOM string // Docker build sbom attestation
+	Secret string // Docker build secret keypair
+	SecretEnvs cli.StringSlice // Docker build secrets with env var as source
+	SecretFiles cli.StringSlice // Docker build secrets with file as source
 }
 
 // Settings for the Plugin.
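Review bot: The comment on `Secret`, `// Docker build secret keypair`, describes it as a key pair, but plugin/docker.go passes this value to `--secret` verbatim, so it is a complete docker secret spec rather than an `id=source` pair like the two slice fields. `// Docker build --secret spec, passed through unchanged (eg id=NAME,src=/path)` would match the behaviour, and the slice comments could name their pair format too, e.g. `// id=ENV_VAR pairs, emitted as --secret id=...,env=...` and `// id=/path pairs, emitted as --secret id=...,src=...`. The Build struct begins outside the hunk.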