summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--pkg/api/handlers/compat/images_build.go23
-rw-r--r--pkg/bindings/images/build.go61
-rw-r--r--test/e2e/build/Dockerfile.with-multiple-secret3
-rw-r--r--test/e2e/build/Dockerfile.with-secret2
-rw-r--r--test/e2e/build/anothersecret.txt1
-rw-r--r--test/e2e/build/secret.txt1
-rw-r--r--test/e2e/build_test.go23
7 files changed, 106 insertions, 8 deletions
diff --git a/pkg/api/handlers/compat/images_build.go b/pkg/api/handlers/compat/images_build.go
index 18f9dc98b..200d72192 100644
--- a/pkg/api/handlers/compat/images_build.go
+++ b/pkg/api/handlers/compat/images_build.go
@@ -247,7 +247,28 @@ func BuildImage(w http.ResponseWriter, r *http.Request) {
utils.BadRequest(w, "secrets", query.Secrets, err)
return
}
- secrets = m
+
+ // for podman-remote all secrets must be picked from context director
+ // hence modify src so contextdir is added as prefix
+
+ for _, secret := range m {
+ secretOpt := strings.Split(secret, ",")
+ if len(secretOpt) > 0 {
+ modifiedOpt := []string{}
+ for _, token := range secretOpt {
+ arr := strings.SplitN(token, "=", 2)
+ if len(arr) > 1 {
+ if arr[0] == "src" {
+ modifiedSrc := fmt.Sprintf("src=%s", filepath.Join(contextDirectory, arr[1]))
+ modifiedOpt = append(modifiedOpt, modifiedSrc)
+ } else {
+ modifiedOpt = append(modifiedOpt, token)
+ }
+ }
+ }
+ secrets = append(secrets, strings.Join(modifiedOpt[:], ","))
+ }
+ }
}
var output string
diff --git a/pkg/bindings/images/build.go b/pkg/bindings/images/build.go
index 9c2e3e6b2..25770fdfc 100644
--- a/pkg/bindings/images/build.go
+++ b/pkg/bindings/images/build.go
@@ -5,6 +5,7 @@ import (
"compress/gzip"
"context"
"encoding/json"
+ "fmt"
"io"
"io/ioutil"
"net/http"
@@ -116,13 +117,6 @@ func Build(ctx context.Context, containerFiles []string, options entities.BuildO
}
params.Add("dnsservers", c)
}
- if secrets := options.CommonBuildOpts.Secrets; len(secrets) > 0 {
- c, err := jsoniter.MarshalToString(secrets)
- if err != nil {
- return nil, err
- }
- params.Add("secrets", c)
- }
if dnsoptions := options.CommonBuildOpts.DNSOptions; len(dnsoptions) > 0 {
c, err := jsoniter.MarshalToString(dnsoptions)
if err != nil {
@@ -384,6 +378,59 @@ func Build(ctx context.Context, containerFiles []string, options entities.BuildO
}
params.Set("dockerfile", string(cFileJSON))
}
+
+ // build secrets are usually absolute host path or relative to context dir on host
+ // in any case move secret to current context and ship the tar.
+ if secrets := options.CommonBuildOpts.Secrets; len(secrets) > 0 {
+ secretsForRemote := []string{}
+
+ for _, secret := range secrets {
+ secretOpt := strings.Split(secret, ",")
+ if len(secretOpt) > 0 {
+ modifiedOpt := []string{}
+ for _, token := range secretOpt {
+ arr := strings.SplitN(token, "=", 2)
+ if len(arr) > 1 {
+ if arr[0] == "src" {
+ // read specified secret into a tmp file
+ // move tmp file to tar and change secret source to relative tmp file
+ tmpSecretFile, err := ioutil.TempFile(options.ContextDirectory, "podman-build-secret")
+ if err != nil {
+ return nil, err
+ }
+ defer os.Remove(tmpSecretFile.Name()) // clean up
+ defer tmpSecretFile.Close()
+ srcSecretFile, err := os.Open(arr[1])
+ if err != nil {
+ return nil, err
+ }
+ defer srcSecretFile.Close()
+ _, err = io.Copy(tmpSecretFile, srcSecretFile)
+ if err != nil {
+ return nil, err
+ }
+
+ //add tmp file to context dir
+ tarContent = append(tarContent, tmpSecretFile.Name())
+
+ modifiedSrc := fmt.Sprintf("src=%s", filepath.Base(tmpSecretFile.Name()))
+ modifiedOpt = append(modifiedOpt, modifiedSrc)
+ } else {
+ modifiedOpt = append(modifiedOpt, token)
+ }
+ }
+ }
+ secretsForRemote = append(secretsForRemote, strings.Join(modifiedOpt[:], ","))
+ }
+ }
+
+ c, err := jsoniter.MarshalToString(secretsForRemote)
+ if err != nil {
+ return nil, err
+ }
+ params.Add("secrets", c)
+ }
+
tarfile, err := nTar(append(excludes, dontexcludes...), tarContent...)
