Merge pull request moby#3561 from coryb/issue-3521

do not mount secrets that are optional and missing from solve opts

Author: tonistiigi

client/client_test.go

@@ -1139,9 +1139,9 @@ func testSecretMounts(t *testing.T, sb integration.Sandbox) {
 	}, nil)
 	require.NoError(t, err)
 
-	// test optional
+	// test optional, mount should not exist when secret not present in SolveOpt
 	st = llb.Image("busybox:latest").
-		Run(llb.Shlex(`echo secret2`), llb.AddSecret("/run/secrets/mysecret2", llb.SecretOptional))
+		Run(llb.Shlex(`test ! -f /run/secrets/mysecret2`), llb.AddSecret("/run/secrets/mysecret2", llb.SecretOptional))
 
 	def, err = st.Marshal(sb.Context())
 	require.NoError(t, err)
@@ -1178,6 +1178,20 @@ func testSecretMounts(t *testing.T, sb integration.Sandbox) {
 		})},
 	}, nil)
 	require.NoError(t, err)
+
+	// test empty cert still creates secret file
+	st = llb.Image("busybox:latest").
+		Run(llb.Shlex(`test -f /run/secrets/mysecret5`), llb.AddSecret("/run/secrets/mysecret5", llb.SecretID("mysecret")))
+
+	def, err = st.Marshal(sb.Context())
+	require.NoError(t, err)
+
+	_, err = c.Solve(sb.Context(), def, SolveOpt{
+		Session: []session.Attachable{secretsprovider.FromMap(map[string][]byte{
+			"mysecret": []byte(""),
+		})},
+	}, nil)
+	require.NoError(t, err)
 }
 
 func testSecretEnv(t *testing.T, sb integration.Sandbox) {

solver/llbsolver/mounts/mount.go

@@ -251,14 +251,14 @@ func (mm *MountManager) getSecretMountable(ctx context.Context, m *pb.Mount, g s
 	err = mm.sm.Any(ctx, g, func(ctx context.Context, _ string, caller session.Caller) error {
 		dt, err = secrets.GetSecret(ctx, caller, id)
 		if err != nil {
-			if errors.Is(err, secrets.ErrNotFound) && m.SecretOpt.Optional {
-				return nil
-			}
 			return err
 		}
 		return nil
 	})
 	if err != nil {
+		if errors.Is(err, secrets.ErrNotFound) && m.SecretOpt.Optional {
+			return nil, nil
+		}
 		return nil, err
 	}
 	return &secretMount{mount: m, data: dt, idmap: mm.cm.IdentityMapping()}, nil