gmpinder
Member

@gmpinder gmpinder commented Jul 13, 2025

This MR implements the use of secrets in module calls. It will handle securely mounting secrets by generating a unique hash for each secret that is also unique for each build, which will be used as its ID and mount path unless otherwise specified by the user.

NOTE: The examples below make use of the script module to show that secrets do get mounted. This feature is available for every module except the copy and containerfile modules.

Supported methods

Environment Variables

You can specify an environment variable to mount from the host.

type: script
secrets:
  - type: env
    name: TEST_SECRET
snippets:
  - echo "The test secret is $TEST_SECRET"

Files

You can specify a file on the host machine and where to mount it in the build.

type: script
secrets:
  - type: file
    source: /path/to/secret
    destination: /tmp/secrets/test-secret
snippets:
  - echo "The test secret is $(cat /tmp/secrets/test-secret)"

Commands

You can also run a command on the host machine to read the secret from stdout. This is useful if you have some external secrets provider like Vault or Bitwarden. You can also specify if the value should be mounted as a file or as an environment variable.

Secrets generated from external commands are stored in a temp file on the host that is cleaned up after the build completes. (see: tempfile) Secrets stored in memory are zeroized when dropped. (see: zeroize)

type: script
secrets:
  - type: exec
    command: vault
    args:
      - kv
      - get
      - secrets/test/secret
    output:
      type: env
      name: TEST_SECRET
snippets:
  - echo "The test secret is $TEST_SECRET"

SSH

You can also mount your SSH socket. This is useful when you want to check out something from a private git repo.

type: script
secrets:
  - type: ssh
snippets:
  - git clone [email protected]:user/private_repo.git
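The description above states three properties of the implementation: the mount ID and default mount path are a hash that is unique per secret and per build, exec-sourced secrets live in a host temp file that is removed after the build, and in-memory secret values are zeroized on drop. The block below is an added, std-only Rust sketch of those three properties; it is not the project's code and does not use the `tempfile` or `zeroize` crates the PR relies on. The `/run/secrets` default path prefix, the `secret-<id>` temp file name and the `SecretValue`, `ExecSecretFile` and `secret_mount_id` names are assumptions chosen for this example.

```rust
// Added example, not the project's implementation. Stand-ins for the
// `zeroize` and `tempfile` crates are written with std only so this runs
// without dependencies.
use std::collections::hash_map::DefaultHasher;
use std::fs;
use std::hash::{Hash, Hasher};
use std::io::Write;
use std::path::{Path, PathBuf};

/// Derive the secret's mount ID from the build ID and a per-secret key.
/// Same build + same secret -> same ID, so the build can locate it; a new
/// build gets a fresh ID, so a mount path from an earlier build is never reused.
pub fn secret_mount_id(build_id: &str, secret_key: &str) -> String {
    let mut h = DefaultHasher::new();
    build_id.hash(&mut h);
    secret_key.hash(&mut h);
    format!("{:016x}", h.finish())
}

/// Default mount path inside the build when the user gives no `destination`.
/// The `/run/secrets` prefix is an assumption made for this example.
pub fn default_mount_path(mount_id: &str) -> PathBuf {
    PathBuf::from("/run/secrets").join(mount_id)
}

/// Overwrite a buffer with zeros using volatile writes so the compiler
/// cannot drop the stores as dead (the same idea the zeroize crate relies on).
pub fn zeroize_in_place(buf: &mut [u8]) {
    for b in buf.iter_mut() {
        // SAFETY: `b` is a valid, aligned, exclusively borrowed u8.
        unsafe { std::ptr::write_volatile(b, 0) };
    }
    std::sync::atomic::compiler_fence(std::sync::atomic::Ordering::SeqCst);
}

/// Secret bytes held in memory; zeroed when the value goes out of scope.
pub struct SecretValue(Vec<u8>);

impl SecretValue {
    pub fn new(bytes: Vec<u8>) -> Self {
        Self(bytes)
    }
    pub fn expose(&self) -> &[u8] {
        &self.0
    }
}

impl Drop for SecretValue {
    fn drop(&mut self) {
        zeroize_in_place(&mut self.0);
    }
}

/// Host-side temp file holding the stdout of an `exec` secret. It is
/// owner-readable only and is deleted on drop so it does not outlive the build.
pub struct ExecSecretFile {
    path: PathBuf,
}

impl ExecSecretFile {
    pub fn write(dir: &Path, mount_id: &str, value: &SecretValue) -> std::io::Result<Self> {
        let path = dir.join(format!("secret-{mount_id}"));
        let mut opts = fs::OpenOptions::new();
        // create_new refuses to clobber an existing path (no symlink-swap surprises).
        opts.write(true).create_new(true);
        #[cfg(unix)]
        {
            use std::os::unix::fs::OpenOptionsExt;
            opts.mode(0o600); // other users on the host must not be able to read it
        }
        let mut f = opts.open(&path)?;
        f.write_all(value.expose())?;
        Ok(Self { path })
    }
    pub fn path(&self) -> &Path {
        &self.path
    }
}

impl Drop for ExecSecretFile {
    fn drop(&mut self) {
        let _ = fs::remove_file(&self.path);
    }
}

fn main() -> std::io::Result<()> {
    // Constructed sample inputs; the build ID would come from the running build.
    let id = secret_mount_id("build-2025-07-13-example", "env:TEST_SECRET");
    println!("mount id {id} -> {}", default_mount_path(&id).display());
    let value = SecretValue::new(b"constructed-secret-value".to_vec());
    let tmp = ExecSecretFile::write(&std::env::temp_dir(), &id, &value)?;
    println!("exec secret staged at {}", tmp.path().display());
    Ok(()) // `tmp` and `value` drop here: file removed, buffer zeroed
}
```

The ordering of the two drops at the end of `main` is the point worth noticing: the staged file disappears and the in-memory copy is wiped without any explicit cleanup call, which is what makes the "cleaned up after the build completes" guarantee hold on the error path as well as the happy path.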

@gmpinder gmpinder self-assigned this Jul 13, 2025
@gmpinder gmpinder linked an issue Jul 13, 2025 that may be closed by this pull request
@gmpinder gmpinder force-pushed the 434-feat-allow-mounting-of-secrets-for-build-steps branch 4 times, most recently from f83b6ea to 7ff35d9 July 13, 2025 17:45
@gmpinder gmpinder marked this pull request as ready for review July 13, 2025 18:08
@gmpinder gmpinder force-pushed the 434-feat-allow-mounting-of-secrets-for-build-steps branch 7 times, most recently from 33f7474 to ea18dd3 July 14, 2025 23:08
@gmpinder gmpinder force-pushed the 434-feat-allow-mounting-of-secrets-for-build-steps branch from ea18dd3 to f2da712 July 16, 2025 12:33
@gmpinder gmpinder merged commit 4fabd3e into main Jul 17, 2025
31 of 34 checks passed
@gmpinder gmpinder deleted the 434-feat-allow-mounting-of-secrets-for-build-steps branch July 17, 2025 18:03
Successfully merging this pull request may close these issues.

feat: Allow mounting of secrets for build steps