containers
podman-compose build does not support environment type secrets
Describe the bug
When using podman-compose build it errors out on having any secrets defines as environment:. This is supported in the compose spec
To Reproduce Steps to reproduce the behavior:
- From the root of a repo create the following:
- test-image/Dockerfile
- docker-compose.yml
- Contents of Dockerfile:
FROM redhat/ubi9:latest
RUN --mount=type=secret,id=proxy_username,target=/etc/yum/vars/proxy_username \
--mount=type=secret,id=proxy_token,target=/etc/yum/vars/proxy_token \
microdnf upgrade -y --nodocs && \
microdnf install -y --nodocs tar gzip
- Contents of docker-compose.yml
version: "3.8"
services:
test-image:
build:
dockerfile: ./test-image/Dockerfile
secrets:
- proxy_username
- proxy_api_token
image: ${IMAGE_PATH:-test-image}:${IMAGE_TAG:-latest}
secrets:
proxy_api_token:
environment: PROXY_REGISTRY_API_TOKEN
proxy_username:
environment: PROXY_REGISTRY_USERNAME
- Set the variables in your environment
export PROXY_REGISTRY_USERNAME="test-user"
export PROXY_REGISTRY_API_TOKEN="test-token"
- Run podman-compose build
podman-compose build test-image
Expected behavior podman-compose should have access to the environment variables set on the host/container it is running in and pass them along.
Actual behavior podman-compose fails at parsing the yaml file.
Output
$ podman-compose -v
podman-compose version 1.2.0
podman version 4.9.4-rhel
$ podman-compose build test-image
Traceback (most recent call last):
File "/usr/local/bin/podman-compose", line 8, in <module>
sys.exit(main())
File "/usr/local/lib/python3.9/site-packages/podman_compose.py", line 3504, in main
asyncio.run(async_main())
File "/usr/lib64/python3.9/asyncio/runners.py", line 44, in run
return loop.run_until_complete(main)
File "/usr/lib64/python3.9/asyncio/base_events.py", line 647, in run_until_complete
return future.result()
File "/usr/local/lib/python3.9/site-packages/podman_compose.py", line 3500, in async_main
await podman_compose.run()
File "/usr/local/lib/python3.9/site-packages/podman_compose.py", line 1743, in run
retcode = await cmd(self, args)
File "/usr/local/lib/python3.9/site-packages/podman_compose.py", line 2422, in compose_build
s = await t
File "/usr/lib64/python3.9/asyncio/tasks.py", line 611, in _wait_for_one
return f.result() # May raise f.exception().
File "/usr/local/lib/python3.9/site-packages/podman_compose.py", line 2376, in build_one
build_args.extend(get_secret_args(compose, cnt, secret, podman_is_building=True))
File "/usr/local/lib/python3.9/site-packages/podman_compose.py", line 646, in get_secret_args
raise ValueError(
ValueError: ERROR: unparsable secret: "proxy_api_token", service: "test-image"
Environment:
- OS: Linux
- podman version: 4.9.4-rhel
- podman compose version: 1.2.0
Looks like this was fixed in #971 which was merged back in July, but the latest release of podman-compose was in June.
@ArthurHNL #971 does not fix this. See https://github.com/containers/podman-compose/issues/671#issuecomment-2217651095
In fact it does not even fix #671.
From the OP in #671:
The compose spec specifies that secrets can be read from the environment (https://github.com/compose-spec/compose-spec/blob/master/spec.md#secrets-top-level-element, list item
environment)
Note that they were talking about the secrets top level element.
Just tested podman-compose 1.3 and I get the same error.
Thank you for looking into this.
Just throwing my hat in the ring for this. We make heavy use of secrets being mounted in via the compose file's top-level secrets key
