Merge pull request moby#3957 from vito/gw-ctr-secret-env

support passing SecretEnv to gateway containers

Author: tonistiigi

client/build_test.go

@@ -44,6 +44,7 @@ func TestClientGatewayIntegration(t *testing.T) {
 		testClientGatewayContainerPID1Fail,
 		testClientGatewayContainerPID1Exit,
 		testClientGatewayContainerMounts,
+		testClientGatewayContainerSecretEnv,
 		testClientGatewayContainerPID1Tty,
 		testClientGatewayContainerCancelPID1Tty,
 		testClientGatewayContainerExecTty,
@@ -843,6 +844,75 @@ func testClientGatewayContainerMounts(t *testing.T, sb integration.Sandbox) {
 	checkAllReleasable(t, c, sb, true)
 }
 
+func testClientGatewayContainerSecretEnv(t *testing.T, sb integration.Sandbox) {
+	requiresLinux(t)
+
+	ctx := sb.Context()
+
+	c, err := New(ctx, sb.Address())
+	require.NoError(t, err)
+	defer c.Close()
+
+	product := "buildkit_test"
+
+	b := func(ctx context.Context, c client.Client) (*client.Result, error) {
+		mounts := map[string]llb.State{
+			"/": llb.Image("busybox:latest"),
+		}
+
+		var containerMounts []client.Mount
+		for mountpoint, st := range mounts {
+			def, err := st.Marshal(ctx)
+			if err != nil {
+				return nil, errors.Wrap(err, "failed to marshal state")
+			}
+
+			r, err := c.Solve(ctx, client.SolveRequest{
+				Definition: def.ToPB(),
+			})
+			if err != nil {
+				return nil, errors.Wrap(err, "failed to solve")
+			}
+			containerMounts = append(containerMounts, client.Mount{
+				Dest:      mountpoint,
+				MountType: pb.MountType_BIND,
+				Ref:       r.Ref,
+			})
+		}
+
+		ctr, err := c.NewContainer(ctx, client.NewContainerRequest{Mounts: containerMounts})
+		if err != nil {
+			return nil, err
+		}
+
+		pid, err := ctr.Start(ctx, client.StartRequest{
+			Args: []string{"sh", "-c", "test $SOME_SECRET = foo-secret"},
+			SecretEnv: []*pb.SecretEnv{
+				{
+					ID:   "sekrit",
+					Name: "SOME_SECRET",
+				},
+			},
+		})
+		require.NoError(t, err)
+		err = pid.Wait()
+		require.NoError(t, err)
+
+		return &client.Result{}, ctr.Release(ctx)
+	}
+
+	_, err = c.Build(ctx, SolveOpt{
+		Session: []session.Attachable{
+			secretsprovider.FromMap(map[string][]byte{
+				"sekrit": []byte("foo-secret"),
+			}),
+		},
+	}, product, b, nil)
+	require.NoError(t, err)
+
+	checkAllReleasable(t, c, sb, true)
+}
+
 // testClientGatewayContainerPID1Tty is testing that we can get a tty via
 // a container pid1, executor.Run
 func testClientGatewayContainerPID1Tty(t *testing.T, sb integration.Sandbox) {

frontend/gateway/client/client.go

@@ -71,6 +71,7 @@ type Container interface {
 type StartRequest struct {
 	Args           []string
 	Env            []string
+	SecretEnv      []*pb.SecretEnv
 	User           string
 	Cwd            string
 	Tty            bool

frontend/gateway/container.go

@@ -10,6 +10,7 @@ import (
 	"sync"
 	"syscall"
 
+	"github.com/moby/buildkit/session/secrets"
 	"github.com/moby/buildkit/util/bklog"
 
 	"github.com/moby/buildkit/cache"
@@ -18,6 +19,7 @@ import (
 	"github.com/moby/buildkit/session"
 	"github.com/moby/buildkit/snapshot"
 	"github.com/moby/buildkit/solver/llbsolver/mounts"
+	"github.com/moby/buildkit/solver/pb"
 	opspb "github.com/moby/buildkit/solver/pb"
 	"github.com/moby/buildkit/util/stack"
 	utilsystem "github.com/moby/buildkit/util/system"
@@ -61,6 +63,8 @@ func NewContainer(ctx context.Context, w worker.Worker, sm *session.Manager, g s
 		extraHosts: req.ExtraHosts,
 		platform:   platform,
 		executor:   w.Executor(),
+		sm:         sm,
+		group:      g,
 		errGroup:   eg,
 		ctx:        ctx,
 		cancel:     cancel,
@@ -288,6 +292,8 @@ type gatewayContainer struct {
 	rootFS     executor.Mount
 	mounts     []executor.Mount
 	executor   executor.Executor
+	sm         *session.Manager
+	group      session.Group
 	started    bool
 	errGroup   *errgroup.Group
 	mu         sync.Mutex
@@ -296,7 +302,7 @@ type gatewayContainer struct {
 	cancel     func()
 }
 
-func (gwCtr *gatewayContainer) Start(_ context.Context, req client.StartRequest) (client.ContainerProcess, error) {
+func (gwCtr *gatewayContainer) Start(ctx context.Context, req client.StartRequest) (client.ContainerProcess, error) {
 	resize := make(chan executor.WinSize)
 	signal := make(chan syscall.Signal)
 	procInfo := executor.ProcessInfo{
@@ -326,6 +332,12 @@ func (gwCtr *gatewayContainer) Start(_ context.Context, req client.StartRequest)
 		procInfo.Meta.Env = addDefaultEnvvar(procInfo.Meta.Env, "TERM", "xterm")
 	}
 
