Enable docker secrets in the builder as a more secure alternative to build args.

Nathan Anderson
2023-01-18 17:35:36 -05:00
parent 84597e2fcd
commit e516f427cd
4 changed files with 44 additions and 2 deletions


@@ -2,6 +2,7 @@ require "mrsk/commands/base"
class Mrsk::Commands::Builder::Base < Mrsk::Commands::Base
delegate :argumentize, to: Mrsk::Configuration
delegate :simple_secretize, to: Mrsk::Configuration
def pull
docker :pull, config.absolute_image
@@ -11,8 +12,16 @@ class Mrsk::Commands::Builder::Base < Mrsk::Commands::Base
argumentize "--build-arg", args, redacted: true
end
def build_secrets
simple_secretize "--secret", secrets, redacted: true
end
private
def args
config.builder["args"] || {}
end
def secrets
config.builder["secrets"] || {}
end
end
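Review bot: The private `secrets` reader defaults to `{}`, which invites a key/value map under `builder.secrets`, yet `simple_secretize` in the Mrsk::Configuration section emits only `id=#{k}` and drops the value. A secret value written into config/deploy.yml would therefore sit in the repository and be silently ignored by the build. If only secret names are meant to be listed, I would default to `config.builder["secrets"] || []` and add a comment above `build_secrets` such as `# Emits --secret id=NAME only; the value must be supplied by the build environment, never by deploy.yml`. How the builder resolves a bare `id=` is not visible in this commit, so that wording should be confirmed against the actual build invocation. The class body continues outside these hunks, so the callers of `build_secrets` are not shown.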


@@ -22,6 +22,10 @@ class Mrsk::Configuration
attributes.flat_map { |k, v| [ argument, redacted ? Mrsk::Utils.redact("#{k}=#{v}") : "#{k}=#{v}" ] }
end
def simple_secretize(secret, attributes, redacted: false)
attributes.flat_map { |k, v| [ secret, redacted ? Mrsk::Utils.redact("id=#{k}") : "id=#{k}" ] }
end
private
def load_config_file(file)
if file.exist?
@@ -137,7 +141,7 @@ class Mrsk::Configuration
if config.registry["username"].blank?
raise ArgumentError, "You must specify a username for the registry in config/deploy.yml"
end
end
if config.registry["password"].blank?
raise ArgumentError, "You must specify a password for the registry in config/deploy.yml (or set the ENV variable if that's used)"