Merge pull request #567 from tonistiigi/dockerfile-secrets
dockerfile: implement secret type mountsdocker-18.09
commit
a6e6f3fd09
|
@ -0,0 +1,13 @@
|
|||
// +build dfrunmount,!dfsecrets
|
||||
|
||||
package dockerfile2llb
|
||||
|
||||
import (
|
||||
"github.com/moby/buildkit/client/llb"
|
||||
"github.com/moby/buildkit/frontend/dockerfile/instructions"
|
||||
"github.com/pkg/errors"
|
||||
)
|
||||
|
||||
func dispatchSecret(m *instructions.Mount) (llb.RunOption, error) {
|
||||
return nil, errors.Errorf("secret mounts not allowed")
|
||||
}
|
|
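Review bot: The build constraint on this stub, `dfrunmount,!dfsecrets`, is not mutually exclusive with the `dfsecrets dfextall` constraint on the real implementation later in this commit. A build with `dfrunmount` and `dfextall` but without `dfsecrets` selects both files, so `dispatchSecret` is declared twice. The same overlap exists between the `!dfsecrets` and `dfsecrets dfextall` files that define `isSecretMountsSupported` in package instructions, where `-tags dfextall` alone selects both. Because these tags gate the secret-mount feature, the negative side should exclude both: `// +build dfrunmount,!dfsecrets,!dfextall` here and `// +build !dfsecrets,!dfextall` on the instructions stub. A doc comment on the stub naming the tags that enable the feature would also help anyone who hits the `secret mounts not allowed` error.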
@ -57,6 +57,14 @@ func dispatchRunMounts(d *dispatchState, c *instructions.RunCommand, sources []*
|
|||
st = llb.Scratch()
|
||||
mountOpts = append(mountOpts, llb.Tmpfs())
|
||||
}
|
||||
if mount.Type == instructions.MountTypeSecret {
|
||||
secret, err := dispatchSecret(mount)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
out = append(out, secret)
|
||||
continue
|
||||
}
|
||||
if mount.ReadOnly {
|
||||
mountOpts = append(mountOpts, llb.Readonly)
|
||||
}
|
||||
|
|
|
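Review bot: The `continue` in the new secret branch leaves the loop iteration before the `mount.ReadOnly` check below it, so, as far as this hunk shows, options other than id/source/target on a secret mount are accepted and then dropped without a diagnostic. If that is intended, say so with a comment above the branch, e.g. `// secret mounts are built entirely by dispatchSecret; remaining mount options do not apply`. Otherwise parseMount is the place to reject them. dispatchRunMounts starts and ends outside this hunk, so how `out` and `mountOpts` are used afterwards is not visible here.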
@ -0,0 +1,32 @@
|
|||
// +build dfsecrets dfextall
|
||||
|
||||
package dockerfile2llb
|
||||
|
||||
import (
|
||||
"path"
|
||||
|
||||
"github.com/moby/buildkit/client/llb"
|
||||
"github.com/moby/buildkit/frontend/dockerfile/instructions"
|
||||
"github.com/pkg/errors"
|
||||
)
|
||||
|
||||
func dispatchSecret(m *instructions.Mount) (llb.RunOption, error) {
|
||||
id := m.CacheID
|
||||
if m.Source != "" {
|
||||
id = m.Source
|
||||
}
|
||||
|
||||
if id == "" {
|
||||
if m.Target == "" {
|
||||
return nil, errors.Errorf("one of source, target required")
|
||||
}
|
||||
id = path.Base(m.Target)
|
||||
}
|
||||
|
||||
target := m.Target
|
||||
if target == "" {
|
||||
target = "/run/secrets/" + path.Base(id)
|
||||
}
|
||||
|
||||
return llb.AddSecret(target, llb.SecretID(id)), nil
|
||||
}
|
|
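Review bot: The default target `"/run/secrets/" + path.Base(id)` is not checked for degenerate base names. `path.Base` returns `..` for an id ending in `..` and `/` for an id of `/`, so the secret would be mounted at a path that resolves outside or onto `/run/secrets` rather than at a file inside it. The id comes from the Dockerfile, so this is a validation gap rather than a trust-boundary crossing, but rejecting it early gives a clearer error than a failed mount: `if b := path.Base(id); b == "." || b == ".." || b == "/" { return nil, errors.Errorf("invalid secret id %q", id) }` before computing `target`. The function also has no doc comment; one stating the precedence (source over id, then the base name of target) and the default location would document the contract.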
@ -0,0 +1,7 @@
|
|||
// +build !dfsecrets
|
||||
|
||||
package instructions
|
||||
|
||||
func isSecretMountsSupported() bool {
|
||||
return false
|
||||
}
|
|
@ -13,11 +13,13 @@ import (
|
|||
const MountTypeBind = "bind"
|
||||
const MountTypeCache = "cache"
|
||||
const MountTypeTmpfs = "tmpfs"
|
||||
const MountTypeSecret = "secret"
|
||||
|
||||
var allowedMountTypes = map[string]struct{}{
|
||||
MountTypeBind: {},
|
||||
MountTypeCache: {},
|
||||
MountTypeTmpfs: {},
|
||||
MountTypeSecret: {},
|
||||
}
|
||||
|
||||
const MountSharingShared = "shared"
|
||||
|
@ -40,6 +42,11 @@ func init() {
|
|||
}
|
||||
|
||||
func isValidMountType(s string) bool {
|
||||
if s == "secret" {
|
||||
if !isSecretMountsSupported() {
|
||||
return false
|
||||
}
|
||||
}
|
||||
_, ok := allowedMountTypes[s]
|
||||
return ok
|
||||
}
|
||||
|
@ -177,5 +184,20 @@ func parseMount(value string) (*Mount, error) {
|
|||
return nil, errors.Errorf("invalid cache sharing set for %v mount", m.Type)
|
||||
}
|
||||
|
||||
if m.Type == MountTypeSecret {
|
||||
if m.From != "" {
|
||||
return nil, errors.Errorf("secret mount should not have a from")
|
||||
}
|
||||
if m.CacheSharing != "" {
|
||||
return nil, errors.Errorf("secret mount should not define sharing")
|
||||
}
|
||||
if m.Source == "" && m.Target == "" && m.CacheID == "" {
|
||||
return nil, errors.Errorf("invalid secret mount. one of source, target required")
|
||||
}
|
||||
if m.Source != "" && m.CacheID != "" {
|
||||
return nil, errors.Errorf("both source and id can't be set")
|
||||
}
|
||||
}
|
||||
|
||||
return m, nil
|
||||
}
|
||||
|
|
|
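Review bot: The error text in the new parseMount block, `invalid secret mount. one of source, target required`, does not match its condition, which also accepts `m.CacheID` (called `id` in the message of the next check). A user who supplied none of the three is told about only two. Suggest `errors.Errorf("invalid secret mount: one of id, source, target required")`. In the isValidMountType hunk of the same file, the literal `"secret"` could be `MountTypeSecret`, which this commit introduces. parseMount begins outside the hunk.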
@ -0,0 +1,7 @@
|
|||
// +build dfsecrets dfextall
|
||||
|
||||
package instructions
|
||||
|
||||
func isSecretMountsSupported() bool {
|
||||
return true
|
||||
}
|