+	secretEnv, err := gwCtr.loadSecretEnv(ctx, req.SecretEnv)
+	if err != nil {
+		return nil, err
+	}
+	procInfo.Meta.Env = append(procInfo.Meta.Env, secretEnv...)
+
 	// mark that we have started on the first call to execProcess for this
 	// container, so that future calls will call Exec rather than Run
 	gwCtr.mu.Lock()
@@ -365,6 +377,33 @@ func (gwCtr *gatewayContainer) Start(_ context.Context, req client.StartRequest)
 	return gwProc, nil
 }
 
+func (gwCtr *gatewayContainer) loadSecretEnv(ctx context.Context, secretEnv []*pb.SecretEnv) ([]string, error) {
+	out := make([]string, 0, len(secretEnv))
+	for _, sopt := range secretEnv {
+		id := sopt.ID
+		if id == "" {
+			return nil, errors.Errorf("secret ID missing for %q environment variable", sopt.Name)
+		}
+		var dt []byte
+		var err error
+		err = gwCtr.sm.Any(ctx, gwCtr.group, func(ctx context.Context, _ string, caller session.Caller) error {
+			dt, err = secrets.GetSecret(ctx, caller, id)
+			if err != nil {
+				if errors.Is(err, secrets.ErrNotFound) && sopt.Optional {
+					return nil
+				}
+				return err
+			}
+			return nil
+		})
+		if err != nil {
+			return nil, err
+		}
+		out = append(out, fmt.Sprintf("%s=%s", sopt.Name, string(dt)))
+	}
+	return out, nil
+}
+
 func (gwCtr *gatewayContainer) Release(ctx context.Context) error {
 	gwCtr.mu.Lock()
 	defer gwCtr.mu.Unlock()

frontend/gateway/gateway.go

@@ -1300,6 +1300,7 @@ func (lbf *llbBridgeForwarder) ExecProcess(srv pb.LLBBridge_ExecProcessServer) e
 				proc, err := ctr.Start(initCtx, gwclient.StartRequest{
 					Args:                      init.Meta.Args,
 					Env:                       init.Meta.Env,
+					SecretEnv:                 init.Secretenv,
 					User:                      init.Meta.User,
 					Cwd:                       init.Meta.Cwd,
 					Tty:                       init.Tty,

frontend/gateway/grpcclient/client.go

@@ -806,13 +806,15 @@ func (c *grpcClient) NewContainer(ctx context.Context, req client.NewContainerRe
 
 	return &container{
 		client:   c.client,
+		caps:     c.caps,
 		id:       id,
 		execMsgs: c.execMsgs,
 	}, nil
 }
 
 type container struct {
 	client   pb.LLBBridgeClient
+	caps     apicaps.CapSet
 	id       string
 	execMsgs *messageForwarder
 }
@@ -821,6 +823,12 @@ func (ctr *container) Start(ctx context.Context, req client.StartRequest) (clien
 	pid := fmt.Sprintf("%s:%s", ctr.id, identity.NewID())
 	msgs := ctr.execMsgs.Register(pid)
 
+	if len(req.SecretEnv) > 0 {
+		if err := ctr.caps.Supports(pb.CapGatewayExecSecretEnv); err != nil {
+			return nil, err
+		}
+	}
+
 	init := &pb.InitMessage{
 		ContainerID: ctr.id,
 		Meta: &opspb.Meta{
@@ -829,8 +837,9 @@ func (ctr *container) Start(ctx context.Context, req client.StartRequest) (clien
 			Cwd:  req.Cwd,
 			User: req.User,
 		},
-		Tty:      req.Tty,
-		Security: req.SecurityMode,
+		Tty:       req.Tty,
+		Security:  req.SecurityMode,
+		Secretenv: req.SecretEnv,
 	}
 	init.Meta.RemoveMountStubsRecursive = req.RemoveMountStubsRecursive
 	if req.Stdin != nil {

frontend/gateway/pb/caps.go

@@ -44,6 +44,10 @@ const (
 	// /etc/hosts for containers created via gateway exec.
 	CapGatewayExecExtraHosts apicaps.CapID = "gateway.exec.extrahosts"
 
+	// CapGatewayExecExtraHosts is the capability to set secrets as env vars for
+	// containers created via gateway exec.
+	CapGatewayExecSecretEnv apicaps.CapID = "gateway.exec.secretenv"
+
 	// CapGatewayExecExtraHosts is the capability to send signals to a process
 	// created via gateway exec.
 	CapGatewayExecSignals apicaps.CapID = "gateway.exec.signals"
@@ -179,6 +183,13 @@ func init() {
 		Status:  apicaps.CapStatusExperimental,
 	})
 
+	Caps.Init(apicaps.Cap{
+		ID:      CapGatewayExecSecretEnv,
+		Name:    "gateway exec secret env",
+		Enabled: true,
+		Status:  apicaps.CapStatusExperimental,
+	})
+
 	Caps.Init(apicaps.Cap{
 		ID:      CapGatewayExecSignals,
 		Name:    "gateway exec signals",