Support Secrets in Build #264

Open
starpebble opened this issue Mar 29, 2019 · 8 comments

@starpebble

Issue:
Support docker secret, in concourse jobs that build docker images.

Reference:

docker build has a --secret command line argument. It's different than --build-arg
https://docs.docker.com/engine/reference/commandline/build/

Expected result:
A concourse job can pass a map of secrets to a job. Just like build-args.

Motivation:
Secrets will not show up in docker inspect. build-args will show up in docker inspect. secrets are safe for passwords. build-args are not safe for passwords.

Concourse credential protected values must be valid values for a secret. Then everything is safe.

docker build --secret is supported in: Docker API 1.39+

Example:

```yaml
build_args:
  DO_THING: true
  HOW_MANY_THINGS: 2
  EMAIL: [email protected]
  CI_BUILD_ID: concourse-$BUILD_ID
secrets:
  PASSWORD: {{secret_password}}
```

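
The difference between `--build-arg` and `--secret` described in the issue above, shown as an added example that is not part of the original issue or of the resource's own code. The base image, stage names, tag names, secret id and sample value are constructed for illustration.

```dockerfile
# syntax=docker/dockerfile:1
# Constructed example: stage names, tags and the secret id are placeholders.

# --- Weak: credential passed as a build argument -------------------------
FROM alpine:3.19 AS leaky
ARG PASSWORD
# The value of PASSWORD is recorded with this step in the image metadata.
RUN test -n "${PASSWORD}"

# --- Corrected: credential passed as a BuildKit secret -------------------
FROM alpine:3.19 AS safer
# The secret is mounted at /run/secrets/<id> for this RUN step only.
# It is not written to a layer and is not stored in the image config.
RUN --mount=type=secret,id=password \
    test -s /run/secrets/password

# Build each stage and compare what the image records:
#
#   DOCKER_BUILDKIT=1 docker build --target leaky \
#       --build-arg PASSWORD=example-not-real -t demo:leaky .
#   docker history --no-trunc demo:leaky
#       # the RUN entry includes PASSWORD=example-not-real
#
#   DOCKER_BUILDKIT=1 docker build --target safer \
#       --secret id=password,src=./password.txt -t demo:safer .
#   docker history --no-trunc demo:safer
#       # the RUN entry shows the mount option, not the file contents
```
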
@stec00

stec00 commented Oct 13, 2021

Does anyone know if there is a workaround for this (before this issue is addressed) or is it currently not possible to supply a secret?

@xtremerui
Contributor

There is no way to supply a secret now. PR is welcome as docker_buildkit is already an option.

@JasonDictos
Contributor

Bump!

@JasonDictos
Contributor

Related: #331

@JasonDictos
Contributor

I am working on a fix here: #363

@mamachanko

I understand this is done as of #366.

However, I can't quite figure out how to use it. Say I've got access to ((super-token)) through my vars. How would I provide that to the build of an image through secrets:? It's probably obvious but I fail to connect the dots.

@markrmullan

> I understand this is done as of #366.
>
> However, I can't quite figure out how to use it. Say I've got access to ((super-token)) through my vars. How would I provide that to the build of an image through secrets:? It's probably obvious but I fail to connect the dots.

+1 — I've been trying various combinations of:

```yaml
secrets:
  <KEY>: ((secret-value))
```

```yaml
secrets:
  <ID>:
    <KEY>: ((secret-value))
```

```yaml
secrets:
  <ID>:
    <KEY>: ENV_VAR_NAME
```

and nothing seems to work, despite trying to fit these into what it seems like that structure expects. Any guidance on how secrets: are meant to work with Credential Management?

@xtremerui
Contributor

Hi, dynamic vars are not supported in put steps. The only way is through a load_var step, where you load docker secrets from a file first. It will then be available to the put step.
