Support Secrets in Build

[starpebble]

Issue:
Support docker secret, in concourse jobs that build docker images.

Reference:

docker build has a --secret command line argument. It's different than --build-arg
https://docs.docker.com/engine/reference/commandline/build/

Expected result:
A concourse job can pass a map of secrets to the a job. Just like build-args.

Motivation:
Secrets will not show up in docker inspect. build-args will show up in docker inspect. secrets are safe for passwords. build-args are not safe for passwords.

Concourse credential protected values must be valid values for a secret. Then everything is safe.

docker build --secret is supported in: Docker API 1.39+

Example:

build_args:
  DO_THING: true
  HOW_MANY_THINGS: 2
  EMAIL: me@yopmail.com
  CI_BUILD_ID: concourse-$BUILD_ID
secrets:
  PASSWORD: {{secret_password}}

[stec00]

Does anyone know if there is a workaround for this (before this issue is addressed) or is it currently not possible to supply a secret?

[xtremerui]

there is no way to supply a secret now. PR is welcome as docker_buildkit is already an option.

[JasonDictos]

Bump!

[JasonDictos]

Related: #331

[JasonDictos]

I am working on a fix here: #363

[mamachanko]

I understand this is done as of #366.

However, I can't quite figure our how to use it. Say I've got access to ((super-token)) through my vars. How would I provide that to the build of an image through secrets:? It's probably obvious but I fail to connect the dots.

[markrmullan]

I understand this is done as of #366.

However, I can't quite figure our how to use it. Say I've got access to ((super-token)) through my vars. How would I provide that to the build of an image through secrets:? It's probably obvious but I fail to connect the dots.

+1 — I've been trying various combinations of:

secrets:
  <KEY>: ((secret-value))

secrets:
  <ID>:
    <KEY>: ((secret-value))

secrets:
  <ID>:
    <KEY>: ENV_VAR_NAME

and nothing seems to work, despite trying to fit these into what it seems like that structure expects. Any guidance on how secrets: are meant to work with Credential Management?

[xtremerui]

Hi, dynamic vars are not supported in put steps. The only way is through a load_var step, where you load docker secrets from a file first. It will then available to the put step.