
[Feature] Docker Build Secrets

Open iksaku opened this issue 1 year ago • 7 comments

What problem will this feature address?

Build Secrets have a similar scope to Build Variables in that both are only provided during the build process; however, secrets are specifically made not to be available in any way in the resulting image, nor in logs.

Describe the solution you'd like

Managing Build Secrets in Dokploy

I think it would make sense for Dokploy to manage Build Secrets the same way Build Variables are managed, using a <Secrets /> component.

Providing Build Secrets to Docker

There are 2 ways to tell docker build about secrets:

  • Via environment variables
API_TOKEN="<secret>" docker build . --secret id=token,env=API_TOKEN
  • Via file path, where the file contains the secret value
echo "<secret>" > /home/user123/.api-token
docker build . --secret id=token,src=/home/user123/.api-token

Dokploy could prepend the processed Build Secret key-value pairs to the docker execution, so we make the values available to the process, and then we append --secret flags to the command, just like the first example:

API_TOKEN="<secret>" docker build . --secret id=token,env=API_TOKEN

Providing the secret value by having Dokploy create files may not be the best option, as the files could pile up over time. Sure, we could use the /tmp directory... but it sounds more complex to me.

Describe alternatives you've considered

Managing Build Secrets via pre-existing files in Dokploy sounds like something somebody would want, and this would require the process for Build Secrets to be similar to Docker Volumes: you need to select a type of secret (in this case: Value, File Path) and then it cannot be changed later on. Dokploy would not manage the Secrets from pre-existing files on the host machine; it would only manage references to such files as secret value holders, and tell docker about the existence of these via --secret id=<name>,src=<path>.

To me, Dokploy managing the secret values is good enough, but it is not up to me to decide.

Additional context

I've looked to PR this myself, but as there is an alternative path that could (or could not) be decided to be useful, I preferred to stop and post this for discussion.

iksaku, Sep 02 '24 22:09

Hi @iksaku, sounds like a good idea. Since this applies only to Dockerfiles, and we have 2 inputs for environment variables and build variables, maybe in the build variable section we could add some toggle to denote that a variable will be used as a build secret?

Siumauricio, Sep 03 '24 23:09

@Siumauricio Build variables and Build secrets operate differently inside the Dockerfile.

For build variables, you can expect the following:

docker build . --build-arg MESSAGE="Hello world!"

# Dockerfile
ARG MESSAGE

RUN echo "${MESSAGE}"

But to access build secrets, the process is different:

MESSAGE="Hello world" docker build . --secret id=message,env=MESSAGE

# Dockerfile: the secret is only available as a file under /run/secrets for this RUN step
RUN --mount=type=secret,id=message cat /run/secrets/message

I think the difference in nature makes it worth having 2 separate properties instead of mixing them in a single input, as there would be no granularity to mark which to use as a build variable and which as a build secret.

iksaku, Sep 06 '24 19:09
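The following is an added TypeScript example; it is not Dokploy's code and was not posted by anyone in this thread. It puts together the proposal from the issue body (hand the processed secret values to the docker execution through its environment and append --secret id=<id>,env=<VAR> flags) and the ARG-versus-secret-mount distinction from the comment above. The DOKPLOY_SECRET_ prefix, the function names and both sample Dockerfiles are assumptions constructed for the example; the returned command, args and env are intended to be handed to child_process.spawn(command, args, { env }).

```typescript
// Added example (not Dokploy's code and not posted in this thread). Each build
// secret's value is placed in the environment of the `docker build` child process
// and referenced as `--secret id=<id>,env=<VAR>`, so it never appears in argv (visible
// in `ps` and command logging). A second helper audits a Dockerfile: secrets should be
// consumed via `RUN --mount=type=secret,...`, never via `ARG` (recorded in image history).

interface BuildSecret {
  id: string;    // BuildKit secret id, as used in --secret and --mount=type=secret,id=
  value: string; // secret material; never logged
}

interface DockerBuildInvocation {
  command: string;
  args: string[];                  // contains no secret values; safe to log
  env: { [name: string]: string }; // for spawn(command, args, { env }); do not log
}

// Conservative id charset: ',' or '=' inside an id would corrupt --secret parsing.
const SECRET_ID_RE = /^[A-Za-z0-9_.-]+$/;

// Hypothetical prefix (an assumption for this example, not a Dokploy convention).
function envNameFor(id: string): string {
  return "DOKPLOY_SECRET_" + id.toUpperCase().replace(/[^A-Z0-9_]/g, "_");
}

function buildInvocation(
  secrets: BuildSecret[],
  contextDir: string,
  dockerfile: string = "Dockerfile",
  baseEnv: { [name: string]: string } = {},
): DockerBuildInvocation {
  const env: { [name: string]: string } = { ...baseEnv, DOCKER_BUILDKIT: "1" };
  const args = ["build", contextDir, "-f", dockerfile];
  for (const s of secrets) {
    if (!SECRET_ID_RE.test(s.id)) {
      throw new Error("invalid build secret id: " + JSON.stringify(s.id));
    }
    const name = envNameFor(s.id);
    // "a-b" and "a.b" map to one variable, and baseEnv may already define it;
    // one value would silently overwrite another, so refuse instead.
    if (Object.prototype.hasOwnProperty.call(env, name)) {
      throw new Error("environment name collision for build secret " + s.id);
    }
    env[name] = s.value;
    args.push("--secret", "id=" + s.id + ",env=" + name);
  }
  return { command: "docker", args: args, env: env };
}

// Join backslash continuations so a multi-line RUN is analysed as one instruction.
function logicalLines(dockerfile: string): string[] {
  return dockerfile.replace(/\\\r?\n/g, " ").split(/\r?\n/);
}

// Secret ids the Dockerfile consumes via RUN --mount=type=secret,id=<id>[,...].
function mountedSecretIds(dockerfile: string): string[] {
  const ids: string[] = [];
  const mountRe = /--mount=(\S+)/g;
  for (const line of logicalLines(dockerfile)) {
    if (!/^\s*RUN\b/i.test(line)) continue;
    let m: RegExpExecArray | null;
    while ((m = mountRe.exec(line)) !== null) {
      const opts: { [key: string]: string } = {};
      for (const kv of m[1].split(",")) {
        const eq = kv.indexOf("=");
        if (eq > 0) opts[kv.slice(0, eq)] = kv.slice(eq + 1);
      }
      if (opts["type"] === "secret" && opts["id"] && ids.indexOf(opts["id"]) < 0) {
        ids.push(opts["id"]);
      }
    }
  }
  return ids;
}

// unmounted: declared secrets no RUN step mounts. argCollisions: an ARG with the
// secret's name exists, so the Dockerfile still expects the value as a build arg.
function auditSecretUsage(
  dockerfile: string,
  secretIds: string[],
): { unmounted: string[]; argCollisions: string[] } {
  const mounted = mountedSecretIds(dockerfile);
  const argNames: string[] = [];
  for (const line of logicalLines(dockerfile)) {
    const m = /^\s*ARG\s+([A-Za-z_][A-Za-z0-9_]*)/i.exec(line);
    if (m) argNames.push(m[1].toUpperCase());
  }
  return {
    unmounted: secretIds.filter((id) => mounted.indexOf(id) < 0),
    argCollisions: secretIds.filter((id) => argNames.indexOf(id.toUpperCase()) >= 0),
  };
}

// Constructed sample, hardened form: the .npmrc exists only for this RUN step.
const GOOD_DOCKERFILE = [
  "FROM node:20-alpine",
  "COPY package.json package-lock.json ./",
  "RUN --mount=type=secret,id=npmrc,target=/root/.npmrc \\",
  "    npm ci",
].join("\n");

// Constructed sample, leaking form: the RUN layer's recorded command carries the ARG value.
const BAD_DOCKERFILE = [
  "FROM node:20-alpine",
  "ARG NPM_TOKEN",
  "RUN npm config set //registry.npmjs.org/:_authToken=${NPM_TOKEN} && npm ci",
].join("\n");
```

The env= form of --secret requires BuildKit. Moving the value into the child environment keeps it out of argv and out of command logs, but it remains readable by anyone who can read /proc/<pid>/environ of the build process (same user or root), so this protects against log and process-list exposure, not against a compromised host. Inside the build, the file under /run/secrets is present only for the RUN step that mounts it and is not written into the layer, which is the property ARG cannot give.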

Any update on this? We are using docker build-time secrets to build our images. Are there any workarounds until this feature is implemented?

ismoiliy98, Sep 30 '24 10:09

An alternative at the moment, although not perfect, is to use Build Variables instead.

iksaku, Sep 30 '24 12:09

Hey, sorry for the delay. @iksaku, are you interested in working on this? If so, you can go ahead with the implementation.

Siumauricio, Sep 30 '24 15:09

Sure, I would love to get into it. I just haven't found the time to draft it, but I will try to find some in the coming weeks.

If anyone beats me to it, I would love to discuss implementation!

iksaku, Oct 01 '24 03:10

@iksaku No worries, take your time whenever you want!

Siumauricio, Oct 31 '24 03:10

Any update on this?

marcopedone, Aug 05 '25 07:08

Just bumped into this. Would be great to have!

anthony2261, Sep 12 '25 15:09

Hey everyone! Not sure how mailing works, but bumping for those subscribed just in case.

Finally got around to implementing this in #2745. If anyone is up to test this, please do let me know if you encounter any issues.

Thank you all for your patience 🙇‍♂️

iksaku, Oct 02 '25 00:10