Enable docker secrets in the builder as a more secure alternative to build args.

2023-01-18 17:35:36 -05:00
parent 84597e2fcd
commit e516f427cd
4 changed files with 44 additions and 2 deletions
--- a/lib/mrsk/commands/builder/base.rb
+++ b/lib/mrsk/commands/builder/base.rb
@@ -2,6 +2,7 @@ require "mrsk/commands/base"

 class Mrsk::Commands::Builder::Base < Mrsk::Commands::Base
  delegate :argumentize, to: Mrsk::Configuration
+  delegate :simple_secretize, to: Mrsk::Configuration

  def pull
    docker :pull, config.absolute_image
@@ -11,8 +12,16 @@ class Mrsk::Commands::Builder::Base < Mrsk::Commands::Base
    argumentize "--build-arg", args, redacted: true
  end

+  def build_secrets
+    simple_secretize "--secret", secrets, redacted: true
+  end
+
  private
    def args
      config.builder["args"] || {}
    end
+
+    def secrets
+      config.builder["secrets"] || {}
+    end
 end
--- a/lib/mrsk/configuration.rb
+++ b/lib/mrsk/configuration.rb
@@ -22,6 +22,10 @@ class Mrsk::Configuration
      attributes.flat_map { |k, v| [ argument, redacted ? Mrsk::Utils.redact("#{k}=#{v}") : "#{k}=#{v}" ] }
    end

+    def simple_secretize(secret, attributes, redacted: false)
+      attributes.flat_map { |k, v| [ secret, redacted ? Mrsk::Utils.redact("id=#{k}") : "id=#{k}" ] }
+    end
+
    private
      def load_config_file(file)
        if file.exist?
@@ -137,7 +141,7 @@ class Mrsk::Configuration

      if config.registry["username"].blank?
        raise ArgumentError, "You must specify a username for the registry in config/deploy.yml"
-      end      
+      end

      if config.registry["password"].blank?
        raise ArgumentError, "You must specify a password for the registry in config/deploy.yml (or set the ENV variable if that's used)"