Merge pull request docker#9615 from glours/use-env-secret-on-build

add support of environment secret during build step

Author: glours

pkg/compose/build.go

@@ -256,23 +256,11 @@ func (s *composeService) toBuildOptions(project *types.Project, service types.Se
 	}
 
 	if len(service.Build.Secrets) > 0 {
-		var sources []secretsprovider.Source
-		for _, secret := range service.Build.Secrets {
-			config := project.Secrets[secret.Source]
-			if config.File == "" {
-				return build.Options{}, fmt.Errorf("build.secrets only supports file-based secrets: %q", secret.Source)
-			}
-			sources = append(sources, secretsprovider.Source{
-				ID:       secret.Source,
-				FilePath: config.File,
-			})
-		}
-		store, err := secretsprovider.NewStore(sources)
+		secretsProvider, err := addSecretsConfig(project, service, sessionConfig)
 		if err != nil {
 			return build.Options{}, err
 		}
-		p := secretsprovider.NewSecretProvider(store)
-		sessionConfig = append(sessionConfig, p)
+		sessionConfig = append(sessionConfig, secretsProvider)
 	}
 
 	if len(service.Build.Tags) > 0 {
@@ -341,3 +329,30 @@ func sshAgentProvider(sshKeys types.SSHConfig) (session.Attachable, error) {
 	}
 	return sshprovider.NewSSHAgentProvider(sshConfig)
 }
+
+func addSecretsConfig(project *types.Project, service types.ServiceConfig, sessionConfig []session.Attachable) (session.Attachable, error) {
+
+	var sources []secretsprovider.Source
+	for _, secret := range service.Build.Secrets {
+		config := project.Secrets[secret.Source]
+		switch {
+		case config.File != "":
+			sources = append(sources, secretsprovider.Source{
+				ID:       secret.Source,
+				FilePath: config.File,
+			})
+		case config.Environment != "":
+			sources = append(sources, secretsprovider.Source{
+				ID:  secret.Source,
+				Env: config.Environment,
+			})
+		default:
+			return nil, fmt.Errorf("build.secrets only supports environment or file-based secrets: %q", secret.Source)
+		}
+	}
+	store, err := secretsprovider.NewStore(sources)
+	if err != nil {
+		return nil, err
+	}
+	return secretsprovider.NewSecretProvider(store), nil
+}

pkg/e2e/build_test.go

@@ -176,7 +176,12 @@ func TestBuildSecrets(t *testing.T) {
 		// ensure local test run does not reuse previously build image
 		c.RunDockerOrExitError(t, "rmi", "build-test-secret")
 
-		res := c.RunDockerComposeCmd(t, "--project-directory", "fixtures/build-test/secrets", "build")
+		cmd := c.NewDockerComposeCmd(t, "--project-directory", "fixtures/build-test/secrets", "build")
+
+		res := icmd.RunCmd(cmd, func(cmd *icmd.Cmd) {
+			cmd.Env = append(cmd.Env, "SOME_SECRET=bar")
+		})
+
 		res.Assert(t, icmd.Success)
 	})
 }

pkg/e2e/fixtures/build-test/secrets/Dockerfile

@@ -20,3 +20,7 @@ FROM alpine
 RUN echo "foo" > /tmp/expected
 RUN --mount=type=secret,id=mysecret cat /run/secrets/mysecret > /tmp/actual
 RUN diff /tmp/expected /tmp/actual
+
+RUN echo "bar" > /tmp/expected
+RUN --mount=type=secret,id=envsecret cat /run/secrets/envsecret > tmp/actual
+RUN diff --ignore-all-space /tmp/expected /tmp/actual

pkg/e2e/fixtures/build-test/secrets/compose.yml

@@ -5,7 +5,10 @@ services:
       context: .
       secrets:
         - mysecret
+        - envsecret
 
 secrets:
   mysecret:
     file: ./secret.txt
+  envsecret:
+    environment: SOME_SECRET