Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

add support for docker compose secrets #255

Open
wants to merge 7 commits into
base: main
Choose a base branch
from
Open

add support for docker compose secrets #255

wants to merge 7 commits into from

Conversation

KiaraGrouwstra
Copy link
Contributor

@KiaraGrouwstra KiaraGrouwstra commented Aug 3, 2024
edited
Loading

enables using docker compose secrets from arion, which includes:

unlike #52, i did not so far add support for their long syntax, which despite the confusing documentation appears
limited to Docker Swarm, in my understanding currently limiting its use in Arion.

@KiaraGrouwstra
add support for docker compose secrets
a8b2157 
enables using [docker compose secrets](https://docs.docker.com/compose/use-secrets/)
from arion, which includes:

- [top-level `secrets` element](https://docs.docker.com/compose/compose-file/09-secrets/)
defining the secrets to be used
for the below two use-cases,
exposing them at `/run/secrets/<secret_name>`.
comes in flavors `file` vs `environment`.
- run-time: [`services` top-level `secrets` element](https://docs.docker.com/compose/compose-file/05-services/#secrets)
- build time: [build secrets](https://docs.docker.com/build/building/secrets/)
(to be [mounted](https://docs.docker.com/build/building/secrets/#secret-mounts)
in the `Dockerfile` like
`RUN --mount=type=secret,id=<secret_name> ...`)

unlike hercules-ci#52, i did not so far add support for their
[long syntax](https://docs.docker.com/compose/compose-file/05-services/#long-syntax-4),
which despite the confusing documentation appears
[limited to Docker Swarm](docker/compose#9648 (comment)),
in my understanding limiting its use in Arion.
@KiaraGrouwstra KiaraGrouwstra mentioned this pull request Aug 3, 2024
Draft
@KiaraGrouwstra
Copy link
Contributor Author

KiaraGrouwstra commented Aug 3, 2024
edited
Loading

to make the support for build secrets in the compose file more useful, i'm still trying to figure out how to pass those secret mounts to dockerTools' build steps. those are confusing me a bit right now, as generated images seem to just have a single step (Cmd running an init).
if anyone here would have more of an idea on that, i'd be grateful.

edit: i'm now under the impression the actual nixos config is realized at run-time, meaning for nixos containers we would not currently be able to utilize build secrets' limited secret exposure

edit 2: i think we could set service.image.rawConfig.Run = ["--mount=type=secret,id=foo nixos-rebuild switch"];, but even if that would work (which i'm not confident of), setting service.build.secrets with this PR seems to trigger an arion build error:

failed to solve: failed to read dockerfile: open /home/kiara/.local/share/docker/tmp/buildkit-mount3337376318/Dockerfile: no such file or directory

@KiaraGrouwstra
Copy link
Contributor Author

KiaraGrouwstra commented Aug 3, 2024
edited
Loading

given docker stack/swarm seems to support e.g. secrets' long-syntax (configure secret permissions/ownership) and external secrets i wonder, how have considerations been toward supporting that?

@KiaraGrouwstra KiaraGrouwstra mentioned this pull request Aug 3, 2024
Draft
@aacebedo
Copy link

Is this stil under work? It would be extremely useful.

@KiaraGrouwstra
Copy link
Contributor Author

@aacebedo i had not worked on this further, no

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@KiaraGrouwstra @aacebedo