Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: add buildah param to inject secrets into the build #1099

Merged
merged 5 commits into from
Jul 2, 2024
Merged

Conversation

ralphbean
Copy link
Member

The secret is made available only to RUN lines that are invoked with --mount, like this:

RUN --mount=type=secret,id={secret-name} cat /run/secrets/{secret-name}

See https://docs.podman.io/en/latest/markdown/podman-build.1.html#secret-id-id-src-path

cp -r --preserve=mode "$OPTIONAL_SECRET_PATH" /tmp/optional-secret
BUILDAH_ARGS+=("--secret=id=${OPTIONAL_SECRET},src=/tmp/optional-secret")
echo "Adding the secret ${OPTIONAL_SECRET} to the build, available at /run/secrets/${OPTIONAL_SECRET}"
fi
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Technically, this allows the user to inject arbitrary content into the build. Although the same could be said for every volume mount unless the content comes from the output of a trusted task. The likelihood of this being misused seems slightly higher than for the other secrets, though still fairly low.

I'm not too concerned over adding this, just raising an observation

@ralphbean ralphbean marked this pull request as ready for review June 28, 2024 16:52
@ralphbean ralphbean requested a review from chmeliik June 28, 2024 16:53
@ralphbean
Copy link
Member Author

/retest

task/buildah-oci-ta/0.1/buildah-oci-ta.yaml Outdated Show resolved Hide resolved
@@ -67,6 +67,11 @@ spec:
hours, days, and weeks, respectively.
type: string
default: ""
- name: OPTIONAL_SECRET
description: Name of a secret which will be made available to the build
with 'buildah build --secret' at /run/secrets/$OPTIONAL_SECRET
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Btw, what is the reasoning behind the name OPTIONAL_SECRET?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hm, the first name I chose was EXTRA_SECRET. Meaning - it's just an extra secret in addition to the entitlement secret that you can inject into your build.

On reading, I thought that "extra secret" might spuriously convey the idea that the secret was "more secret" than normal secrets - which isn't the intent.

Rather than OPTIONAL_SECRET, we could consider ADDITIONAL_SECRET - or .. any ideas?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ADDITIONAL_SECRET does sound a bit more straightforward.

@ralphbean ralphbean force-pushed the secret-id branch 2 times, most recently from efa55a3 to 8f493a4 Compare July 2, 2024 13:27
Copy link
Contributor

@chmeliik chmeliik left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

For posterity, could you describe what immediate use case this is meant to address?

@ralphbean
Copy link
Member Author

Yes, it's amazing. In this line of this Containerfile the instructlab team is adding a "physically bound" container, embedding it in another container.

Upstream, that works as is. In private environments, users need auth to pull that inner image during the build process of the outer image.

This is incompatible with hermetic mode.

I can imagine a user might someday want to use this in combination with hermetic mode in order to decrypt some content, encrypted at rest, during their build. But, that is an imagined use case - not real.

ralphbean added 5 commits July 2, 2024 10:34
The secret is made available only to RUN lines that are invoked with
`--mount`, like this:

```
RUN --mount=type=secret,id={secret-name} cat /run/secrets/{secret-name}
```

See https://docs.podman.io/en/latest/markdown/podman-build.1.html#secret-id-id-src-path

Signed-off-by: Ralph Bean <[email protected]>
Per review feedback. This is a more straightforward name.
@ralphbean ralphbean added this pull request to the merge queue Jul 2, 2024
Merged via the queue into main with commit 09da36d Jul 2, 2024
7 checks passed
@ralphbean ralphbean deleted the secret-id branch July 2, 2024 20:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants