From 1e9cf1dff0f1af42607d9521941e08ed07f83316 Mon Sep 17 00:00:00 2001 From: wiehe <28457227+wiehe@users.noreply.github.com> Date: Wed, 20 Sep 2023 11:29:36 +0200 Subject: [PATCH] Pass file secrets to "podman build" via parameter "--secret" to make them available for "RUN --mount=type=secret" statements inside the Dockerfile. Keep using --volume to pass file secrets to "podman run". Signed-off-by: wiehe <28457227+wiehe@users.noreply.github.com> --- podman_compose.py | 41 ++++++--- tests/build_secrets/Dockerfile | 9 ++ tests/build_secrets/docker-compose.yaml | 22 +++++ .../build_secrets/docker-compose.yaml.invalid | 18 ++++ tests/build_secrets/my_secret | 1 + tests/test_podman_compose_build_secrets.py | 90 +++++++++++++++++++ 6 files changed, 171 insertions(+), 10 deletions(-) create mode 100644 tests/build_secrets/Dockerfile create mode 100644 tests/build_secrets/docker-compose.yaml create mode 100644 tests/build_secrets/docker-compose.yaml.invalid create mode 100644 tests/build_secrets/my_secret create mode 100644 tests/test_podman_compose_build_secrets.py diff --git a/podman_compose.py b/podman_compose.py index 52434ff..ed61c35 100755 --- a/podman_compose.py +++ b/podman_compose.py @@ -527,7 +527,11 @@ async def get_mount_args(compose, cnt, volume): return ["--mount", args] -def get_secret_args(compose, cnt, secret): +def get_secret_args(compose, cnt, secret, podman_is_building=False): + """ + podman_is_building: True if we are preparing arguments for an invocation of "podman build" + False if we are preparing for something else like "podman run" + """ secret_name = secret if is_str(secret) else secret.get("source", None) if not secret_name or secret_name not in compose.declared_secrets.keys(): raise ValueError(f'ERROR: undeclared secret: "{secret}", service: {cnt["_service"]}') @@ -543,16 +547,33 @@ def get_secret_args(compose, cnt, secret): mode = None if is_str(secret) else secret.get("mode", None) if source_file: - if not target: - dest_file = f"/run/secrets/{secret_name}" - elif not target.startswith("/"): - sec = target if target else secret_name - dest_file = f"/run/secrets/{sec}" - else: - dest_file = target + # assemble path for source file first, because we need it for all cases basedir = compose.dirname source_file = os.path.realpath(os.path.join(basedir, os.path.expanduser(source_file))) - volume_ref = ["--volume", f"{source_file}:{dest_file}:ro,rprivate,rbind"] + + if podman_is_building: + # pass file secrets to "podman build" with param --secret + if not target: + secret_id = secret_name + elif "/" in target: + raise ValueError( + f'ERROR: Build secret "{secret_name}" has invalid target "{target}". ' + + "(Expected plain filename without directory as target.)" + ) + else: + secret_id = target + volume_ref = ["--secret", f"id={secret_id},src={source_file}"] + else: + # pass file secrets to "podman run" as volumes + if not target: + dest_file = f"/run/secrets/{secret_name}" + elif not target.startswith("/"): + sec = target if target else secret_name + dest_file = f"/run/secrets/{sec}" + else: + dest_file = target + volume_ref = ["--volume", f"{source_file}:{dest_file}:ro,rprivate,rbind"] + if uid or gid or mode: sec = target if target else secret_name log.warning( @@ -2140,7 +2161,7 @@ async def build_one(compose, args, cnt): raise OSError("Dockerfile not found in " + ctx) build_args = ["-f", dockerfile, "-t", cnt["image"]] for secret in build_desc.get("secrets", []): - build_args.extend(get_secret_args(compose, cnt, secret)) + build_args.extend(get_secret_args(compose, cnt, secret, podman_is_building=True)) for tag in build_desc.get("tags", []): build_args.extend(["-t", tag]) if "target" in build_desc: diff --git a/tests/build_secrets/Dockerfile b/tests/build_secrets/Dockerfile new file mode 100644 index 0000000..baae1a5 --- /dev/null +++ b/tests/build_secrets/Dockerfile @@ -0,0 +1,9 @@ +FROM busybox + +RUN --mount=type=secret,required=true,id=build_secret \ + ls -l /run/secrets/ && cat /run/secrets/build_secret + +RUN --mount=type=secret,required=true,id=build_secret,target=/tmp/secret \ + ls -l /run/secrets/ /tmp/ && cat /tmp/secret + +CMD [ 'echo', 'nothing here' ] diff --git a/tests/build_secrets/docker-compose.yaml b/tests/build_secrets/docker-compose.yaml new file mode 100644 index 0000000..73ef2a9 --- /dev/null +++ b/tests/build_secrets/docker-compose.yaml @@ -0,0 +1,22 @@ +version: "3.8" + +services: + test: + image: test + secrets: + - run_secret # implicitly mount to /run/secrets/run_secret + - source: run_secret + target: /tmp/run_secret2 # explicit mount point + + build: + context: . + secrets: + - build_secret # can be mounted in Dockerfile with "RUN --mount=type=secret,id=build_secret" + - source: build_secret + target: build_secret2 # rename to build_secret2 + +secrets: + build_secret: + file: ./my_secret + run_secret: + file: ./my_secret diff --git a/tests/build_secrets/docker-compose.yaml.invalid b/tests/build_secrets/docker-compose.yaml.invalid new file mode 100644 index 0000000..c28c2ec --- /dev/null +++ b/tests/build_secrets/docker-compose.yaml.invalid @@ -0,0 +1,18 @@ +version: "3.8" + +services: + test: + image: test + build: + context: . + secrets: + # invalid target argument + # + # According to https://github.com/compose-spec/compose-spec/blob/master/build.md, target is + # supposed to be the "name of a *file* to be mounted in /run/secrets/". Not a path. + - source: build_secret + target: /build_secret + +secrets: + build_secret: + file: ./my_secret diff --git a/tests/build_secrets/my_secret b/tests/build_secrets/my_secret new file mode 100644 index 0000000..235fe34 --- /dev/null +++ b/tests/build_secrets/my_secret @@ -0,0 +1 @@ +important-secret-is-important diff --git a/tests/test_podman_compose_build_secrets.py b/tests/test_podman_compose_build_secrets.py new file mode 100644 index 0000000..df4bc98 --- /dev/null +++ b/tests/test_podman_compose_build_secrets.py @@ -0,0 +1,90 @@ +# SPDX-License-Identifier: GPL-2.0 + + +"""Test how secrets in files are passed to podman.""" + +import os +import subprocess +import unittest + +from .test_podman_compose import podman_compose_path +from .test_podman_compose import test_path + + +def compose_yaml_path(): + """ "Returns the path to the compose file used for this test module""" + return os.path.join(test_path(), "build_secrets") + + +class TestComposeBuildSecrets(unittest.TestCase): + def test_run_secret(self): + """podman run should receive file secrets as --volume + + See build_secrets/docker-compose.yaml for secret names and mount points (aka targets) + + """ + cmd = ( + "coverage", + "run", + podman_compose_path(), + "--dry-run", + "--verbose", + "-f", + os.path.join(compose_yaml_path(), "docker-compose.yaml"), + "run", + "test", + ) + p = subprocess.run( + cmd, stdout=subprocess.PIPE, check=False, stderr=subprocess.STDOUT, text=True + ) + self.assertEqual(p.returncode, 0) + secret_path = os.path.join(compose_yaml_path(), "my_secret") + self.assertIn(f"--volume {secret_path}:/run/secrets/run_secret:ro,rprivate,rbind", p.stdout) + self.assertIn(f"--volume {secret_path}:/tmp/run_secret2:ro,rprivate,rbind", p.stdout) + + def test_build_secret(self): + """podman build should receive secrets as --secret, so that they can be used inside the + Dockerfile in "RUN --mount=type=secret ..." commands. + + """ + cmd = ( + "coverage", + "run", + podman_compose_path(), + "--dry-run", + "--verbose", + "-f", + os.path.join(compose_yaml_path(), "docker-compose.yaml"), + "build", + ) + p = subprocess.run( + cmd, stdout=subprocess.PIPE, check=False, stderr=subprocess.STDOUT, text=True + ) + self.assertEqual(p.returncode, 0) + secret_path = os.path.join(compose_yaml_path(), "my_secret") + self.assertIn(f"--secret id=build_secret,src={secret_path}", p.stdout) + self.assertIn(f"--secret id=build_secret2,src={secret_path}", p.stdout) + + def test_invalid_build_secret(self): + """build secrets in docker-compose file can only have a target argument without directory + component + + """ + cmd = ( + "coverage", + "run", + podman_compose_path(), + "--dry-run", + "--verbose", + "-f", + os.path.join(compose_yaml_path(), "docker-compose.yaml.invalid"), + "build", + ) + p = subprocess.run( + cmd, stdout=subprocess.PIPE, check=False, stderr=subprocess.STDOUT, text=True + ) + self.assertNotEqual(p.returncode, 0) + self.assertIn( + 'ValueError: ERROR: Build secret "build_secret" has invalid target "/build_secret"', + p.stdout, + )