if err != nil {
logrus.Errorf("Cannot tar container entries %v error: %v", tarContent, err)
diff --git a/test/e2e/build/Dockerfile.with-multiple-secret b/test/e2e/build/Dockerfile.with-multiple-secret
new file mode 100644
index 000000000..f3478914f
--- /dev/null
+++ b/test/e2e/build/Dockerfile.with-multiple-secret
@@ -0,0 +1,3 @@
+FROM alpine
+RUN --mount=type=secret,id=mysecret cat /run/secrets/mysecret
+RUN --mount=type=secret,id=mysecret2 cat /run/secrets/mysecret2
diff --git a/test/e2e/build/Dockerfile.with-secret b/test/e2e/build/Dockerfile.with-secret
new file mode 100644
index 000000000..920663a92
--- /dev/null
+++ b/test/e2e/build/Dockerfile.with-secret
@@ -0,0 +1,2 @@
+FROM alpine
+RUN --mount=type=secret,id=mysecret cat /run/secrets/mysecret
diff --git a/test/e2e/build/anothersecret.txt b/test/e2e/build/anothersecret.txt
new file mode 100644
index 000000000..bc5fdbd32
--- /dev/null
+++ b/test/e2e/build/anothersecret.txt
@@ -0,0 +1 @@
+anothersecret
diff --git a/test/e2e/build/secret.txt b/test/e2e/build/secret.txt
new file mode 100644
index 000000000..d9106c0af
--- /dev/null
+++ b/test/e2e/build/secret.txt
@@ -0,0 +1 @@
+somesecret
diff --git a/test/e2e/build_test.go b/test/e2e/build_test.go
index 420ed929f..ad401ca83 100644
--- a/test/e2e/build_test.go
+++ b/test/e2e/build_test.go
@@ -59,6 +59,29 @@ var _ = Describe("Podman build", func() {
Expect(session).Should(Exit(0))
})
+ It("podman build with a secret from file", func() {
+ session := podmanTest.Podman([]string{"build", "-f", "build/Dockerfile.with-secret", "-t", "secret-test", "--secret", "id=mysecret,src=build/secret.txt", "build/"})
+ session.WaitWithDefaultTimeout()
+ Expect(session).Should(Exit(0))
+ Expect(session.OutputToString()).To(ContainSubstring("somesecret"))
+
+ session = podmanTest.Podman([]string{"rmi", "secret-test"})
+ session.WaitWithDefaultTimeout()
+ Expect(session).Should(Exit(0))
+ })
+
+ It("podman build with multiple secrets from files", func() {
+ session := podmanTest.Podman([]string{"build", "-f", "build/Dockerfile.with-multiple-secret", "-t", "multiple-secret-test", "--secret", "id=mysecret,src=build/secret.txt", "--secret", "id=mysecret2,src=build/anothersecret.txt", "build/"})
+ session.WaitWithDefaultTimeout()
+ Expect(session).Should(Exit(0))
+ Expect(session.OutputToString()).To(ContainSubstring("somesecret"))
+ Expect(session.OutputToString()).To(ContainSubstring("anothersecret"))
+
+ session = podmanTest.Podman([]string{"rmi", "multiple-secret-test"})
+ session.WaitWithDefaultTimeout()
+ Expect(session).Should(Exit(0))
+ })
+
It("podman build with logfile", func() {
logfile := filepath.Join(podmanTest.TempDir, "logfile")
session := podmanTest.Podman([]string{"build", "--pull-never", "--tag", "test", "--logfile", logfile, "build/basicalpine"})
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2024-12-28 17:15:50 +0000