Merge pull request #567 from tonistiigi/dockerfile-secrets

dockerfile: implement secret type mounts

frontend/dockerfile/dockerfile2llb/convert_nosecrets.go

@@ -0,0 +1,13 @@
+// +build dfrunmount,!dfsecrets
+
+package dockerfile2llb
+
+import (
+	"github.com/moby/buildkit/client/llb"
+	"github.com/moby/buildkit/frontend/dockerfile/instructions"
+	"github.com/pkg/errors"
+)
+
+func dispatchSecret(m *instructions.Mount) (llb.RunOption, error) {
+	return nil, errors.Errorf("secret mounts not allowed")
+}

frontend/dockerfile/dockerfile2llb/convert_runmount.go

@@ -57,6 +57,14 @@ func dispatchRunMounts(d *dispatchState, c *instructions.RunCommand, sources []*
 			st = llb.Scratch()
 			mountOpts = append(mountOpts, llb.Tmpfs())
 		}
+		if mount.Type == instructions.MountTypeSecret {
+			secret, err := dispatchSecret(mount)
+			if err != nil {
+				return nil, err
+			}
+			out = append(out, secret)
+			continue
+		}
 		if mount.ReadOnly {
 			mountOpts = append(mountOpts, llb.Readonly)
 		}

frontend/dockerfile/dockerfile2llb/convert_secrets.go

@@ -0,0 +1,32 @@
+// +build dfsecrets dfextall
+
+package dockerfile2llb
+
+import (
+	"path"
+
+	"github.com/moby/buildkit/client/llb"
+	"github.com/moby/buildkit/frontend/dockerfile/instructions"
+	"github.com/pkg/errors"
+)
+
+func dispatchSecret(m *instructions.Mount) (llb.RunOption, error) {
+	id := m.CacheID
+	if m.Source != "" {
+		id = m.Source
+	}
+
+	if id == "" {
+		if m.Target == "" {
+			return nil, errors.Errorf("one of source, target required")
+		}
+		id = path.Base(m.Target)
+	}
+
+	target := m.Target
+	if target == "" {
+		target = "/run/secrets/" + path.Base(id)
+	}
+
+	return llb.AddSecret(target, llb.SecretID(id)), nil
+}

frontend/dockerfile/instructions/commands_nosecrets.go

@@ -0,0 +1,7 @@
+// +build !dfsecrets
+
+package instructions
+
+func isSecretMountsSupported() bool {
+	return false
+}

frontend/dockerfile/instructions/commands_runmount.go

@@ -13,11 +13,13 @@ import (
 const MountTypeBind = "bind"
 const MountTypeCache = "cache"
 const MountTypeTmpfs = "tmpfs"
+const MountTypeSecret = "secret"
 
 var allowedMountTypes = map[string]struct{}{
-	MountTypeBind:  {},
-	MountTypeCache: {},
-	MountTypeTmpfs: {},
+	MountTypeBind:   {},
+	MountTypeCache:  {},
+	MountTypeTmpfs:  {},
+	MountTypeSecret: {},
 }
 
 const MountSharingShared = "shared"
@@ -40,6 +42,11 @@ func init() {
 }
 
 func isValidMountType(s string) bool {
+	if s == "secret" {
+		if !isSecretMountsSupported() {
+			return false
+		}
+	}
 	_, ok := allowedMountTypes[s]
 	return ok
 }
@@ -177,5 +184,20 @@ func parseMount(value string) (*Mount, error) {
 		return nil, errors.Errorf("invalid cache sharing set for %v mount", m.Type)
 	}
 
+	if m.Type == MountTypeSecret {
+		if m.From != "" {
+			return nil, errors.Errorf("secret mount should not have a from")
+		}
+		if m.CacheSharing != "" {
+			return nil, errors.Errorf("secret mount should not define sharing")
+		}
+		if m.Source == "" && m.Target == "" && m.CacheID == "" {
+			return nil, errors.Errorf("invalid secret mount. one of source, target required")
+		}
+		if m.Source != "" && m.CacheID != "" {
+			return nil, errors.Errorf("both source and id can't be set")
+		}
+	}
+
 	return m, nil
 }

frontend/dockerfile/instructions/commands_secrets.go

@@ -0,0 +1,7 @@
+// +build dfsecrets dfextall
+
+package instructions
+
+func isSecretMountsSupported() bool {
+	return true
+}