feat: Add ability to mount secrets

Author: gmpinder

Cargo.lock

@@ -33,6 +33,7 @@ tempfile = "3"
 tokio = { version = "1", features = ["rt", "rt-multi-thread"] }
 users = "0.11"
 uuid = { version = "1", features = ["v4"] }
+zeroize = { version = "1", features = ["aarch64", "derive", "std", "serde"] }
 
 [workspace.lints.rust]
 unsafe_code = "forbid"

Cargo.toml

@@ -4,31 +4,11 @@ PROJECT blue-build/cli
 IMPORT github.com/earthly/lib/utils/dind AS dind
 
 all:
-    BUILD +test-image
-    # BUILD +test-legacy-image
     BUILD +build
     BUILD +switch
     BUILD +validate
-
-test-image:
-    FROM +build-template --src=template-containerfile
-    WORKDIR /tmp/test
-    COPY ./test-scripts/*.sh ./
-
-    DO +RUN_TESTS
-
-test-legacy-image:
-    FROM +build-template --src=template-legacy-containerfile
-    WORKDIR /tmp/test
-    COPY ./test-scripts/*.sh ./
-
-    DO +RUN_TESTS
-
-build-template:
-    ARG --required src
-    FROM DOCKERFILE \
-    -f +$src/test/Containerfile \
-    +$src/test/*
+    BUILD +template-containerfile
+    BUILD +template-legacy-containerfile
 
 template-containerfile:
     FROM +test-base

integration-tests/Earthfile

@@ -1,2 +1,3 @@
 /Containerfile
 /Containerfile.*
+/secrets

integration-tests/test-repo/.gitignore

@@ -77,3 +77,41 @@ modules:
     from: fedora-test
     src: /test.txt
     dest: /
+
+  # Testing secrets
+  - type: script
+    secrets:
+      - type: env
+        name: TEST_SECRET
+    snippets:
+      - '[ "$TEST_SECRET" == "test123" ]'
+  - type: script
+    secrets:
+      - type: file
+        source: ./secrets/test-secret
+        destination: /tmp/test-secret
+    snippets:
+      - '[ "$(cat /tmp/test-secret)" == "321tset" ]'
+  - type: script
+    secrets:
+      - type: exec
+        command: cat
+        args:
+          - ./test_secret_file.txt
+        output:
+          type: env
+          name: TEST_SECRET
+    snippets:
+      - '[ "$TEST_SECRET" == "TEST_PASS" ]'
+  - type: script
+    secrets:
+      - type: exec
+        command: cat
+        args:
+          - ./test_secret_file.txt
+        output:
+          type: file
+          destination: /tmp/test-secret
+    snippets:
+      - '[ "$(cat /tmp/test-secret)" == "TEST_PASS" ]'
+

integration-tests/test-repo/recipes/common.yml

@@ -0,0 +1 @@
+TEST_PASS

integration-tests/test-repo/test_secret_file.txt

@@ -1,5 +1,7 @@
 export RUST_BACKTRACE := "1"
 export BB_CACHE_LAYERS := "true"
+export TEST_SECRET := "test123"
+# export BB_SKIP_VALIDATION := "true"
 
 set dotenv-load := true
 set positional-arguments := true
@@ -133,11 +135,15 @@ cargo_bin := if env('CARGO_HOME', '') != '' {
   x"$HOME/.cargo/bin"
 }
 
+generate-test-secret:
+  mkdir -p integration-tests/test-repo/secrets
+  echo "321tset" > integration-tests/test-repo/secrets/test-secret
+
 # Run all integration tests
-integration-tests: test-docker-build test-empty-files-build test-arm64-build test-podman-build test-buildah-build test-generate-iso-image test-generate-iso-recipe
+integration-tests: generate-test-secret test-docker-build test-empty-files-build test-arm64-build test-podman-build test-buildah-build test-generate-iso-image test-generate-iso-recipe
 
 # Run docker driver integration test
-test-docker-build: install-debug-all-features
+test-docker-build: generate-test-secret install-debug-all-features
   cd integration-tests/test-repo \
   && bluebuild build \
     --retry-push \
@@ -148,7 +154,7 @@ test-docker-build: install-debug-all-features
     -vv \
     recipes/recipe.yml recipes/recipe-gts.yml
 
-test-empty-files-build: install-debug-all-features
+test-empty-files-build: generate-test-secret install-debug-all-features
   cd integration-tests/empty-files-repo \
   && bluebuild build \
     --retry-push \
@@ -158,15 +164,15 @@ test-empty-files-build: install-debug-all-features
     {{ should_push }} \
     -vv
 
-test-rechunk-build: install-debug-all-features
+test-rechunk-build: generate-test-secret install-debug-all-features
   cd integration-tests/test-repo \
   && bluebuild build \
     {{ should_push }} \
     -vv \
     --rechunk \
     recipes/recipe-rechunk.yml
 
-test-fresh-rechunk-build: install-debug-all-features
+test-fresh-rechunk-build: generate-test-secret install-debug-all-features
   cd integration-tests/test-repo \
   && bluebuild build \
     {{ should_push }} \
@@ -176,7 +182,7 @@ test-fresh-rechunk-build: install-debug-all-features
     recipes/recipe-rechunk.yml
 
