Open KiaraGrouwstra opened 3 months ago
To make the support for build secrets in the compose file more useful, I'm still trying to figure out how to pass those secret mounts to dockerTools' build steps. Those are confusing me a bit right now, as generated images seem to just have a single step (`Cmd` running an init).
If anyone here would have more of an idea on that, I'd be grateful.
Edit: I'm now under the impression the actual NixOS config is realized at run-time, meaning for NixOS containers we would not currently be able to utilize build secrets' limited secret exposure.
Edit 2: I think we could set `service.image.rawConfig.Run = ["--mount=type=secret,id=foo nixos-rebuild switch"];`, but even if that would work (which I'm not confident of), setting `service.build.secrets` with this PR seems to trigger an arion build error:
failed to solve: failed to read dockerfile: open /home/kiara/.local/share/docker/tmp/buildkit-mount3337376318/Dockerfile: no such file or directory
Given docker stack/swarm seems to support e.g. secrets' long syntax (configure secret permissions/ownership) and external secrets, I wonder: how have considerations been toward supporting that?
Is this still under work? It would be extremely useful.
@aacebedo I had not worked on this further, no.
Enables using docker compose secrets from arion, which includes:
- a `secrets` element defining the secrets to be used for the below two use-cases, exposing them at `/run/secrets/<secret_name>`. Comes in flavors `file` vs `environment`.
- `services` (using the top-level `secrets` element)
- `Dockerfile` (like `RUN --mount=type=secret,id=<secret_name> ...`)

Unlike #52, I did not so far add support for their long syntax, which despite the confusing documentation appears limited to Docker Swarm, in my understanding currently limiting its use in Arion.
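As an added illustration of the two use-cases the description lists (run-time secrets exposed at `/run/secrets/<secret_name>`, and build-time secrets consumed by a `RUN --mount=type=secret,id=<secret_name>` step), here is a plain Docker Compose file in the upstream compose syntax. It is example configuration written for this thread, not code from this PR or from Arion; the service name, the secret names and the `./secrets/db_password.txt` path are constructed for the example. The matching Dockerfile instruction would be `RUN --mount=type=secret,id=npm_token <command>`, which makes the secret readable at `/run/secrets/npm_token` only for the duration of that step and writes nothing into the image layers, which is the "limited secret exposure" the thread refers to.

```yaml
# Added example (not from this PR or Arion): docker-compose.yml showing both
# secret flavours and both use-cases. Names and paths are constructed.
services:
  app:
    build:
      context: .
      # Build-time use-case: the Dockerfile consumes this with
      #   RUN --mount=type=secret,id=npm_token <command>
      # The secret is readable at /run/secrets/npm_token only during that
      # RUN step and is never written to an image layer.
      secrets:
        - npm_token
    # Run-time use-case: mounted into the running container as a read-only
    # file at /run/secrets/db_password (not injected as an environment variable,
    # so it does not leak via `docker inspect` or child process environments).
    secrets:
      - db_password

# Top-level secrets element: declares where each secret comes from.
secrets:
  db_password:
    file: ./secrets/db_password.txt   # 'file' flavour; keep this path out of version control
  npm_token:
    environment: NPM_TOKEN            # 'environment' flavour; read from the host env when Compose runs
```

The short list syntax under `services.app.secrets` is deliberate: the long syntax (`target`, `uid`, `gid`, `mode`) is the Swarm-only form the description says was left out, so the plain form above is what works with a local `docker compose build` / `docker compose up`.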