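--- a/cmd/drone-docker/main.go
+++ b/cmd/drone-docker/main.go
@@ -248,6 +248,22 @@ func main() {
 Usage: "additional host:IP mapping",
 EnvVar: "PLUGIN_ADD_HOST",
 },
+cli.BoolFlag{
+Name: "git-netrc-pass",
+Usage: "Pass git auth ~/.netrc file into docker build as secret - it will be avaliable as: id=git-netrc,src=$HOME/.netrc",
+EnvVar: "PLUGIN_GIT_NETRC_PASS",
+},
+cli.StringSliceFlag{
+Name: "secrets",
+Usage: "Secret file to expose to the build ex: id=mysecret;src=/local/secret",
+EnvVar: "PLUGIN_SECRETS",
+},
+cli.StringFlag{
+Name: "secret-separator",
+Usage: "Sign to be used to separate secrets id and src - this sign will be replaced with , to work with docker build command",
+Value: ";",
+EnvVar: "PLUGIN_SECRET_SEPARATOR",
+},
 }
 
 if err := app.Run(os.Args); err != nil {
@@ -267,26 +283,28 @@ func run(c *cli.Context) error {
 Config: c.String("docker.config"),
 },
 Build: docker.Build{
-Remote: c.String("remote.url"),
-Name: c.String("commit.sha"),
-Dockerfile: c.String("dockerfile"),
-Context: c.String("context"),
-Tags: c.StringSlice("tags"),
-Args: c.StringSlice("args"),
-ArgsEnv: c.StringSlice("args-from-env"),
-Target: c.String("target"),
-Squash: c.Bool("squash"),
-Pull: c.BoolT("pull-image"),
-CacheFrom: c.StringSlice("cache-from"),
-Compress: c.Bool("compress"),
-Repo: c.String("repo"),
-Labels: c.StringSlice("custom-labels"),
-LabelSchema: c.StringSlice("label-schema"),
-AutoLabel: c.BoolT("auto-label"),
-Link: c.String("link"),
-NoCache: c.Bool("no-cache"),
-AddHost: c.StringSlice("add-host"),
-Quiet: c.Bool("quiet"),
+Remote: c.String("remote.url"),
+Name: c.String("commit.sha"),
+Dockerfile: c.String("dockerfile"),
+Context: c.String("context"),
+Tags: c.StringSlice("tags"),
+Args: c.StringSlice("args"),
+ArgsEnv: c.StringSlice("args-from-env"),
+Target: c.String("target"),
+Squash: c.Bool("squash"),
+Pull: c.BoolT("pull-image"),
+CacheFrom: c.StringSlice("cache-from"),
+Compress: c.Bool("compress"),
+Repo: c.String("repo"),
+Labels: c.StringSlice("custom-labels"),
+LabelSchema: c.StringSlice("label-schema"),
+AutoLabel: c.BoolT("auto-label"),
+Link: c.String("link"),
+NoCache: c.Bool("no-cache"),
+AddHost: c.StringSlice("add-host"),
+Secrets: c.StringSlice("secrets"),
+SecretsSeparator: c.String("secret-separator"),
+Quiet: c.Bool("quiet"),
 },
 Daemon: docker.Daemon{
 Registry: c.String("docker.registry"),
@@ -325,5 +343,38 @@ func run(c *cli.Context) error {
 }
 }
 
+if c.Bool("git-netrc-pass") || len(c.StringSlice("secrets")) > 0 {
+if c.String("secret-separator") == "," && len(c.StringSlice("secrets")) > 0 {
+logrus.Fatal("secret variables separator ',' will break build - please use default one or any other")
+}
+if c.Bool("git-netrc-pass") {
+// Detect current user home directory
+homedirname, err := os.UserHomeDir()
+if err != nil {
+logrus.Fatal(err)
+}
+
+// Create $HOME/.netrc file with correct permissions
+netrcpath := homedirname + "/.netrc"
+drone_netrc_file_env_val, drone_netrc_file_env_present := os.LookupEnv("DRONE_NETRC_FILE")
+if drone_netrc_file_env_present {
+err = os.WriteFile(netrcpath, []byte(drone_netrc_file_env_val), 0600)
+if err != nil {
+logrus.Fatal(err)
+}
+} else {
+logrus.Fatal("DRONE_NETRC_FILE environment variable doesn't exists - cannot pass netrc file into build")
+}
+
+// Inject netrc secret into secrets
+plugin.Build.Secrets = append(c.StringSlice("secrets"), "id=git-netrc,src="+netrcpath)
+}
+// Enable Buildkit if there are any secrets to pass to docker build
+docker_buildkit_env_val, docker_buildkit_env_present := os.LookupEnv("DOCKER_BUILDKIT")
+if docker_buildkit_env_present != true || docker_buildkit_env_val == "0" {
+os.Setenv("DOCKER_BUILDKIT", "1")
+}
+}
+
 return plugin.Exec()
 }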
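Review bot: The `os.WriteFile(netrcpath, []byte(drone_netrc_file_env_val), 0600)` call in the `git-netrc-pass` branch applies mode 0600 only when it creates the file; on an existing `$HOME/.netrc` WriteFile truncates and rewrites it without changing permissions, so a looser pre-existing mode would then cover the DRONE_NETRC_FILE credentials. Follow the write with `if err := os.Chmod(netrcpath, 0600); err != nil { logrus.Fatal(err) }`. Nothing visible here removes the file once `plugin.Exec()` returns, so the credentials stay on disk after the build unless cleanup happens elsewhere; the start of `run` is outside these hunks. The entry appended as `"id=git-netrc,src="+netrcpath` also goes through the separator replacement in `commandBuild`, so a custom `secret-separator` that occurs in that string or in the home path would rewrite it, and only `,` is rejected here.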
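--- a/docker.go
+++ b/docker.go
@@ -39,26 +39,28 @@ type (
 
 // Build defines Docker build parameters.
 Build struct {
-Remote string // Git remote URL
-Name string // Docker build using default named tag
-Dockerfile string // Docker build Dockerfile
-Context string // Docker build context
-Tags []string // Docker build tags
-Args []string // Docker build args
-ArgsEnv []string // Docker build args from env
-Target string // Docker build target
-Squash bool // Docker build squash
-Pull bool // Docker build pull
-CacheFrom []string // Docker build cache-from
-Compress bool // Docker build compress
-Repo string // Docker build repository
-LabelSchema []string // label-schema Label map
-AutoLabel bool // auto-label bool
-Labels []string // Label map
-Link string // Git repo link
-NoCache bool // Docker build no-cache
-AddHost []string // Docker build add-host
-Quiet bool // Docker build quiet
+Remote string // Git remote URL
+Name string // Docker build using default named tag
+Dockerfile string // Docker build Dockerfile
+Context string // Docker build context
+Tags []string // Docker build tags
+Args []string // Docker build args
+ArgsEnv []string // Docker build args from env
+Target string // Docker build target
+Squash bool // Docker build squash
+Pull bool // Docker build pull
+CacheFrom []string // Docker build cache-from
+Compress bool // Docker build compress
+Repo string // Docker build repository
+LabelSchema []string // label-schema Label map
+AutoLabel bool // auto-label bool
+Labels []string // Label map
+Link string // Git repo link
+NoCache bool // Docker build no-cache
+AddHost []string // Docker build add-host
+Secrets []string // Docker build secret
+SecretsSeparator string // Docker build secrets variables separator
+Quiet bool // Docker build quiet
 }
 
 // Plugin defines the Docker plugin parameters.
@@ -261,6 +263,9 @@ func commandBuild(build Build) *exec.Cmd {
 if build.Target != "" {
 args = append(args, "--target", build.Target)
 }
+for _, secret := range build.Secrets {
+args = append(args, "--secret", strings.Replace(secret, build.SecretsSeparator, ",", -1))
+}
 if build.Quiet {
 args = append(args, "--quiet")
 }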
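Review bot: In the new loop in `commandBuild`, `strings.Replace(secret, build.SecretsSeparator, ",", -1)` uses whatever separator the caller left in `Build`, and with the zero value `""` Replace inserts a comma at the start of the entry and after every character, so the `--secret` value handed to docker is mangled. Guard it, for example `if build.SecretsSeparator != "" { secret = strings.ReplaceAll(secret, build.SecretsSeparator, ",") }`, and consider rejecting an empty `secret-separator` next to the existing `,` check in main.go. The replacement is also global, so a separator character that occurs inside a `src` path is rewritten too; the field comment could state that, e.g. `// SecretsSeparator is replaced by "," in every Secrets entry; must be non-empty and must not occur in ids or paths`. `commandBuild` starts and ends outside this hunk.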