diff --git a/ci/container-image-build-task.yml b/ci/container-image-build-task.yml
index 616fbac..e0ee8bc 100644
--- a/ci/container-image-build-task.yml
+++ b/ci/container-image-build-task.yml
@@ -24,7 +24,7 @@ params:
 CONTEXT: source/((flavor))
 IMAGE_PLATFORM: ((target-platform)) # This param tells the `concourse-oci-build-task` task which architecture to build the image for.
 BUILD_ARG_TARGETPLATFORM: ((target-platform)) # the instana-agent-docker Dockerfile requires a TARGETPLATFORM build arg.
- BUILD_ARG_DOWNLOAD_KEY: ((agent-download-key)) # required by the instana-agent-docker Dockerfile
+ BUILDKIT_SECRETTEXT_DOWNLOAD_KEY: ((agent-download-key)) # required by the instana-agent-docker Dockerfile
 BUILD_ARG_FLAVOR: ((flavor)) # required by the instana-agent-docker Dockerfile
 BUILD_ARG_CLASSIFIER: ((classifier)) # required by the instana-agent-docker Dockerfile
 BUILD_ARG_VERSION: ((version)) # required by the instana-agent-docker Dockerfile
diff --git a/dynamic/Dockerfile b/dynamic/Dockerfile
index 8ec5497..4f1e638 100644
--- a/dynamic/Dockerfile
+++ b/dynamic/Dockerfile
@@ -46,11 +46,11 @@ FROM registry.access.redhat.com/ubi8/ubi-minimal:latest AS instana-agent
 ARG TARGETPLATFORM='linux/amd64'
 ARG CLASSIFIER=''
-ARG DOWNLOAD_KEY
 # This is for backwards compatibility for end users that build their own images
 ARG FTP_PROXY
-RUN microdnf update && curl -sSL https://packages.instana.io/Instana.gpg -o /tmp/Instana.gpg && \
+RUN --mount=type=secret,id=DOWNLOAD_KEY DOWNLOAD_KEY="$(cat /run/secrets/DOWNLOAD_KEY)" && \
+ microdnf update && curl -sSL https://packages.instana.io/Instana.gpg -o /tmp/Instana.gpg && \
 rpm --import /tmp/Instana.gpg && \
 export arch=$(case "${TARGETPLATFORM}" in 'linux/amd64') echo 'x86_64' ;; 'linux/arm64') echo 'aarch64' ;; 'linux/s390x') echo 's390x' ;; 'linux/ppc64le') echo 'ppc64le' ;; esac) && \
 [[ -z "${FTP_PROXY}" ]] || DOWNLOAD_KEY="${FTP_PROXY}" && \
diff --git a/dynamic/README.md b/dynamic/README.md
index 787eb9d..ffb474e 100644
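Review bot: The comment on the new `BUILDKIT_SECRETTEXT_DOWNLOAD_KEY` line is copied from the surrounding build-arg lines and does not record that this value now reaches the Dockerfile as a BuildKit secret rather than a `--build-arg`, so either side could later be renamed without the other being updated. The `DOWNLOAD_KEY` suffix has to match the `id=DOWNLOAD_KEY` in the `--mount=type=secret` line of the dynamic/Dockerfile hunk below, assuming the task derives the secret id from the variable suffix as the prefix suggests. Suggest replacing the inline comment with `# mounted by the Dockerfile as BuildKit secret id=DOWNLOAD_KEY (not a build arg, so it is not recorded in image metadata); keep the suffix in sync with --mount=type=secret,id=...`.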
--- a/dynamic/README.md
+++ b/dynamic/README.md
@@ -18,12 +18,16 @@ features](https://github.com/docker/cli/blob/master/experimental/README.md) need
 export TARGETPLATFORM=linux/s390x
 export DOWNLOAD_KEY=my-key
+echo "${DOWNLOAD_KEY}" > ${HOME}/.INSTANA_DOWNLOAD_KEY
+
 docker buildx build --no-cache \
- --build-arg DOWNLOAD_KEY="${DOWNLOAD_KEY}" \
+ --secret id=DOWNLOAD_KEY,src=${HOME}/.INSTANA_DOWNLOAD_KEY \
 --platform="${TARGETPLATFORM}" \
 --build-arg "TARGETPLATFORM=${TARGETPLATFORM}" \
 -t instana/agent \
 .
+
+rm -f ${HOME}/.INSTANA_DOWNLOAD_KEY
 ```
 Supported values of ``:
diff --git a/static/Dockerfile b/static/Dockerfile
index 3f7366f..73269cb 100644
--- a/static/Dockerfile
+++ b/static/Dockerfile
@@ -46,11 +46,12 @@ FROM registry.access.redhat.com/ubi8/ubi-minimal:latest AS instana-agent
 ARG TARGETPLATFORM='linux/amd64'
 ARG CLASSIFIER=''
-ARG DOWNLOAD_KEY
 # This is for backwards compatibility for end users that build their own images
 ARG FTP_PROXY
-RUN microdnf update && curl -sSL https://packages.instana.io/Instana.gpg -o /tmp/Instana.gpg && \
+# Use secret mounts to prevent leakage of secrets in docker image metadata
+RUN --mount=type=secret,id=DOWNLOAD_KEY DOWNLOAD_KEY="$(cat /run/secrets/DOWNLOAD_KEY)" && \
+ microdnf update && curl -sSL https://packages.instana.io/Instana.gpg -o /tmp/Instana.gpg && \
 rpm --import /tmp/Instana.gpg && \
 export arch=$(case "${TARGETPLATFORM}" in 'linux/amd64') echo 'x86_64' ;; 'linux/arm64') echo 'aarch64' ;; 'linux/s390x') echo 's390x' ;; 'linux/ppc64le') echo 'ppc64le' ;; esac) && \
 [[ -z "${FTP_PROXY}" ]] || DOWNLOAD_KEY="${FTP_PROXY}" && \
diff --git a/static/README.md b/static/README.md
index 696d21a..79d27bd 100644
--- a/static/README.md
+++ b/static/README.md
@@ -12,12 +12,16 @@ features](https://github.com/docker/cli/blob/master/experimental/README.md) need
 export TARGETPLATFORM=linux/s390x
 export DOWNLOAD_KEY=my-key
+echo "${DOWNLOAD_KEY}" > ${HOME}/.INSTANA_DOWNLOAD_KEY
+
 docker buildx build --no-cache \
- --build-arg DOWNLOAD_KEY="${DOWNLOAD_KEY}" \
+ --secret id=DOWNLOAD_KEY,src=${HOME}/.INSTANA_DOWNLOAD_KEY \
 --platform="${TARGETPLATFORM}" \
 --build-arg "TARGETPLATFORM=${TARGETPLATFORM}" \
 -t containers.instana.io/instana/release/agent/static \
 .
+
+rm -f ~/.INSTANA_DOWNLOAD_KEY
 ```
 Supported values of ``: