Implement RUN secrets for buildah bud

define/build.go

@@ -69,6 +69,8 @@ type CommonBuildOptions struct {
 	Ulimit []string
 	// Volumes to bind mount into the container
 	Volumes []string
+	// Secrets are the available secrets to use in a build
+	Secrets []string
 }
 
 // BuildOptions can be used to alter how an image is built.

docs/buildah-bud.md

@@ -465,6 +465,15 @@ consult the manpages of the selected container runtime.
 Note: Do not pass the leading `--` to the flag. To pass the runc flag `--log-format json`
 to buildah bud, the option given would be `--runtime-flag log-format=json`.
 
+**--secret**=**id=id,src=path**
+Pass secret information to be used in the Containerfile for building images
+in a safe way that will not end up stored in the final image, or be seen in other stages.
+The secret will be mounted in the container at the default location of `/run/secrets/id`.
+
+To later use the secret, use the --mount flag in a `RUN` instruction within a `Containerfile`:
+
+`RUN --mount=type=secret,id=mysecret cat /run/secrets/mysecret`
+
 **--security-opt**=[]
 
 Security Options

go.mod

@@ -24,7 +24,7 @@ require (
 	github.com/opencontainers/runtime-spec v1.0.3-0.20200929063507-e6143ca7d51d
 	github.com/opencontainers/runtime-tools v0.9.0
 	github.com/opencontainers/selinux v1.8.0
-	github.com/openshift/imagebuilder v1.2.1
+	github.com/openshift/imagebuilder v1.2.2-0.20210415181909-87f3e48c2656
 	github.com/pkg/errors v0.9.1
 	github.com/seccomp/libseccomp-golang v0.9.2-0.20200616122406-847368b35ebf
 	github.com/sirupsen/logrus v1.8.1

go.sum

@@ -559,8 +559,8 @@ github.com/opencontainers/runtime-tools v0.9.0/go.mod h1:r3f7wjNzSs2extwzU3Y+6pK
 github.com/opencontainers/selinux v1.6.0/go.mod h1:VVGKuOLlE7v4PJyT6h7mNWvq1rzqiriPsEqVhc+svHE=
 github.com/opencontainers/selinux v1.8.0 h1:+77ba4ar4jsCbL1GLbFL8fFM57w6suPfSS9PDLDY7KM=
 github.com/opencontainers/selinux v1.8.0/go.mod h1:RScLhm78qiWa2gbVCcGkC7tCGdgk3ogry1nUQF8Evvo=
-github.com/openshift/imagebuilder v1.2.1 h1:RuusdjNhFRSHXisuEkzdNmn3s+qJby+xfQ+KLtASuTw=
-github.com/openshift/imagebuilder v1.2.1/go.mod h1:9aJRczxCH0mvT6XQ+5STAQaPWz7OsWcU5/mRkt8IWeo=
+github.com/openshift/imagebuilder v1.2.2-0.20210415181909-87f3e48c2656 h1:WaxyNFpmIDu4i6so9r6LVFIbSaXqsj8oitMitt86ae4=
+github.com/openshift/imagebuilder v1.2.2-0.20210415181909-87f3e48c2656/go.mod h1:9aJRczxCH0mvT6XQ+5STAQaPWz7OsWcU5/mRkt8IWeo=
 github.com/ostreedev/ostree-go v0.0.0-20190702140239-759a8c1ac913 h1:TnbXhKzrTOyuvWrjI8W6pcoI9XPbLHFXCdN2dtUw7Rw=
 github.com/ostreedev/ostree-go v0.0.0-20190702140239-759a8c1ac913/go.mod h1:J6OG6YJVEWopen4avK3VNQSnALmmjvniMmni/YFYAwc=
 github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=

imagebuildah/executor.go

@@ -119,6 +119,7 @@ type Executor struct {
 	imageInfoCache                 map[string]imageTypeAndHistoryAndDiffIDs
 	fromOverride                   string
 	manifest                       string
+	secrets                        map[string]string
 }
 
 type imageTypeAndHistoryAndDiffIDs struct {
@@ -166,6 +167,11 @@ func NewExecutor(store storage.Store, options define.BuildOptions, mainNode *par
 		transientMounts = append([]Mount{Mount(mount)}, transientMounts...)
 	}
 
+	secrets, err := parse.Secrets(options.CommonBuildOpts.Secrets)
+	if err != nil {
+		return nil, err
+	}
+
 	jobs := 1
 	if options.Jobs != nil {
 		jobs = *options.Jobs
@@ -236,6 +242,7 @@ func NewExecutor(store storage.Store, options define.BuildOptions, mainNode *par
 		imageInfoCache:                 make(map[string]imageTypeAndHistoryAndDiffIDs),
 		fromOverride:                   options.From,
 		manifest:                       options.Manifest,
+		secrets:                        secrets,
 	}
 	if exec.err == nil {
 		exec.err = os.Stderr

imagebuildah/stage_executor.go

@@ -411,6 +411,8 @@ func (s *StageExecutor) Run(run imagebuilder.Run, config docker.Config) error {
 		Quiet:            s.executor.quiet,
 		NamespaceOptions: s.executor.namespaceOptions,
 		Terminal:         buildah.WithoutTerminal,
+		Secrets:          s.executor.secrets,
+		RunMounts:        run.Mounts,
 	}
 	if config.NetworkDisabled {
 		options.ConfigureNetwork = buildah.NetworkDisabled

pkg/cli/common.go

@@ -75,6 +75,7 @@ type BudResults struct {
 	Rm                  bool
 	Runtime             string
 	RuntimeFlags        []string
+	Secrets             []string
 	SignaturePolicy     string
 	SignBy              string
 	Squash              bool
@@ -207,6 +208,7 @@ func GetBudFlags(flags *BudResults) pflag.FlagSet {
 	fs.BoolVar(&flags.Rm, "rm", true, "Remove intermediate containers after a successful build")
 	// "runtime" definition moved to avoid name collision in podman build.  Defined in cmd/buildah/bud.go.
 	fs.StringSliceVar(&flags.RuntimeFlags, "runtime-flag", []string{}, "add global flags for the container runtime")
+	fs.StringArrayVar(&flags.Secrets, "secret", []string{}, "secret file to expose to the build")
 	fs.StringVar(&flags.SignBy, "sign-by", "", "sign the image using a GPG key with the specified `FINGERPRINT`")
 	fs.StringVar(&flags.SignaturePolicy, "signature-policy", "", "`pathname` of signature policy file (not usually used)")
 	if err := fs.MarkHidden("signature-policy"); err != nil {
@@ -245,6 +247,7 @@ func GetBudFlagsCompletions() commonComp.FlagCompletions {
 	flagCompletion["os"] = commonComp.AutocompleteNone
 	flagCompletion["platform"] = commonComp.AutocompleteNone
 	flagCompletion["runtime-flag"] = commonComp.AutocompleteNone
+	flagCompletion["secret"] = commonComp.AutocompleteNone
 	flagCompletion["sign-by"] = commonComp.AutocompleteNone
 	flagCompletion["signature-policy"] = commonComp.AutocompleteNone
 	flagCompletion["tag"] = commonComp.AutocompleteNone

pkg/parse/parse.go

@@ -125,6 +125,8 @@ func CommonBuildOptions(c *cobra.Command) (*define.CommonBuildOptions, error) {
 		ulimit, _ = c.Flags().GetStringSlice("ulimit")
 	}
 
+	secrets, _ := c.Flags().GetStringArray("secret")
+
 	commonOpts := &define.CommonBuildOptions{
 		AddHost:      addHost,
 		CPUPeriod:    cpuPeriod,
@@ -142,6 +144,7 @@ func CommonBuildOptions(c *cobra.Command) (*define.CommonBuildOptions, error) {
 		ShmSize:      c.Flag("shm-size").Value.String(),
 		Ulimit:       ulimit,
 		Volumes:      volumes,
+		Secrets:      secrets,
 	}
 	securityOpts, _ := c.Flags().GetStringArray("security-opt")
 	if err := parseSecurityOpts(securityOpts, commonOpts); err != nil {
@@ -1051,3 +1054,37 @@ func GetTempDir() string {
 	}
 	return "/var/tmp"
 }
+
+// Secrets parses the --secret flag
+func Secrets(secrets []string) (map[string]string, error) {
+	parsed := make(map[string]string)
+	invalidSyntax := errors.Errorf("incorrect secret flag format: should be --secret id=foo,src=bar")
+	for _, secret := range secrets {
+		split := strings.Split(secret, ",")
+		if len(split) > 2 {
+			return nil, invalidSyntax
+		}
+		if len(split) == 2 {
+			id := strings.Split(split[0], "=")
+			src := strings.Split(split[1], "=")
+			if len(split) == 2 && strings.ToLower(id[0]) == "id" && strings.ToLower(src[0]) == "src" {
+				fullPath, err := filepath.Abs(src[1])
+				if err != nil {
+					return nil, err
+				}
+				_, err = os.Stat(fullPath)
+				if err == nil {
+					parsed[id[1]] = fullPath
+				}
+				if err != nil {
+					return nil, errors.Wrap(err, "could not parse secrets")
+				}
+			} else {
+				return nil, invalidSyntax
+			}
+		} else {
+			return nil, invalidSyntax
+		}
+	}
+	return parsed, nil
+}

run.go

@@ -134,4 +134,9 @@ type RunOptions struct {
 	DropCapabilities []string
 	// Devices are the additional devices to add to the containers
 	Devices define.ContainerDevices
+	// Secrets are the available secrets to use in a RUN
+	Secrets map[string]string
+	// RunMounts are mounts for this run. RunMounts for this run
+	// will not show up in subsequent runs.
+	RunMounts []string
 }