From 1ff092867189b1d3fa2b3b4482e356f0b20b5752 Mon Sep 17 00:00:00 2001
From: Ralph Bean
Date: Tue, 2 Jul 2024 16:29:29 -0400
Subject: [PATCH] Iterate over additional secret keys, making all available

Two bugs are fixed here. First, the buildah `--secret` arg expects a *file*, not a directory, so every key/value pair in the kubernetes secrets mounted in needs to be supplied as a separate argument to buildah. Second, buildah won't accept symlinks and all of the individual files in the mounted directory are symlinks. The `-L` option to `cp` addresses that by de-referencing them.
---
 task/buildah/0.1/buildah.yaml | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/task/buildah/0.1/buildah.yaml b/task/buildah/0.1/buildah.yaml
index cf74553521..bbe48df656 100644
--- a/task/buildah/0.1/buildah.yaml
+++ b/task/buildah/0.1/buildah.yaml
@@ -293,10 +293,13 @@ spec:
 fi

 ADDITIONAL_SECRET_PATH="/additional-secret"
+ ADDITIONAL_SECRET_TMP="/tmp/additional-secret"
 if [ -d "$ADDITIONAL_SECRET_PATH" ]; then
- cp -r --preserve=mode "$ADDITIONAL_SECRET_PATH" /tmp/additional-secret
- BUILDAH_ARGS+=("--secret=id=${ADDITIONAL_SECRET},src=/tmp/additional-secret")
- echo "Adding the secret ${ADDITIONAL_SECRET} to the build, available at /run/secrets/${ADDITIONAL_SECRET}"
+ cp -r --preserve=mode -L "$ADDITIONAL_SECRET_PATH" $ADDITIONAL_SECRET_TMP
+ for filename in $(find $ADDITIONAL_SECRET_TMP -maxdepth 1 -type f -exec basename {} \;); do
+ echo "Adding the secret ${ADDITIONAL_SECRET}/$(unknown) to the build, available at /run/secrets/${ADDITIONAL_SECRET}/$(unknown)"
+ BUILDAH_ARGS+=("--secret=id=${ADDITIONAL_SECRET}/$(unknown),src=$ADDITIONAL_SECRET_TMP/$(unknown)")
+ done
 fi

 unshare -Uf $UNSHARE_ARGS --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w ${SOURCE_CODE_DIR}/$CONTEXT -- buildah build \
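Review bot: As rendered here, the two loop-body lines use `$(unknown)` where the variable set by `for filename in ...` is clearly meant, so unless this is an artifact of how the patch was rendered each iteration runs a command named `unknown` and every key ends up with the same `id=${ADDITIONAL_SECRET}/` and a `src=` that is the directory buildah already rejected; the four occurrences should read `${filename}`. Beyond that, `for filename in $(find ... -exec basename {} \;)` word-splits and globs the command output and leaves `$ADDITIONAL_SECRET_TMP` unquoted on both the `cp` and `find` lines, inconsistent with the quoted `"$ADDITIONAL_SECRET_PATH"` beside it; Kubernetes restricts secret keys to `[-._a-zA-Z0-9]`, so this is not exploitable today, but since the script already relies on bash arrays a NUL-delimited `read` loop over `find -print0` costs nothing and removes the assumption. It is also worth a comment on why `-maxdepth 1 -type f` is used rather than a `*` glob: it keeps dot-prefixed keys (e.g. `.dockerconfigjson`) and skips whatever directories `cp -L` presumably materialises from the secret volume's symlink layout, which a plain glob would get wrong without `dotglob`. The rewritten lines are below; the enclosing step script starts and ends outside the hunk.
```shell
# … unchanged: if [ -d "$ADDITIONAL_SECRET_PATH" ]; then …
cp -r --preserve=mode -L "$ADDITIONAL_SECRET_PATH" "$ADDITIONAL_SECRET_TMP"
# Depth-1 regular files are the dereferenced key files (dot-prefixed keys included);
# -type f skips any directories cp -L also copied. NUL-delimited so the key names
# are never word-split or globbed.
while IFS= read -r -d '' path; do
  filename=${path##*/}
  echo "Adding the secret ${ADDITIONAL_SECRET}/${filename} to the build, available at /run/secrets/${ADDITIONAL_SECRET}/${filename}"
  BUILDAH_ARGS+=("--secret=id=${ADDITIONAL_SECRET}/${filename},src=${path}")
done < <(find "$ADDITIONAL_SECRET_TMP" -maxdepth 1 -type f -print0)
# … unchanged: fi …
```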