Allow setting build secrets for "Build Image" CI step (OD-2002)
HoLLy opened 1 year ago

I have a .NET project that depends on a package on a private NuGet feed. I have a Dockerfile that builds this image, and so it needs credentials to add the NuGet feed in the container. To do that, I use build secrets, but there doesn't seem to be a convenient way to pass these build secrets into the container step.

One easy way to fix this would be to allow specifying environment variables in the "Build Image" CI step, so they can be loaded by adding --secret id=my_secret,env=MY_ENV_VAR as an extra option to the build command.

  • Robin Shen commented 1 year ago

    This can be done by passing the build secret via build-arg in more options of the build image step, for instance:

    --build-arg secretid=@secret:build-secret-name@
    
  • HoLLy commented 1 year ago

    I don't think you can pass in build secrets this way. I tested locally like this:

    docker build . --build-arg username=TEST_USER --build-arg password=TEST_PASS
    

    With the following lines in my Dockerfile:

    COPY . .
    RUN --mount=type=secret,id=username \
        --mount=type=secret,id=password \
        dotnet nuget add source --name onedev --username $(cat /run/secrets/username) --password $(cat /run/secrets/password) --store-password-in-clear-text https://my-onedev-server.example/MyProject/~nuget/index.json
    

    And I get an error that matches when I don't pass in any secrets. The docs also seem to suggest this only sets an environment variable in the container, which build secrets try to avoid. The same page lists the --secret argument to pass in build secrets, which require a file or environment variable on the host.

  • Robin Shen commented 1 year ago

    Thanks for elaborating. Please follow the steps below to work around this:

    1. Add a step that runs the command below to write the secret to a file in the workspace, before the build image step:

      echo @secret:mysecret@ > mysecret
      
    2. Pass the file as a secret source in the more settings of the build image step:

      --secret id=mysecret,src=./mysecret
      
  • HoLLy commented 1 year ago

    That does seem to work, although this writes the secret to the git repo, which may accidentally include it in the Docker image (which is exactly what secrets aim to avoid). I checked my app using dive and it seemed like that wasn't the case for me, likely because the build is done in a separate stage.

    This workaround works but is not very discoverable. Are there any plans to extend the UI to allow specifying environment variables for the build step, or directly set secrets? If not, this issue can be closed as I've fixed the issue on my end now.
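    The two-step workaround above (write the secret to a file, then pass it with --secret id=...,src=...) and the concern about the file ending up inside the build context can be combined into one script. The following is an added example, not code from the OneDev issue or the OneDev project: the secret is taken from an environment variable (MY_NUGET_PASSWORD, an assumed name), written with mode 0600 into a temporary directory outside the workspace, passed to docker build via --secret, and removed once the build finishes. The secret id nuget_password is likewise an assumed name and must match the id used in the Dockerfile's RUN --mount=type=secret line.

```shell
#!/bin/sh
# Added example, not part of the OneDev issue or project. Secret id
# "nuget_password" and env var MY_NUGET_PASSWORD are assumed names.
set -eu

# Write secret value $2 into a fresh temp dir, in a file named after secret id $1.
# umask 077 makes the file owner-readable only. Prints the file path.
write_secret_file() {
    id=$1
    value=$2
    dir=$(mktemp -d)
    (umask 077; printf '%s' "$value" > "$dir/$id")
    printf '%s\n' "$dir/$id"
}

# Compose the docker build command line: secret id $1 is mounted from file $2,
# build context $3 (default "."). Printed as a string so it can be inspected.
build_command() {
    id=$1
    src=$2
    context=${3:-.}
    printf 'docker build --secret id=%s,src=%s %s' "$id" "$src" "$context"
}

# Return 0 if file $1 lies outside build-context directory $2, 1 if inside.
# Both sides are resolved with pwd -P so symlinked temp dirs compare correctly.
# A secret inside the context could be picked up by "COPY . ." and baked into a layer.
outside_context() {
    abs_path=$(cd "$(dirname "$1")" && pwd -P)/$(basename "$1")
    abs_ctx=$(cd "$2" && pwd -P)
    case "$abs_path" in
        "$abs_ctx"/*) return 1 ;;
        *) return 0 ;;
    esac
}

# Main flow, guarded so the functions can be sourced without starting a build.
if [ "${RUN_BUILD:-0}" = 1 ]; then
    secret_file=$(write_secret_file nuget_password "${MY_NUGET_PASSWORD:?set MY_NUGET_PASSWORD}")
    outside_context "$secret_file" . || { echo "secret file is inside the build context" >&2; exit 1; }
    cmd=$(build_command nuget_password "$secret_file" .)
    echo "$cmd"
    sh -c "$cmd"
    rm -rf "$(dirname "$secret_file")"   # drop the secret as soon as the build is done
fi
```

    Run it with RUN_BUILD=1 MY_NUGET_PASSWORD=... sh build.sh from the repository root. If the CI tooling only lets you write the file into the workspace, as in the workaround above, adding its name to .dockerignore gives the same protection against COPY . . as keeping it outside the context; where the build command is under your control, --secret id=nuget_password,env=MY_NUGET_PASSWORD (the env form mentioned in the issue) avoids the file entirely.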

  • Robin Shen changed state from 'Open' to 'Closed' 1 year ago
  • Robin Shen commented 1 year ago

    I am closing this as this is doable for now.

Type: New Feature
Priority: Normal
Labels: No labels
Issue Votes (0)
Watchers (2)
Reference: OD-2002