 # Run arm integration test
-test-arm64-build: install-debug-all-features
+test-arm64-build: generate-test-secret install-debug-all-features
   cd integration-tests/test-repo \
   && bluebuild build \
     --retry-push \
@@ -186,7 +192,7 @@ test-arm64-build: install-debug-all-features
     recipes/recipe-arm64.yml
 
 # Run docker driver external login integration test
-test-docker-build-external-login: install-debug-all-features
+test-docker-build-external-login: generate-test-secret install-debug-all-features
   cd integration-tests/test-repo \
   && bluebuild build \
     --retry-push \
@@ -196,7 +202,7 @@ test-docker-build-external-login: install-debug-all-features
     recipes/recipe-docker-external.yml
 
 # Run podman driver integration test
-test-podman-build: install-debug-all-features
+test-podman-build: generate-test-secret install-debug-all-features
   cd integration-tests/test-repo \
   && bluebuild build \
     --retry-push \
@@ -208,7 +214,7 @@ test-podman-build: install-debug-all-features
     recipes/recipe-podman.yml
 
 # Run buildah driver integration test
-test-buildah-build: install-debug-all-features
+test-buildah-build: generate-test-secret install-debug-all-features
   cd integration-tests/test-repo \
   && bluebuild build \
     --retry-push \
@@ -220,14 +226,14 @@ test-buildah-build: install-debug-all-features
     recipes/recipe-buildah.yml
 
 # Run ISO generator for images
-test-generate-iso-image: install-debug-all-features
+test-generate-iso-image: generate-test-secret install-debug-all-features
   #!/usr/bin/env bash
   set -eu
   ISO_OUT=$(mktemp -d)
   bluebuild generate-iso -vv --output-dir "$ISO_OUT" image ghcr.io/blue-build/cli/test:40
 
 # Run ISO generator for images
-test-generate-iso-recipe: install-debug-all-features
+test-generate-iso-recipe: generate-test-secret install-debug-all-features
   #!/usr/bin/env bash
   set -eu
   ISO_OUT=$(mktemp -d)

justfile

@@ -20,7 +20,6 @@ os_pipe = { version = "1", features = ["io_safety"] }
 rand = "0.9"
 signal-hook = { version = "0.3", features = ["extended-siginfo"] }
 sigstore = { version = "0.11", features = ["full-rustls-tls", "cached-client", "sigstore-trust-root", "sign"], default-features = false }
-zeroize = { version = "1", features = ["aarch64", "derive", "serde"] }
 
 cached.workspace = true
 chrono.workspace = true
@@ -42,6 +41,7 @@ tokio.workspace = true
 bon.workspace = true
 users.workspace = true
 uuid.workspace = true
+zeroize.workspace = true
 
 [dev-dependencies]
 rstest.workspace = true

process/Cargo.toml

@@ -14,7 +14,7 @@ use std::{
     time::Duration,
 };
 
-use blue_build_utils::semver::Version;
+use blue_build_utils::{BUILD_ID, semver::Version};
 use bon::{Builder, bon};
 use cached::proc_macro::cached;
 use clap::Args;
@@ -69,9 +69,6 @@ static SELECTED_SIGNING_DRIVER: std::sync::LazyLock<RwLock<Option<SigningDriverT
 static SELECTED_CI_DRIVER: std::sync::LazyLock<RwLock<Option<CiDriverType>>> =
     std::sync::LazyLock::new(|| RwLock::new(None));
 
-/// UUID used to mark the current builds
-static BUILD_ID: std::sync::LazyLock<Uuid> = std::sync::LazyLock::new(Uuid::new_v4);
-
 /// Args for selecting the various drivers to use for runtime.
 ///
 /// If the args are left uninitialized, the program will determine

process/drivers.rs

@@ -1,11 +1,12 @@
 use std::{io::Write, process::Stdio};
 
-use blue_build_utils::{credentials::Credentials, semver::Version};
+use blue_build_utils::{credentials::Credentials, secret::SecretArgs, semver::Version};
 use colored::Colorize;
 use comlexr::cmd;
 use log::{debug, error, info, trace};
-use miette::{IntoDiagnostic, Result, bail, miette};
+use miette::{Context, IntoDiagnostic, Result, bail, miette};
 use serde::Deserialize;
+use tempfile::TempDir;
 
 use crate::{drivers::types::Platform, logging::CommandLogging};
 
@@ -50,9 +51,14 @@ impl BuildDriver for BuildahDriver {
     fn build(opts: &BuildOpts) -> Result<()> {
         trace!("BuildahDriver::build({opts:#?})");
 
+        let temp_dir = TempDir::new()
+            .into_diagnostic()
+            .wrap_err("Failed to create temporary directory for secrets")?;
+
         let command = cmd!(
             "buildah",
             "build",
+            for opts.secrets.args(&temp_dir)?,
             if !matches!(opts.platform, Platform::Native) => [
                 "--platform",
                 opts.platform.to_string(),