
Commit 8af0d39

committed
pass bake secrets by env
Signed-off-by: Nicolas De Loof <[email protected]>
1 parent 8978c10 commit 8af0d39


1 file changed

+10
-24
lines changed


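--- a/pkg/compose/build_bake.go
+++ b/pkg/compose/build_bake.go
@@ -176,18 +176,7 @@ func (s *composeService) doBuildBake(ctx context.Context, project *types.Project
 }
 }
 
-// tmpSecrets stores secret set by environment variables, so we don't have to "pollute" bake process's environment
-tmpSecrets, err := os.MkdirTemp("", "secrets")
-if err != nil {
-return nil, err
-}
-defer func() {
-rerr := os.RemoveAll(tmpSecrets)
-if rerr != nil {
-logrus.Warnf("Failed to removed temporary secrets directory %s: %s", tmpSecrets, rerr.Error())
-}
-}()
-
+var secretsEnv []string
 for serviceName, service := range project.Services {
 if service.Build == nil {
 continue
@@ -244,10 +233,9 @@ func (s *composeService) doBuildBake(ctx context.Context, project *types.Project
 
 target := targets[serviceName]
 
-secrets, err := toBakeSecrets(project, build.Secrets, tmpSecrets)
-if err != nil {
-return nil, err
-}
+secrets, env := toBakeSecrets(project, build.Secrets)
+secretsEnv = append(secretsEnv, env...)
+
 cfg.Targets[target] = bakeTarget{
 Context: build.Context,
 Contexts: additionalContexts(build.AdditionalContexts, targets),
@@ -357,6 +345,7 @@ func (s *composeService) doBuildBake(ctx context.Context, project *types.Project
 return nil, err
 }
 cmd.Env = append(cmd.Env, endpoint...)
+cmd.Env = append(cmd.Env, secretsEnv...)
 defer cleanup()
 
 cmd.Stdout = s.stdout()
@@ -471,8 +460,9 @@ func toBakeSSH(ssh types.SSHConfig) []string {
 return s
 }
 
-func toBakeSecrets(project *types.Project, secrets []types.ServiceSecretConfig, tmpSecrets string) ([]string, error) {
+func toBakeSecrets(project *types.Project, secrets []types.ServiceSecretConfig) ([]string, []string) {
 var s []string
+var env []string
 for _, ref := range secrets {
 def := project.Secrets[ref.Source]
 target := ref.Target
@@ -481,17 +471,13 @@ func toBakeSecrets(project *types.Project, secrets []types.ServiceSecretConfig,
 }
 switch {
 case def.Environment != "":
-sf := filepath.Join(tmpSecrets, def.Environment)
-err := os.WriteFile(sf, []byte(project.Environment[def.Environment]), 0o600)
-if err != nil {
-return nil, err
-}
-s = append(s, fmt.Sprintf("id=%s,type=file,src=%s", target, sf))
+env = append(env, fmt.Sprintf("%s=%s", def.Environment, project.Environment[def.Environment]))
+s = append(s, fmt.Sprintf("id=%s,type=env,env=%s", target, def.Environment))
 case def.File != "":
 s = append(s, fmt.Sprintf("id=%s,type=file,src=%s", target, def.File))
 }
 }
-return s, nil
+return s, env
 }
 
 func toBakeAttest(build types.BuildConfig) []string {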
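Review bot: In the third hunk `secretsEnv` is appended to `cmd.Env` after the endpoint variables, and os/exec keeps only the last entry for a duplicate key, so a secret whose `environment:` name matches a variable already set for the command silently replaces that value for the bake process. The secret values also now sit in the child's environment, which the removed comment said the temporary directory existed to avoid, so the trade-off (nothing written to disk, but the values are presumably visible to whatever bake spawns) should be stated where `secretsEnv` is declared. I would have `toBakeSecrets` skip or reject a name that is already present in the command environment, and give it a doc comment such as `// toBakeSecrets returns the bake secret specs plus the NAME=value pairs to export to the bake process for type=env secrets.` `project.Environment[def.Environment]` yields an empty string for an unset name, so the build receives an empty secret without any warning; a presence check with `v, ok := project.Environment[def.Environment]` would make that case explicit. doBuildBake begins and ends outside the hunks shown.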
