resolve secrets based on env var before executing bake

Signed-off-by: Nicolas De Loof <nicolas.deloof@gmail.com>
2025-09-23 17:57:49 +02:00 · 2025-09-22 10:31:34 +02:00 · 2025-09-22 10:31:34 +02:00 · 2ca7b96e33
commit 2ca7b96e33
parent a32dc3da72
4 changed files with 34 additions and 4 deletions
--- a/pkg/compose/build_bake.go
+++ b/pkg/compose/build_bake.go
@ -176,6 +176,18 @@ func (s *composeService) doBuildBake(ctx context.Context, project *types.Project
 		}
 	}
 	// tmpSecrets stores secret set by environment variables, so we don't have to "pollute" bake process's environment
 	tmpSecrets, err := os.MkdirTemp("", "secrets")
 	if err != nil {
 		return nil, err
 	}
 	defer func() {
 		rerr := os.RemoveAll(tmpSecrets)
 		if rerr != nil {
 			logrus.Warnf("Failed to removed temporary secrets directory %s: %s", tmpSecrets, rerr.Error())
 		}
 	}()
 	for serviceName, service := range project.Services {
 		if service.Build == nil {
 			continue
@ -231,6 +243,11 @@ func (s *composeService) doBuildBake(ctx context.Context, project *types.Project
 		noCache := service.Build.NoCache || options.NoCache
 		target := targets[serviceName]
 		secrets, err := toBakeSecrets(project, build.Secrets, tmpSecrets)
 		if err != nil {
 			return nil, err
 		}
 		cfg.Targets[target] = bakeTarget{
 			Context:          build.Context,
 			Contexts:         additionalContexts(build.AdditionalContexts, targets),
@ -245,7 +262,7 @@ func (s *composeService) doBuildBake(ctx context.Context, project *types.Project
 			NetworkMode:  build.Network,
 			Platforms:    build.Platforms,
 			Target:       build.Target,
-			Secrets:      toBakeSecrets(project, build.Secrets),
+			Secrets:      secrets,
 			SSH:          toBakeSSH(append(build.SSH, options.SSHs...)),
 			Pull:         pull,
 			NoCache:      noCache,
@ -454,7 +471,7 @@ func toBakeSSH(ssh types.SSHConfig) []string {
 	return s
 }
-func toBakeSecrets(project *types.Project, secrets []types.ServiceSecretConfig) []string {
+func toBakeSecrets(project *types.Project, secrets []types.ServiceSecretConfig, tmpSecrets string) ([]string, error) {
 	var s []string
 	for _, ref := range secrets {
 		def := project.Secrets[ref.Source]
@ -464,12 +481,17 @@ func toBakeSecrets(project *types.Project, secrets []types.ServiceSecretConfig)
 		}
 		switch {
 		case def.Environment != "":
-			s = append(s, fmt.Sprintf("id=%s,type=env,env=%s", target, def.Environment))
+			sf := filepath.Join(tmpSecrets, def.Environment)
 			err := os.WriteFile(sf, []byte(project.Environment[def.Environment]), 0o600)
 			if err != nil {
 				return nil, err
 			}
 			s = append(s, fmt.Sprintf("id=%s,type=file,src=%s", target, sf))
 		case def.File != "":
 			s = append(s, fmt.Sprintf("id=%s,type=file,src=%s", target, def.File))
 		}
 	}
-	return s
+	return s, nil
 }
 func toBakeAttest(build types.BuildConfig) []string {
--- a/pkg/e2e/fixtures/build-test/secrets/.env
+++ b/pkg/e2e/fixtures/build-test/secrets/.env
@ -0,0 +1 @@
 ANOTHER_SECRET=zot
--- a/pkg/e2e/fixtures/build-test/secrets/Dockerfile
+++ b/pkg/e2e/fixtures/build-test/secrets/Dockerfile
@ -24,3 +24,7 @@ RUN diff /tmp/expected /tmp/actual
 RUN echo "bar" > /tmp/expected
 RUN --mount=type=secret,id=build_secret cat /run/secrets/build_secret > tmp/actual
 RUN diff --ignore-all-space /tmp/expected /tmp/actual
 RUN echo "zot" > /tmp/expected
 RUN --mount=type=secret,id=dotenvsecret cat /run/secrets/dotenvsecret > tmp/actual
 RUN diff --ignore-all-space /tmp/expected /tmp/actual
--- a/pkg/e2e/fixtures/build-test/secrets/compose.yml
+++ b/pkg/e2e/fixtures/build-test/secrets/compose.yml
@ -5,6 +5,7 @@ services:
      context: .
      secrets:
        - mysecret
        - dotenvsecret
        - source: envsecret
          target: build_secret
@ -13,3 +14,5 @@ secrets:
    file: ./secret.txt
  envsecret:
    environment: SOME_SECRET
  dotenvsecret:
    environment: ANOTHER_SECRET