docker-image-resource
Support Secrets in Build
Issue: Support docker secret, in concourse jobs that build docker images.
Reference:
docker build has a --secret command line argument. It's different than --build-arg https://docs.docker.com/engine/reference/commandline/build/
Expected result: A concourse job can pass a map of secrets to a job. Just like build-args.
Motivation: Secrets will not show up in docker inspect. build-args will show up in docker inspect. secrets are safe for passwords. build-args are not safe for passwords.
Concourse credential protected values must be valid values for a secret. Then everything is safe.
docker build --secret is supported in: Docker API 1.39+
Example:
build_args:
  DO_THING: true
  HOW_MANY_THINGS: 2
  EMAIL: [email protected]
  CI_BUILD_ID: concourse-$BUILD_ID
secrets:
  PASSWORD: {{secret_password}}
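An added example, not part of the original issue or the resource's code: a Python check over `docker history --no-trunc --format '{{json .}}'` output that lists build-arg values recorded in layer metadata, the exposure the motivation above describes. The sample rows, their values and the name heuristic are constructed assumptions; the second sample shows a secret-mount build, where nothing is recorded.

```python
import json
import re

# RUN layers record build-args as "|N name=value ... <command>";
# BuildKit puts "RUN " in front of that prefix.
ARG_PREFIX = re.compile(r"^(?:RUN )?\|(\d+) (.*)$", re.S)
SENSITIVE = re.compile(r"PASS|SECRET|TOKEN|KEY", re.I)  # assumed naming heuristic

def _row(created_by):
    return json.dumps({"CreatedBy": created_by})

# Constructed samples (values invented), shaped like `docker history` JSON rows.
HISTORY_BUILD_ARGS = [
    _row("RUN |2 DO_THING=true PASSWORD=hunter2 /bin/sh -c ./install.sh # buildkit"),
    _row("|1 PASSWORD=hunter2 /bin/sh -c ./install.sh"),  # classic builder form
    _row("ARG PASSWORD"),
]
HISTORY_SECRET_MOUNT = [
    # The command reads a mounted secret file; there is no "|N" prefix to parse.
    _row("RUN /bin/sh -c PASSWORD=$(cat /run/secrets/PASSWORD) ./install.sh # buildkit"),
]

def leaked_build_args(history_rows):
    """Return {name: value} for build-args recorded in RUN layer metadata."""
    leaked = {}
    for row in history_rows:
        match = ARG_PREFIX.match(json.loads(row).get("CreatedBy", ""))
        if not match:
            continue
        count = int(match.group(1))
        # Only the first N tokens are build-args; the rest is the command.
        # A value containing spaces is cut at its first space here.
        for token in match.group(2).split(" ", count)[:count]:
            name, sep, value = token.partition("=")
            if sep:
                leaked[name] = value
    return leaked

def sensitive_names(leaked):
    """Names among the leaked build-args that look like credentials."""
    return sorted(name for name in leaked if SENSITIVE.search(name))

if __name__ == "__main__":
    for label, rows in (("build-args", HISTORY_BUILD_ARGS),
                        ("secret mount", HISTORY_SECRET_MOUNT)):
        found = leaked_build_args(rows)
        print(label, found, "sensitive:", sensitive_names(found))
```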
Does anyone know if there is a workaround for this (before this issue is addressed) or is it currently not possible to supply a secret?
There is no way to supply a secret now. PR is welcome as docker_buildkit is already an option.
Bump!
Related: https://github.com/concourse/docker-image-resource/pull/331
I am working on a fix here: https://github.com/concourse/docker-image-resource/pull/363
I understand this is done as of https://github.com/concourse/docker-image-resource/pull/366.
However, I can't quite figure out how to use it. Say I've got access to ((super-token)) through my vars. How would I provide that to the build of an image through secrets:? It's probably obvious but I fail to connect the dots.