bake: support compose build secrets

Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2025-11-01 00:23:56 +08:00 · 2022-04-14 01:27:55 +02:00
parent 3a90f99635
commit c0f8a8314b
2 changed files with 40 additions and 0 deletions
--- a/bake/compose.go
+++ b/bake/compose.go
@@ -74,6 +74,16 @@ func ParseCompose(dt []byte) (*Config, error) {
 				dockerfilePath := s.Build.Dockerfile
 				dockerfilePathP = &dockerfilePath
 			}
+
+			var secrets []string
+			for _, bs := range s.Build.Secrets {
+				secret, err := composeToBuildkitSecret(bs, cfg.Secrets[bs.Source])
+				if err != nil {
+					return nil, err
+				}
+				secrets = append(secrets, secret)
+			}
+
 			g.Targets = append(g.Targets, s.Name)
 			t := &Target{
 				Name:       s.Name,
@@ -89,6 +99,7 @@ func ParseCompose(dt []byte) (*Config, error) {
 				})),
 				CacheFrom:   s.Build.CacheFrom,
 				NetworkMode: &s.Build.Network,
+				Secrets:     secrets,
 			}
 			if err = t.composeExtTarget(s.Build.Extensions); err != nil {
 				return nil, err
@@ -209,3 +220,21 @@ func (t *Target) composeExtTarget(exts map[string]interface{}) error {
 	}
 	return nil
 }
+
+// composeToBuildkitSecret converts secret from compose format to buildkit's
+// csv format.
+func composeToBuildkitSecret(inp compose.ServiceSecretConfig, psecret compose.SecretConfig) (string, error) {
+	if psecret.External.External {
+		return "", errors.Errorf("unsupported external secret %s", psecret.Name)
+	}
+
+	var bkattrs []string
+	if inp.Source != "" {
+		bkattrs = append(bkattrs, "id="+inp.Source)
+	}
+	if psecret.File != "" {
+		bkattrs = append(bkattrs, "src="+psecret.File)
+	}
+
+	return strings.Join(bkattrs, ","), nil
+}
--- a/bake/compose_test.go
+++ b/bake/compose_test.go
@@ -23,6 +23,13 @@ services:
        none
      args:
        buildno: 123
+      secrets:
+        - ENV_TOKEN
+        - aws
+secrets:
+  ENV_TOKEN: {}
+  aws:
+    file: /root/.aws/credentials
 `)

 	c, err := ParseCompose(dt)
@@ -46,6 +53,10 @@ services:
 	require.Equal(t, 1, len(c.Targets[1].Args))
 	require.Equal(t, "123", c.Targets[1].Args["buildno"])
 	require.Equal(t, "none", *c.Targets[1].NetworkMode)
+	require.Equal(t, []string{
+		"id=ENV_TOKEN",
+		"id=aws,src=/root/.aws/credentials",
+	}, c.Targets[1].Secrets)
 }

 func TestNoBuildOutOfTreeService(t *testing.T) {