
Added support for passing secrets to `FROM DOCKERFILE` command

Open sandeshlmore opened this issue 3 years ago • 3 comments

Fixes: #1483

This PR allows users to pass secrets to the FROM DOCKERFILE earthly command/stage. A secret can be passed to FROM DOCKERFILE with the flag --secret.

example:

Dockerfile

FROM busybox:latest

RUN --mount=type=secret,id=TEST_SECRET_1,target=/mount.txt cp /mount.txt /TEST_ENV_SECRET_1.txt
RUN --mount=type=secret,id=TEST_SECRET_2,target=/mount.txt cp /mount.txt /TEST_ENV_SECRET_2.txt

Earthfile

test:
    FROM DOCKERFILE --secret TEST_SECRET_1 --secret TEST_SECRET_2=+secrets/SUPER_SECRET .
    RUN test "$(cat /TEST_ENV_SECRET_1.txt)" = "this is secret from env"
    RUN test "$(cat /TEST_ENV_SECRET_2.txt)" = "foo"

Set Env Locally

export TEST_SECRET_1="this is secret from env"

Build target test from Earthfile

earthly --secret TEST_SECRET_1 --secret SUPER_SECRET="foo" --no-cache +test

OUTPUT:

            internal | --> load metadata for docker.io/library/busybox:latest
             stage-0 | --> FROM docker.io/library/busybox:latest@sha256:ef320ff10026a50cf5f0213d35537ce0041ac1d96e9b7800bafd8bc9eff6c693
             stage-0 | [          ]   0% resolve docker.io/library/busybox:latest@sha256:ef320ff10026a50cf5f0213d35537ce0041ac1d96e9b7800bafd8bc9eff6c693 [██████████] 100% resolve docker.io/library/busybox:latest@sha256:ef320ff10026a50cf5f0213d35537ce0041ac1d96e9b7800bafd8bc9eff6c693
             stage-0 | --> RUN --mount=type=secret,id=TEST_SECRET_1,target=/mount.txt cp /mount.txt /TEST_ENV_SECRET_1.txt
             stage-0 | --> RUN --mount=type=secret,id=TEST_SECRET_2,target=/mount.txt cp /mount.txt /TEST_ENV_SECRET_2.txt
               +test | --> RUN test "$(cat /TEST_ENV_SECRET_1.txt)" = "this is secret from env"
               +test | --> RUN test "$(cat /TEST_ENV_SECRET_2.txt)" = "foo"
              output | --> exporting outputs

I have also added a test case under /tests/from-dockerfile-secrets.earth which can be run as

./build/linux/amd64/earthly --no-cache -P ./tests+from-dockerfile-secrets --DOCKERHUB_AUTH=false

sandeshlmore avatar Aug 03 '22 04:08 sandeshlmore
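One caveat a practitioner will want alongside the PR's example: the test Dockerfile above deliberately runs `cp /mount.txt /TEST_ENV_SECRET_1.txt`, which writes the secret into the image filesystem so the Earthfile can assert on it. That is fine for a test, but in a real build it defeats the purpose of `--mount=type=secret`, whose point is that the secret exists only for the duration of the RUN step and never lands in a layer. The Dockerfile below is an added example, not code from the PR or from the earthly project; it uses the same `RUN --mount=type=secret` mechanism the PR exercises but consumes the secret in place and then checks that nothing persisted. The secret id `npmrc`, the `node:20-alpine` base image and the presence of `package.json`/`package-lock.json` in the build context are assumptions.

```dockerfile
# syntax=docker/dockerfile:1
# Added example (not part of the PR): consume a secret inside a Dockerfile
# that earthly builds via FROM DOCKERFILE --secret, without copying it into
# a layer. The secret id "npmrc", the base image and the package files are
# assumptions for illustration.
FROM node:20-alpine
WORKDIR /app
COPY package.json package-lock.json ./

# The mounted file exists only while this RUN executes. npm reads the
# registry auth token from /root/.npmrc; the layer produced by this step
# contains node_modules but not the token.
RUN --mount=type=secret,id=npmrc,target=/root/.npmrc npm ci

# Contrast with the PR's test Dockerfile, which cp's the mounted secret into
# the image so a later step can read it. Here the build fails if the secret
# file somehow persisted into the filesystem after the mount was removed.
RUN test ! -e /root/.npmrc
```

On the Earthfile side this pairs with the syntax the PR introduces, `FROM DOCKERFILE --secret npmrc .` inside a target (the target name is yours to choose), and the build is invoked the same way as in the PR's example, e.g. `earthly --secret npmrc="$(cat ~/.npmrc)" +yourtarget`. Because the secret is mounted at a `target` path rather than copied, the resulting image and its history contain no trace of the token, which is the property to verify if you adapt the PR's test pattern to a real project.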

CLA assistant check
All committers have signed the CLA.

CLAassistant avatar Aug 03 '22 04:08 CLAassistant

Thanks @alexcb for providing feedback.

From the example you gave, I understand that the user should be able to refer to a secret set along with the earthly command run.

Quick question: can the user also refer to cloud secrets (the earthly secrets set command), or should only secrets set from the command line with the --secret flag be supported here?

sandeshlmore avatar Aug 05 '22 15:08 sandeshlmore

quick question: can the user also refer to cloud secrets (the earthly secrets set command), or should only secrets set from the command line with the --secret flag be supported here?

ideally yes; however if there's a technical reason why it's not possible, we'll have to settle on the user performing remapping via the FROM DOCKERFILE --secret Foo=+secrets/my/cloud/secret syntax.

alexcb avatar Aug 05 '22 15:08 alexcb