feat: add buildah param to inject secrets into the build

The secret is made available only to RUN lines that are invoked with `--mount`, like this: ``` RUN --mount=type=secret,id={secret-name} cat /run/secrets/{secret-name} ``` See https://docs.podman.io/en/latest/markdown/podman-build.1.html#secret-id-id-src-path Signed-off-by: Ralph Bean <[email protected]>
konflux-ci · Jul 1, 2024 · 93778de · 93778de
1 parent 0d1223c
commit 93778de
Showing 1 changed file with 19 additions and 0 deletions.
diff --git a/task/buildah/0.1/buildah.yaml b/task/buildah/0.1/buildah.yaml
@@ -71,6 +71,10 @@ spec:
     description: Name of secret which contains the entitlement certificates
     type: string
     default: "etc-pki-entitlement"
+  - name: OPTIONAL_SECRET
+    description: Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$OPTIONAL_SECRET
+    type: string
+    default: ""
   - name: BUILD_ARGS
     description: Array of --build-arg values ("arg=value" strings)
     type: array
@@ -137,6 +141,8 @@ spec:
       value: $(params.BUILDER_IMAGE)
     - name: ENTITLEMENT_SECRET
       value: $(params.ENTITLEMENT_SECRET)
+    - name: OPTIONAL_SECRET
+      value: $(params.OPTIONAL_SECRET)
     - name: BUILD_ARGS_FILE
       value: $(params.BUILD_ARGS_FILE)
     - name: ADD_CAPABILITIES
@@ -276,6 +282,13 @@ spec:
         echo "Adding the entitlement to the build"
       fi
 
+      OPTIONAL_SECRET_PATH="/optional-secret"
+      if [ -d "$OPTIONAL_SECRET_PATH" ]; then
+        cp -r --preserve=mode "$OPTIONAL_SECRET_PATH" /tmp/optional-secret
+        BUILDAH_ARGS+=("--secret=id=${OPTIONAL_SECRET},src=/tmp/optional-secret")
+        echo "Adding the secret ${OPTIONAL_SECRET} to the build, available at /run/secrets/${OPTIONAL_SECRET}"
+      fi
+
       unshare -Uf $UNSHARE_ARGS --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w ${SOURCE_CODE_DIR}/$CONTEXT -- buildah build \
         $VOLUME_MOUNTS \
         "${BUILDAH_ARGS[@]}" \
@@ -313,6 +326,8 @@ spec:
       name: varlibcontainers
     - mountPath: "/entitlement"
       name: etc-pki-entitlement
+    - mountPath: "/optional-secret"
+      name: optional-secret
     - name: trusted-ca
       mountPath: /mnt/trusted-ca
       readOnly: true
@@ -495,6 +510,10 @@ spec:
     secret:
       secretName: $(params.ENTITLEMENT_SECRET)
       optional: true
+  - name: optional-secret
+    secret:
+      secretName: $(params.OPTIONAL_SECRET)
+      optional: true
   - name: trusted-ca
     configMap:
       name: $(params.caTrustConfigMapName)