-
Notifications
You must be signed in to change notification settings - Fork 141
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: add buildah param to inject secrets into the build #1099
Conversation
cp -r --preserve=mode "$OPTIONAL_SECRET_PATH" /tmp/optional-secret | ||
BUILDAH_ARGS+=("--secret=id=${OPTIONAL_SECRET},src=/tmp/optional-secret") | ||
echo "Adding the secret ${OPTIONAL_SECRET} to the build, available at /run/secrets/${OPTIONAL_SECRET}" | ||
fi |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Technically, this allows the user to inject arbitrary content into the build. Although the same could be said for every volume mount unless the content comes from the output of a trusted task. The likelihood of this being misused seems slightly higher than for the other secrets, though still fairly low.
I'm not too concerned over adding this, just raising an observation
/retest |
@@ -67,6 +67,11 @@ spec: | |||
hours, days, and weeks, respectively. | |||
type: string | |||
default: "" | |||
- name: OPTIONAL_SECRET | |||
description: Name of a secret which will be made available to the build | |||
with 'buildah build --secret' at /run/secrets/$OPTIONAL_SECRET |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Btw, what is the reasoning behind the name OPTIONAL_SECRET?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hm, the first name I chose was EXTRA_SECRET
. Meaning - it's just an extra secret in addition to the entitlement secret that you can inject into your build.
On reading, I thought that "extra secret" might spuriously convey the idea that the secret was "more secret" than normal secrets - which isn't the intent.
Rather than OPTIONAL_SECRET, we could consider ADDITIONAL_SECRET - or .. any ideas?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ADDITIONAL_SECRET does sound a bit more straightforward.
efa55a3
to
8f493a4
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
For posterity, could you describe what immediate use case this is meant to address?
Yes, it's amazing. In this line of this Containerfile the instructlab team is adding a "physically bound" container, embedding it in another container. Upstream, that works as is. In private environments, users need auth to pull that inner image during the build process of the outer image. This is incompatible with hermetic mode. I can imagine a user might someday want to use this in combination with hermetic mode in order to decrypt some content, encrypted at rest, during their build. But, that is an imagined use case - not real. |
The secret is made available only to RUN lines that are invoked with `--mount`, like this: ``` RUN --mount=type=secret,id={secret-name} cat /run/secrets/{secret-name} ``` See https://docs.podman.io/en/latest/markdown/podman-build.1.html#secret-id-id-src-path Signed-off-by: Ralph Bean <[email protected]>
Per review feedback. This is a more straightforward name.
The secret is made available only to RUN lines that are invoked with
--mount
, like this:See https://docs.podman.io/en/latest/markdown/podman-build.1.html#secret-id-id-src-path