
Commit 33942c6

committed
pass bake secrets by env
Signed-off-by: Nicolas De Loof <[email protected]>
1 parent 8978c10 commit 33942c6


1 file changed

+11
-21
lines changed


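--- a/pkg/compose/build_bake.go
+++ b/pkg/compose/build_bake.go
@@ -176,18 +176,7 @@ func (s *composeService) doBuildBake(ctx context.Context, project *types.Project
 }
 }
 
-// tmpSecrets stores secret set by environment variables, so we don't have to "pollute" bake process's environment
-tmpSecrets, err := os.MkdirTemp("", "secrets")
-if err != nil {
-return nil, err
-}
-defer func() {
-rerr := os.RemoveAll(tmpSecrets)
-if rerr != nil {
-logrus.Warnf("Failed to removed temporary secrets directory %s: %s", tmpSecrets, rerr.Error())
-}
-}()
-
+var secretsEnv []string
 for serviceName, service := range project.Services {
 if service.Build == nil {
 continue
@@ -244,10 +233,12 @@ func (s *composeService) doBuildBake(ctx context.Context, project *types.Project
 
 target := targets[serviceName]
 
-secrets, err := toBakeSecrets(project, build.Secrets, tmpSecrets)
+secrets, env, err := toBakeSecrets(project, build.Secrets)
 if err != nil {
 return nil, err
 }
+secretsEnv = append(secretsEnv, env...)
+
 cfg.Targets[target] = bakeTarget{
 Context: build.Context,
 Contexts: additionalContexts(build.AdditionalContexts, targets),
@@ -357,6 +348,7 @@ func (s *composeService) doBuildBake(ctx context.Context, project *types.Project
 return nil, err
 }
 cmd.Env = append(cmd.Env, endpoint...)
+cmd.Env = append(cmd.Env, secretsEnv...)
 defer cleanup()
 
 cmd.Stdout = s.stdout()
@@ -471,8 +463,9 @@ func toBakeSSH(ssh types.SSHConfig) []string {
 return s
 }
 
-func toBakeSecrets(project *types.Project, secrets []types.ServiceSecretConfig, tmpSecrets string) ([]string, error) {
+func toBakeSecrets(project *types.Project, secrets []types.ServiceSecretConfig) ([]string, []string, error) {
 var s []string
+var env []string
 for _, ref := range secrets {
 def := project.Secrets[ref.Source]
 target := ref.Target
@@ -481,17 +474,14 @@ func toBakeSecrets(project *types.Project, secrets []types.ServiceSecretConfig,
 }
 switch {
 case def.Environment != "":
-sf := filepath.Join(tmpSecrets, def.Environment)
-err := os.WriteFile(sf, []byte(project.Environment[def.Environment]), 0o600)
-if err != nil {
-return nil, err
-}
-s = append(s, fmt.Sprintf("id=%s,type=file,src=%s", target, sf))
+sec := project.Environment[def.Environment]
+env = append(env, fmt.Sprintf("%s=%s", target, sec))
+s = append(s, fmt.Sprintf("id=%s,type=env,env=%s", target, def.Environment))
 case def.File != "":
 s = append(s, fmt.Sprintf("id=%s,type=file,src=%s", target, def.File))
 }
 }
-return s, nil
+return s, env, nil
 }
 
 func toBakeAttest(build types.BuildConfig) []string {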
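Review bot: In the last hunk, toBakeSecrets exports the value under the name `target`, but the spec on the following line tells bake to read `env=def.Environment`, so whenever a secret's id differs from its variable name bake is pointed at a variable this code never set. The entry should be keyed on the same name the spec references: `env = append(env, fmt.Sprintf("%s=%s", def.Environment, sec))`. Keying it on `target` also means a secret id that happens to match another variable name lands in `cmd.Env` after the endpoint entries and would likely take precedence over them; how `cmd.Env` is first populated is outside the visible hunks. A variable missing from `project.Environment` is forwarded as an empty secret with no error, so `sec, ok := project.Environment[def.Environment]` with an error on `!ok` would surface misconfiguration. The removed comment said the temp directory existed to keep secrets out of the bake process's environment; a short comment at `var secretsEnv []string` stating that secret values are now visible in the child's environment would record that trade-off.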
