Add `secret`, `secrets-from-env` and `secrets-from-file`
This commit is contained in:
parent
471b9e046d
commit
c4d9bfc937
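--- a/PATH-NOT-SHOWN-1
+++ b/PATH-NOT-SHOWN-1
@@ -321,5 +321,26 @@ func settingsFlags(settings *plugin.Settings, category string) []cli.Flag {
 Destination: &settings.Build.SBOM,
 Category: category,
 },
+&cli.StringFlag{
+Name: "secret",
+EnvVars: []string{"PLUGIN_SECRET"},
+Usage: "secret key value pair eg id=MYSECRET",
+Destination: &settings.Build.Secret,
+Category: category,
+},
+&cli.StringSliceFlag{
+Name: "secrets-from-env",
+EnvVars: []string{"PLUGIN_SECRETS_FROM_ENV"},
+Usage: "secret key value pair eg secret_name=secret",
+Destination: &settings.Build.SecretEnvs,
+Category: category,
+},
+&cli.StringSliceFlag{
+Name: "secrets-from-file",
+EnvVars: []string{"PLUGIN_SECRETS_FROM_FILE"},
+Usage: "secret key value pairs eg secret_name=/path/to/secret",
+Destination: &settings.Build.SecretFiles,
+Category: category,
+},
 }
 }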
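Review bot: The usage text of the new `secret` flag, `secret key value pair eg id=MYSECRET`, does not tell the user that this value is handled differently from `secrets-from-env` and `secrets-from-file`: the commandBuild hunk on this page appends it to `--secret` verbatim with no parsing, so what it really accepts is the full docker `id=...,src=...`/`env=...` syntax, and a malformed value only surfaces as a docker error at build time. Suggest `Usage: "raw docker build --secret value passed through unchanged eg id=MYSECRET,src=/path/to/secret"`, and the same wording on the `Secret` field comment in the Build struct. The enclosing settingsFlags function starts and ends outside the hunk.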
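--- a/PATH-NOT-SHOWN-2
+++ b/PATH-NOT-SHOWN-2
@@ -160,9 +160,61 @@ func commandBuild(build Build, dryrun bool) *execabs.Cmd {
 args = append(args, "--sbom", build.SBOM)
 }
 
+if build.Secret != "" {
+args = append(args, "--secret", build.Secret)
+}
+
+for _, secret := range build.SecretEnvs.Value() {
+if arg, err := getSecretStringCmdArg(secret); err == nil {
+args = append(args, "--secret", arg)
+}
+}
+
+for _, secret := range build.SecretFiles.Value() {
+if arg, err := getSecretFileCmdArg(secret); err == nil {
+args = append(args, "--secret", arg)
+}
+}
+
+// we need to enable BuildKit, for secret support
+if build.Secret != "" || len(build.SecretEnvs.Value()) > 0 || len(build.SecretFiles.Value()) > 0 {
+os.Setenv("DOCKER_BUILDKIT", "1")
+}
+
 return execabs.Command(dockerBin, args...)
 }
 
+// helper function to parse string secret key-pair
+func getSecretStringCmdArg(kvp string) (string, error) {
+return getSecretCmdArg(kvp, false)
+}
+
+// helper function to parse file secret key-pair
+func getSecretFileCmdArg(kvp string) (string, error) {
+return getSecretCmdArg(kvp, true)
+}
+
+// helper function to parse secret key-pair
+func getSecretCmdArg(kvp string, file bool) (string, error) {
+delimIndex := strings.IndexByte(kvp, '=')
+if delimIndex == -1 {
+return "", fmt.Errorf("%s is not a valid secret", kvp)
+}
+
+key := kvp[:delimIndex]
+value := kvp[delimIndex+1:]
+
+if key == "" || value == "" {
+return "", fmt.Errorf("%s is not a valid secret", kvp)
+}
+
+if file {
+return fmt.Sprintf("id=%s,src=%s", key, value), nil
+}
+
+return fmt.Sprintf("id=%s,env=%s", key, value), nil
+}
+
 // helper function to add proxy values from the environment.
 func addProxyBuildArgs(build *Build) {
 addProxyValue(build, "http_proxy")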
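Review bot: In both `for _, secret := range ...` loops a malformed entry is dropped silently: the result of `getSecretStringCmdArg`/`getSecretFileCmdArg` is only tested with `err == nil` and the failing entry is never reported, so a typo in `secrets-from-env` or `secrets-from-file` yields a build that runs without that secret instead of a failure the user can see. commandBuild (which starts outside the hunk) cannot return an error, so at minimum report it, e.g. `} else { fmt.Fprintf(os.Stderr, "skipping secret: %v\n", err) }`, and preferably validate these lists where settings are parsed so the plugin fails before docker is invoked. Two smaller points: `os.Setenv("DOCKER_BUILDKIT", "1")` mutates the whole process environment as a side effect of building a command, whereas setting it on the returned `execabs.Cmd`'s `Env` keeps it scoped to that invocation; and `getSecretCmdArg` never rejects a `,` in key or value although docker reads `--secret` as comma-separated `key=value` fields, so a stray comma silently changes the resulting `id`/`src`, which `if strings.ContainsRune(key, ',') || strings.ContainsRune(value, ',') { return "", fmt.Errorf("%s is not a valid secret", kvp) }` would catch.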
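--- a/PATH-NOT-SHOWN-3
+++ b/PATH-NOT-SHOWN-3
@@ -65,6 +65,9 @@ type Build struct {
 Labels cli.StringSlice // Docker build labels
 Provenance string // Docker build provenance attestation
 SBOM string // Docker build sbom attestation
+Secret string // Docker build secret keypair
+SecretEnvs cli.StringSlice // Docker build secrets with env var as source
+SecretFiles cli.StringSlice // Docker build secrets with file as source
 }
 
 // Settings for the Plugin.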