diff --git a/README.md b/README.md
index fad6156..ec14647 100644
--- a/README.md
+++ b/README.md
@@ -91,7 +91,7 @@ _(As a convention in the list below, all task parameters are specified with a
 DO_THING=false
 ```
-* `$BUILDKIT_SECRET_*`: extra secrets which are made available via
+* `$BUILDKIT_SECRET_*`: files with extra secrets which are made available via
 `--mount=type=secret,id=...`. See [New Docker Build secret information](https://docs.docker.com/develop/develop-images/build_enhancements/#new-docker-build-secret-information)
 for more information on build secrets. For example, running with
 `BUILDKIT_SECRET_config=my-repo/config` will allow
@@ -101,6 +101,13 @@ _(As a convention in the list below, all task parameters are specified with a
 RUN --mount=type=secret,id=config cat /run/secrets/config
 ```
+* `$BUILDKIT_SECRETTEXT_*`: literal text of extra secrets to be made available
+ via the same mechanism described for `$BUILDKIT_SECRET_*` above. The
+ difference is that this is easier to use with credential managers:
+
+ `BUILDKIT_SECRETTEXT_mysecret=(( mysecret ))` puts the content that
+ `(( mysecret ))` expands to in `/run/secrets/mysecret`.
+
 * `$IMAGE_ARG_*`: params prefixed with `IMAGE_ARG_*` point to image tarballs
 (i.e. `docker save` format) to preload so that they do not have to be fetched
 during the build. An image reference will be provided as the given build arg
diff --git a/cmd/build/main.go b/cmd/build/main.go
index 3e8874d..9474676 100644
--- a/cmd/build/main.go
+++ b/cmd/build/main.go
@@ -3,8 +3,10 @@ package main
 import (
 	"bytes"
 	"encoding/json"
+	"io/ioutil"
 	"os"
 	"os/exec"
+	"path/filepath"
 	"strings"
 	"github.com/sirupsen/logrus"
@@ -17,6 +19,7 @@ const imageArgPrefix = "IMAGE_ARG_"
 const labelPrefix = "LABEL_"
 const buildkitSecretPrefix = "BUILDKIT_SECRET_"
+const buildkitSecretTextPrefix = "BUILDKIT_SECRETTEXT_"
 func main() {
 	req := task.Request{
@@ -58,6 +61,20 @@ func main() {
 			req.Config.BuildkitSecrets[seg[0]] = seg[1]
 		}
+
+		if strings.HasPrefix(env, buildkitSecretTextPrefix) {
+			seg := strings.SplitN(
+				strings.TrimPrefix(env, buildkitSecretTextPrefix), "=", 2)
+
+			// Q: Filter for environment variable names that are also legal shell variable names to disallow ../ etc?
+			secretDir := filepath.Join(os.TempDir(), "buildkit-secrets")
+			secretFile := filepath.Join(secretDir, seg[0])
+			err := os.MkdirAll(secretDir, 0700)
+			failIf("create secret directory", err)
+			err = ioutil.WriteFile(secretFile, []byte(seg[1]), 0600)
+			failIf("write to secret directory", err)
+			req.Config.BuildkitSecrets[seg[0]] = secretFile
+		}
 	}
 	logrus.Debugf("read config from env: %#v\n", req.Config)
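Review bot: The question left in the `// Q:` comment needs a real guard rather than a comment: `seg[0]` is the remainder of an environment-variable name and is joined straight into `secretFile`, so an entry such as `BUILDKIT_SECRETTEXT_../../x=...` (not typeable from a shell, but an environment populated programmatically by whatever launches this task can carry any byte except `=` and NUL) writes the plaintext outside `secretDir` and then registers that path as the secret. Reject anything that is not a bare file name before the `filepath.Join`: `if filepath.Base(seg[0]) != seg[0] { logrus.Fatalf("invalid secret name %q", seg[0]) }`. Separately, `os.MkdirAll` leaves an already-existing `buildkit-secrets` under the shared `os.TempDir()` with whatever mode and owner it had, so a directory or symlink pre-created there by another local user would receive the secret; `ioutil.TempDir("", "buildkit-secrets")` yields a fresh private directory instead. `seg[1]` is also indexed without checking that `SplitN` found an `=`, mirroring the `BUILDKIT_SECRET_` branch above it, and a `len(seg) == 2` check would avoid the panic. The enclosing `main` loop starts and ends outside the hunk.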