search

Dokploy / dokploy

Open Source Alternative to Vercel, Netlify and Heroku.
https://dokploy.com/
Other
8.78k stars 425 forks source link

[Feature] Docker Build Secrets #407

Open iksaku opened 2 months ago

iksaku commented 2 months ago

What problem will this feature address?

Build Secrets have a similar scope to Build Variables in that both are only provided during build process, however, secrets are specifically made to not be available in any ways in the resulting image, not in logs.

Describe the solution you'd like

Managing Build Secrets in Dokploy

I think it would make sense for Dokploy to manage Build Secrets the same way Build Variables are managed, using a <Secrets /> component.

Providing Build Secrets to Docker

There 2 ways to tell docker build about secrets:

Dokploy could prepend the processed Build Secret key-value pairs to the docker execution, so we make the values available to the process, and then we append --secret flags to the command, just like the first example:

API_TOKEN="<secret>" docker build . --secret id=token,env=API_TOKEN

Providing the secret value with Dokploy creating files may not be the best option as the files could pile up over time. Sure, we could use the /tmp directory... But sounds more complex to me.

Describe alternatives you've considered

Managing Build Secrets via pre-exiting files in Dokploy sound like something somebody would want, and this would require the process for Build Secrets to be similar to Docker Volumes: Need to select a type of secret (in this case: Value, File Path) and then it cannot be changed later on. Dokploy would not manage the Secrets from pre-existing files in the host machine, and only manage references to such files as secret value holders, and tell docker about the existance of these via --secret id=<name>,src=<path>.

To me, Dokploy managing the secret values is good enough, but is not up to me to decide.

Additional context

I've looked to PR this myself, but as there is an alternative path that could (or could not) be decided to be useful, I preferred to stop and post this for discussion.

Siumauricio commented 2 months ago

Hi @iksaku sounds good idea, since this apply only to dockerfile, we have 2 inputs for environment variables and build variables, maybe in the build variable section add some toggle to denotate will be used as a build secrets?

iksaku commented 2 months ago

@Siumauricio Build variables and Build secrets operate differently inside the Dockerfile.

For build variables, you can expect the following:

docker build . --build-arg MESSAGE="Hello world!"
ARG MESSAGE

RUN echo "${MESSAGE}"

But to access build secrets, the process is different

MESSAGE="Hello world" docker build . --secret id=message,env=MESSAGE
RUN --mount=type=secret,id=message cat $(/run/secrets/message)

I think the difference in natures makes it worth having 2 separate properties instead of mixing them in a single input as there would not be granularity to mark which to use as a build variable, and which as a build secret.

ismoiliy98 commented 1 month ago

Any update on this? We are using docker build-time secrets to build our images. Are there any workarounds until this feature is implemented?

iksaku commented 1 month ago

An alternative at the moment, although not perfect, is to use Build Variables instead

Siumauricio commented 1 month ago

Hey sorry for the delay, @iksaku are you interested to work on this? if so you can go ahead with the implementation

iksaku commented 1 month ago

Sure, I would love to get into it. Just haven't found some time to draft it, but will try to find some in the coming weeks.

If anyone beats me to it, I would love to discuss implementation!

Siumauricio commented 1 week ago

@iksaku No worries, take your time whenever you want!