add support for build.secrets

ndeloof · ndeloof · commit 0dffd5ba9ff5 · 2022-04-13T22:45:53.000+02:00
Signed-off-by: Nicolas De Loof &lt;nicolas.deloof@gmail.com&gt;
diff --git a/go.mod b/go.mod
@@ -6,7 +6,7 @@ require (
 	github.com/AlecAivazis/survey/v2 v2.3.2
 	github.com/buger/goterm v1.0.4
 	github.com/cnabio/cnab-to-oci v0.3.1-beta1
-	github.com/compose-spec/compose-go v1.2.3
+	github.com/compose-spec/compose-go v1.2.4
 	github.com/containerd/console v1.0.3
 	github.com/containerd/containerd v1.6.2
 	github.com/distribution/distribution/v3 v3.0.0-20210316161203-a01c71e2477e
diff --git a/go.sum b/go.sum
@@ -302,8 +302,8 @@ github.com/cockroachdb/errors v1.2.4/go.mod h1:rQD95gz6FARkaKkQXUksEje/d9a6wBJoC
 github.com/cockroachdb/logtags v0.0.0-20190617123548-eb05cc24525f/go.mod h1:i/u985jwjWRlyHXQbwatDASoW0RMlZ/3i9yJHE2xLkI=
 github.com/codahale/hdrhistogram v0.0.0-20160425231609-f8ad88b59a58/go.mod h1:sE/e/2PUdi/liOCUjSTXgM1o87ZssimdTWN964YiIeI=
 github.com/compose-spec/compose-go v1.0.8/go.mod h1:REnCbBugoIdHB7S1sfkN/aJ7AJpNApGNjNiVjA9L8x4=
-github.com/compose-spec/compose-go v1.2.3 h1:r9zZfxQKG2A3fTy/MobMecUR1cd3uf7DlQQeB/NKVJ0=
-github.com/compose-spec/compose-go v1.2.3/go.mod h1:pAy7Mikpeft4pxkFU565/DRHEbDfR84G6AQuiL+Hdg8=
+github.com/compose-spec/compose-go v1.2.4 h1:nzTFqM8+2J7Veao5Pq5U451thinv3U1wChIvcjX59/A=
+github.com/compose-spec/compose-go v1.2.4/go.mod h1:pAy7Mikpeft4pxkFU565/DRHEbDfR84G6AQuiL+Hdg8=
 github.com/compose-spec/godotenv v1.1.1/go.mod h1:zF/3BOa18Z24tts5qnO/E9YURQanJTBUf7nlcCTNsyc=
 github.com/containerd/aufs v0.0.0-20200908144142-dab0cbea06f4/go.mod h1:nukgQABAEopAHvB6j7cnP5zJ+/3aVcE7hCYqvIwAHyE=
 github.com/containerd/aufs v0.0.0-20201003224125-76a6863f2989/go.mod h1:AkGGQs9NM2vtYHaUen+NljV0/baGCAPELGm2q9ZXpWU=
diff --git a/pkg/compose/build.go b/pkg/compose/build.go
@@ -31,6 +31,7 @@ import (
 	bclient "github.com/moby/buildkit/client"
 	"github.com/moby/buildkit/session"
 	"github.com/moby/buildkit/session/auth/authprovider"
+	"github.com/moby/buildkit/session/secrets/secretsprovider"
 	"github.com/moby/buildkit/session/sshforward/sshprovider"
 	specs "github.com/opencontainers/image-spec/specs-go/v1"
 
@@ -254,6 +255,26 @@ func (s *composeService) toBuildOptions(project *types.Project, service types.Se
 		sessionConfig = append(sessionConfig, sshAgentProvider)
 	}
 
+	if len(service.Build.Secrets) > 0 {
+		var sources []secretsprovider.Source
+		for _, secret := range service.Build.Secrets {
+			config := project.Secrets[secret.Source]
+			if config.File == "" {
+				return build.Options{}, fmt.Errorf("build.secrets only supports file-based secrets: %q", secret.Source)
+			}
+			sources = append(sources, secretsprovider.Source{
+				ID:       secret.Source,
+				FilePath: config.File,
+			})
+		}
+		store, err := secretsprovider.NewStore(sources)
+		if err != nil {
+			return build.Options{}, err
+		}
+		p := secretsprovider.NewSecretProvider(store)
+		sessionConfig = append(sessionConfig, p)
+	}
+
 	return build.Options{
 		Inputs: build.Inputs{
 			ContextPath:    service.Build.Context,
diff --git a/pkg/e2e/compose_build_test.go b/pkg/e2e/compose_build_test.go
@@ -169,3 +169,15 @@ func TestLocalComposeBuild(t *testing.T) {
 		c.RunDockerCmd("rmi", "custom-nginx")
 	})
 }
+
+func TestBuildSecrets(t *testing.T) {
+	c := NewParallelE2eCLI(t, binDir)
+
+	t.Run("build with secrets", func(t *testing.T) {
+		// ensure local test run does not reuse previously build image
+		c.RunDockerOrExitError("rmi", "build-test-secret")
+
+		res := c.RunDockerComposeCmd("--project-directory", "fixtures/build-test/secrets", "build")
+		res.Assert(t, icmd.Success)
+	})
+}
diff --git a/pkg/e2e/fixtures/build-test/secrets/Dockerfile b/pkg/e2e/fixtures/build-test/secrets/Dockerfile
@@ -0,0 +1,22 @@
+# syntax=docker/dockerfile:1.2
+
+
+#   Copyright 2020 Docker Compose CLI authors
+
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+
+#       http://www.apache.org/licenses/LICENSE-2.0
+
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+
+FROM alpine
+
+RUN echo "foo" > /tmp/expected
+RUN --mount=type=secret,id=mysecret cat /run/secrets/mysecret > /tmp/actual
+RUN diff /tmp/expected /tmp/actual
diff --git a/pkg/e2e/fixtures/build-test/secrets/compose.yml b/pkg/e2e/fixtures/build-test/secrets/compose.yml
@@ -0,0 +1,11 @@
+services:
+  ssh:
+    image: build-test-secret
+    build:
+      context: .
+      secrets:
+        - mysecret
+
+secrets:
+  mysecret:
+    file: ./secret.txt
diff --git a/pkg/e2e/fixtures/build-test/secrets/secret.txt b/pkg/e2e/fixtures/build-test/secrets/secret.txt
@@ -0,0 +1 @@
+foo
