Support buildkit build time secrets #7046
Conversation
…uilder as intended The existing test was passing DOCKER_BUILDKIT=1 as an env var but the test was passing without using buildkit Adds buildkit only features to the Dockerfile so that it will fail unless buildkit is invoked. It also ensures that the test environment is passed to the forked native build process Signed-off-by: Ollie Edwards <oliver.s.edwards@gmail.com>
This is done using the build section in the yaml which may look like a strange decision given build secrets are almost by definition not in a well known location. It's intended that this feature be used with env substitution. Signed-off-by: Ollie Edwards <oliver.s.edwards@gmail.com>
|
Sounds a reasonable approach. which possibly could be extended for later additional parameters buildKit could introduce: As a side-note, when you consider working on such an enhancement, please first report an issue so this can be discussed with maintainers, and you don't waste time working hard on code that might not be later approved. note: should also be implemented in https://github.com/docker/buildx for consistency |
|
Can this also be used to the pass SSH environment (e.g., |
|
@Teyras would need to look into details, but assuming BuildKit did define distinct build args for this purpose, we probably would better introduce |
|
Thanks @ndeloof for the feedback. I've had a go at an abstract buildkit syntax let me know what you think. It looks a bit odd as it's a list of strings or dicts. I didn't want to force people to use the full Thanks for the hint about opening an issue. In this case I didn't really set out to write a PR it just kinda went that way once I started reading. Can you please clarify your comment on buildx, this feature is already implemented there, I'm not sure what action you are recommending? |
|
@Teyras No this is specifically to get parity with buildkit |
|
General approach looks good to me an could be used to add support for buildkit's I'll discuss with maintainers on way we'd like to proceed with such schema updates. |
Rather than putting buildkit strings directly in compose file, use a mapping abstraction. The format is slightly odd looking string or dict as the only truly required mount arg is id but we may also want to provide a whole dict of options including source and any other flags that buildkit supports for a mount spec. Signed-off-by: Ollie Edwards <oliver.s.edwards@gmail.com>
89e6d53 to
2a195fd
Compare
|
Thanks @ndeloof, have patched the last commit to be in line with volumes, thanks for pointing that out, I was looking for a good example to crib. Shame about the schema replication issue, that does complicate things somewhat, but I'm sure there's a reasonable solution. |
|
Do you guys know if there is a known workaround for doing ssh forwarding with docker-compose till a solution is introduced? I have tried many suggested methods but can't seem to get around password protected RSA keys. |
|
Would this also include a way to pass a secret as a CLI argument? |
|
Can't wait to see this PR get over the line ;) |
|
This change would allow using |
|
What is the behavior when building without |
|
It appears that it should just ignore the secrets if |
| @@ -973,12 +974,49 @@ def test_build_cli(self): | |||
| self.addCleanup(shutil.rmtree, base_dir) | |||
|
|
|||
| with open(os.path.join(base_dir, 'Dockerfile'), 'w') as f: | |||
| f.write("FROM busybox\n") | |||
| # f.write("FROM busybox\n") | |||
There was a problem hiding this comment.
Remove commented code?
| # f.write("FROM busybox\n") |
| secret_path_2 = os.path.join(base_dir, 'secret_2') | ||
|
|
||
| with open(os.path.join(base_dir, 'Dockerfile'), 'w') as f: | ||
| # f.write("FROM busybox\n") |
There was a problem hiding this comment.
Remove commented code?
| # f.write("FROM busybox\n") |
| @@ -88,7 +88,8 @@ | |||
| "cache_from": {"$ref": "#/definitions/list_of_strings"}, | |||
| "network": {"type": "string"}, | |||
| "target": {"type": "string"}, | |||
| "shm_size": {"type": ["integer", "string"]} | |||
| "shm_size": {"type": ["integer", "string"]}, | |||
| "secrets": {"$ref": "#/definitions/build_secrets"} | |||
There was a problem hiding this comment.
Note that we can't update the 3.7 schema, as it's already been released, so to add this property to the schema, it probably has to be added to the upcoming 3.9 schema in https://github.com/docker/cli/blob/master/cli/compose/schema/data/config_schema_v3.9.json first
|
@antiBaconMachine @ndeloof next steps here...? :) |
|
I'm very excited to be able to use |
|
Just curious if anyone thinks using the existing secrets syntax (v3.1+) would be cleaner: The secret name ("my-secret") would be passed in as the secret "id" and the path to the file would be passed in as the "src". |
|
Looking forward to seeing ssh flag for compose files as well. We just started to use ssh for git keys and this is a blocker right now. Any update on a timeline for this? |
|
@antiBaconMachine could we get this finally merged in? |
|
It looks like this PR does not address the ssh flag, and only does it for the secrets flag |
Agreed, what do we need to do to make it happen?!
This is the question! What else needs to be done, anyone? @ndeloof ? Or @thaJeztah ? Is it mainly this?
@antiBaconMachine any chance you're still around and willing if this PR needs updates? If not, anyone else willing to contribute? I am more than willing, although may need some hand-holding 😅 Although part of me wants to say nothing and advocate merging this ASAP, I can't help but think this is a great suggestion:
RE
Imo that seems out of scope for this PR.. looks like it might need a separate issue/PR based on this comment:
|
|
Is there any update on this? Anything else that needs to be done aside from handling merge conflicts? Happy to help if needed. |
|
Would love to see support for build secrets in compose! |
|
Any update on this? |
|
Hi, any plans to support build time secrets ? |
|
UP, any plans ? It's a much appreciated feature |
|
@psigen @thaJeztah @antiBaconMachine @ndeloof is there any update here? What is still needed from this PR to be ready for merging? |
This requires changes in the compose specification, so likely needs to wait for compose-spec/compose-spec#81 (or alternatives) to be accepted by the spec maintainers |
|
best option would be for the buildx maintainers to make a proposal based on the work done with |
Yes exactly, that's why we added the |
|
@crazy-max custom extension allow to experiment without the need to get a long debate on the spec on some abstract solution, but this doesn't mean we can't discuss on the spec while bake is used as a concrete implementation example. |
I think the proposal compose-spec/compose-spec#120 from @chris-crone is already aligned with what the |
|
Can someone make a comment about the overall process remaining (e.g. what steps and governing bodies are involved and where those decisions are currently) since it seems like there is some positivity here but still feels like "nothing" has happened? |
Would be nice to get buildx contributors involved here, as they introduced custom extensions for this purpose in |
|
Guys, the issue has been submitted more than two years ago, still no concrete progress on this ? Unless there is a decent tool chain that enables docker users to apply best security practices, secrets will continue to be provided in an insecure way for a long time, which is in the interest of nobody. I don't understand how such a crucial feature can take so long to make its way through the intricacies of the Compose Specification process. Thank you to all those involved to make this happen, |
|
Checkout |
|
|
|
Just for reference, merged on compose-spec/compose-spec#238 |
Hi everyone. This is one possible solution to build time secret mounting. I've used the build section in the compose yaml, I think there's a good argument to be made for supporting
--build-secreton the CLI as well / instead.I'm new to this project and I don't typically write python so all feedback welcome, what do people think of using the build section like this?
The use case I originally wanted this for is mounting .npmrc so I imagine I would check in something like
id=npmrc,src=${FOO_SECRET:-~/.npmrc}and then anyone with their .npmrc in the "normal" place would never have to think about this again. That is is the motivation for doing it this way first before the CLI which puts more burden on user.If this PR isn't to your liking that is fine but you should still consider the first commit which fixes an existing test which does not behave as I think it was intended.
Resolves ##6358