From a7c75647d735fc8d0c9d8deb02845df1cee412b7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C3=ADas=20A=2E=20Bellone?=
Date: Sat, 12 Nov 2022 00:43:46 -0300
Subject: [PATCH 1/5] Add new secrets option to plugin spec

---
 plugin.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/plugin.yml b/plugin.yml
index 71025495..d08e1c46 100644
--- a/plugin.yml
+++ b/plugin.yml
@@ -82,6 +82,10 @@ configuration:
 type: boolean
 ssh:
 type: boolean
+ secrets:
+ type: array
+ items:
+ type: string
 target:
 type: string
 tty:
@@ -122,6 +126,7 @@ configuration:
 pull: [ run ]
 push-retries: [ push ]
 skip-pull: [ run ]
+ secrets: [ buildkit, build ]
 ssh: [ buildkit ]
 target: [ build ]
 tty: [ run ]

From 2f9af14c10deedbce69581343875c9ba370b3db4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C3=ADas=20A=2E=20Bellone?=
Date: Sat, 12 Nov 2022 00:49:40 -0300
Subject: [PATCH 2/5] Add --secrets parameters on build

---
 commands/build.sh | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/commands/build.sh b/commands/build.sh
index 640d39e4..ddd6b04d 100755
--- a/commands/build.sh
+++ b/commands/build.sh
@@ -157,6 +157,11 @@ if [[ "$(plugin_read_config BUILD_PARALLEL "false")" == "true" ]] ; then
 build_params+=(--parallel)
 fi
+# Parse the list of secrets to pass on to build command
+while read -r line ; do
+ [[ -n "$line" ]] && build_params+=("--secret" "$line")
+done <<< "$(plugin_read_list SECRETS)"
+
 if [[ "$(plugin_read_config SSH "false")" == "true" ]] ; then
 if [[ "${DOCKER_BUILDKIT:-}" != "1" && "${BUILDKITE_PLUGIN_DOCKER_COMPOSE_CLI_VERSION:-}" != "2" ]]; then
 echo "🚨 You can not use the ssh option if you are not using buildkit"

From dd9f5e89dce3ecbc4a3da7be4bada9f64c2e291c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C3=ADas=20A=2E=20Bellone?=
Date: Sat, 12 Nov 2022 00:56:08 -0300
Subject: [PATCH 3/5] Added tests for new option

---
 tests/build.bats | 21 +++++++++++++++++++++
 tests/v2/build.bats | 22 ++++++++++++++++++++++
 2 files changed, 43 insertions(+)
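Review bot: The new `--secret` loop in commands/build.sh has no BuildKit pre-check, whereas the `ssh` block immediately below it aborts when `DOCKER_BUILDKIT` is not `1` and `BUILDKITE_PLUGIN_DOCKER_COMPOSE_CLI_VERSION` is not `2`, and plugin.yml in this same series declares `secrets: [ buildkit, build ]`; mirroring that guard fails early with a clear message instead of leaving the legacy builder to reject an unknown flag (the rest of the ssh block, including how it exits, is outside the hunk, so match whatever it does there). Each list entry is forwarded verbatim onto the docker command line, so the option should carry a secret reference (an `id=` plus a file path or variable name, as the tests' `id=test,file=~/.test` and `id=SECRET_VAR` entries do) rather than a secret value, and the added comment could say so: `# Each entry is passed verbatim as a --secret spec; it names the secret, it must never contain the value`. Note also that the README text added in patch 4 calls the flag `--secrets` while the code passes `--secret`.
```bash
# … unchanged: --parallel handling …
secrets_list="$(plugin_read_list SECRETS)"
if [[ -n "$secrets_list" && "${DOCKER_BUILDKIT:-}" != "1" && "${BUILDKITE_PLUGIN_DOCKER_COMPOSE_CLI_VERSION:-}" != "2" ]]; then
  echo "🚨 You can not use the secrets option if you are not using buildkit"
  exit 1
fi
# Parse the list of secrets to pass on to build command
# Each entry is passed verbatim as a --secret spec; it names the secret, it must never contain the value
while read -r line ; do
  [[ -n "$line" ]] && build_params+=("--secret" "$line")
done <<< "$secrets_list"
# … unchanged: ssh handling …
```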
diff --git a/tests/build.bats b/tests/build.bats
index 5edd4f5d..0cb6a2cb 100644
--- a/tests/build.bats
+++ b/tests/build.bats
@@ -793,5 +793,26 @@ load '../lib/shared'
 assert_output --partial "built myservice"
 assert_output --partial "with ssh"
+ unstub docker-compose
+}
+
+@test "Build with secrets" {
+ export BUILDKITE_BUILD_NUMBER=1
+ export BUILDKITE_JOB_ID=1111
+ export BUILDKITE_PIPELINE_SLUG=test
+
+ export BUILDKITE_PLUGIN_DOCKER_COMPOSE_BUILD=myservice
+ export BUILDKITE_PLUGIN_DOCKER_COMPOSE_SECRETS_0='id=test,file=~/.test'
+ export BUILDKITE_PLUGIN_DOCKER_COMPOSE_SECRETS_1='id=SECRET_VAR'
+
+ stub docker-compose \
+ "-f docker-compose.yml -p buildkite1111 -f docker-compose.buildkite-1-override.yml build --pull --secret \* --secret \* \* : echo built \${13} with secrets \${10} and \${12}"
+
+ run "$PWD"/hooks/command
+
+ assert_success
+ assert_output --partial "built myservice"
+ assert_output --partial "with secrets id=test,file=~/.test and id=SECRET_VAR"
+
 unstub docker-compose
 }
\ No newline at end of file
diff --git a/tests/v2/build.bats b/tests/v2/build.bats
index e45de20a..2a1d2255 100644
--- a/tests/v2/build.bats
+++ b/tests/v2/build.bats
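Review bot: The `\*` wildcards in the stub accept any two values for the `--secret` arguments, so only the final `assert_output` fed by `\${10}` and `\${12}` pins which spec lands in which position; a one-line comment above the stub, `# \* matches any value; the echoed positions pin the order of the two --secret specs`, would make that intent clear to the next reader. The expected output keeps the literal `~/.test`, which documents that the plugin forwards a spec without expanding the tilde, and that is worth stating in a comment too. Both this file and tests/v2/build.bats in the next hunk still end without a trailing newline (`\ No newline at end of file` survives), and the v2 version separates the new test from the previous one with two blank lines instead of one.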
@@ -627,5 +627,27 @@ setup_file() {
 assert_output --partial "built myservice"
 assert_output --partial "with ssh"
+ unstub docker
+}
+
+
+@test "Build with secrets" {
+ export BUILDKITE_BUILD_NUMBER=1
+ export BUILDKITE_JOB_ID=1111
+ export BUILDKITE_PIPELINE_SLUG=test
+
+ export BUILDKITE_PLUGIN_DOCKER_COMPOSE_BUILD=myservice
+ export BUILDKITE_PLUGIN_DOCKER_COMPOSE_SECRETS_0='id=test,file=~/.test'
+ export BUILDKITE_PLUGIN_DOCKER_COMPOSE_SECRETS_1='id=SECRET_VAR'
+
+ stub docker \
+ "compose -f docker-compose.yml -p buildkite1111 -f docker-compose.buildkite-1-override.yml build --pull --secret \* --secret \* \* : echo built \${14} with secrets \${11} and \${13}"
+
+ run "$PWD"/hooks/command
+
+ assert_success
+ assert_output --partial "built myservice"
+ assert_output --partial "with secrets id=test,file=~/.test and id=SECRET_VAR"
+ unstub docker
 }
\ No newline at end of file

From c309f541d39b5e4ab38c6efa766cbaf914f8b958 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C3=ADas=20A=2E=20Bellone?=
Date: Sat, 12 Nov 2022 00:56:22 -0300
Subject: [PATCH 4/5] Added documentation for new option (and corrected ordering

---
 README.md | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/README.md b/README.md
index 48b6d5e0..eb5dbbe1 100644
--- a/README.md
+++ b/README.md
@@ -614,14 +614,6 @@ The default is `on-error`.
 If set to `2`, plugin will use `docker compose` to execute commands; otherwise it will default to version `1` using `docker-compose` instead.
-## Developing
-
-To run the tests:
-
-```bash
-docker-compose run --rm tests bats tests tests/v2
-```
-
 ### `buildkit` (optional, build only, boolean)
 Assuming you have a compatible docker installation and configuration in the agent, activating this option would setup the environment for the `docker-compose build` call to use BuildKit. Note that if you are using `cli-version` 2, you are already using buildkit by default.
@@ -632,6 +624,18 @@ You may want to also add `BUILDKIT_INLINE_CACHE=1` to your build arguments (`arg When enabled, it will add the `--ssh` option to the build command. Note that it assumes you have a compatible docker installation and configuration in the agent (meaning you are using BuildKit and it is correctly setup). +### `secrets` (optional, build only, array of strings) + +All elements in this array will be passed literally to the `build` command as parameters of the [`--secrets` option](https://docs.docker.com/engine/reference/commandline/buildx_build/#secret). Note that you must have BuildKit enabled for this option to have any effect and special `RUN` stanzas in your Dockerfile to actually make use of them. + +## Developing + +To run the tests: + +```bash +docker-compose run --rm tests bats tests tests/v2 +``` + ## License MIT (see [LICENSE](LICENSE)) From 57a4b0110079dcc980658864513cc18a2cb37ee5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mat=C3=ADas=20A=2E=20Bellone?= Date: Sat, 12 Nov 2022 00:57:29 -0300 Subject: [PATCH 5/5] Updated version for upcoming release --- README.md | 54 +++++++++++++++++++++++++++--------------------------- 1 file changed, 27 insertions(+), 27 deletions(-) diff --git a/README.md b/README.md index eb5dbbe1..f7793529 100644 --- a/README.md +++ b/README.md @@ -15,7 +15,7 @@ The following pipeline will run `test.sh` inside a `app` service container using steps: - command: test.sh plugins: - - docker-compose#v4.5.0: + - docker-compose#v4.6.0: run: app ``` @@ -28,7 +28,7 @@ through if you need: steps: - command: test.sh plugins: - - docker-compose#v4.5.0: + - docker-compose#v4.6.0: run: app config: docker-compose.tests.yml env: @@ -41,7 +41,7 @@ or multiple config files: steps: - command: test.sh plugins: - - docker-compose#v4.5.0: + - docker-compose#v4.6.0: run: app config: - docker-compose.yml @@ -56,7 +56,7 @@ env: steps: - command: test.sh plugins: - - docker-compose#v4.5.0: + - docker-compose#v4.6.0: run: app ``` 
@@ -65,7 +65,7 @@ If you want to control how your command is passed to docker-compose, you can use ```yml steps: - plugins: - - docker-compose#v4.5.0: + - docker-compose#v4.6.0: run: app command: ["custom", "command", "values"] ``` @@ -79,7 +79,7 @@ steps: - plugins: - docker-login#v2.0.1: username: xyz - - docker-compose#v4.5.0: + - docker-compose#v4.6.0: build: app image-repository: index.docker.io/myorg/myrepo - wait @@ -87,7 +87,7 @@ steps: plugins: - docker-login#v2.0.1: username: xyz - - docker-compose#v4.5.0: + - docker-compose#v4.6.0: run: app ``` @@ -104,7 +104,7 @@ steps: - command: generate-dist.sh artifact_paths: "dist/*" plugins: - - docker-compose#v4.5.0: + - docker-compose#v4.6.0: run: app ``` @@ -122,7 +122,7 @@ steps: - command: generate-dist.sh artifact_paths: "dist/*" plugins: - - docker-compose#v4.5.0: + - docker-compose#v4.6.0: run: app volumes: - "./dist:/app/dist" @@ -146,7 +146,7 @@ this plugin offers a `environment` block of its own: steps: - command: generate-dist.sh plugins: - - docker-compose#v4.5.0: + - docker-compose#v4.6.0: run: app env: - BUILDKITE_BUILD_NUMBER @@ -164,7 +164,7 @@ Alternatively, you can have the plugin add all environment variables defined for steps: - command: use-vars.sh plugins: - - docker-compose#v4.5.0: + - docker-compose#v4.6.0: run: app propagate-environment: true ``` @@ -179,7 +179,7 @@ Alternatively, if you want to set build arguments when pre-building an image, th steps: - command: generate-dist.sh plugins: - - docker-compose#v4.5.0: + - docker-compose#v4.6.0: build: app image-repository: index.docker.io/myorg/myrepo args: @@ -196,7 +196,7 @@ If you have multiple steps that use the same service/image (such as steps that r steps: - label: ":docker: Build" plugins: - - docker-compose#v4.5.0: + - docker-compose#v4.6.0: build: app image-repository: index.docker.io/myorg/myrepo @@ -206,7 +206,7 @@ steps: command: test.sh parallelism: 25 plugins: - - docker-compose#v4.5.0: + - docker-compose#v4.6.0: run: app ``` 
@@ -222,7 +222,7 @@ steps: agents: queue: docker-builder plugins: - - docker-compose#v4.5.0: + - docker-compose#v4.6.0: build: - app - tests @@ -234,7 +234,7 @@ steps: command: test.sh parallelism: 25 plugins: - - docker-compose#v4.5.0: + - docker-compose#v4.6.0: run: tests ``` @@ -246,7 +246,7 @@ If you want to push your Docker images ready for deployment, you can use the `pu steps: - label: ":docker: Push" plugins: - - docker-compose#v4.5.0: + - docker-compose#v4.6.0: push: app ``` @@ -256,7 +256,7 @@ To push multiple images, you can use a list: steps: - label: ":docker: Push" plugins: - - docker-compose#v4.5.0: + - docker-compose#v4.6.0: push: - first-service - second-service @@ -268,7 +268,7 @@ If you want to push to a specific location (that's not defined as the `image` in steps: - label: ":docker: Push" plugins: - - docker-compose#v4.5.0: + - docker-compose#v4.6.0: push: - app:index.docker.io/myorg/myrepo/myapp - app:index.docker.io/myorg/myrepo/myapp:latest @@ -282,14 +282,14 @@ A newly spawned agent won't contain any of the docker caches for the first run w steps: - label: ":docker: Build an image" plugins: - - docker-compose#v4.5.0: + - docker-compose#v4.6.0: build: app image-repository: index.docker.io/myorg/myrepo cache-from: app:index.docker.io/myorg/myrepo/myapp:latest - wait - label: ":docker: Push to final repository" plugins: - - docker-compose#v4.5.0: + - docker-compose#v4.6.0: push: - app:index.docker.io/myorg/myrepo/myapp - app:index.docker.io/myorg/myrepo/myapp:latest @@ -303,7 +303,7 @@ This plugin allows for the value of `cache-from` to be a string or a list. If it steps: - label: ":docker Build an image" plugins: - - docker-compose#v4.5.0: + - docker-compose#v4.6.0: build: app image-repository: index.docker.io/myorg/myrepo cache-from: 
@@ -312,7 +312,7 @@ steps: - wait - label: ":docker: Push to final repository" plugins: - - docker-compose#v4.5.0: + - docker-compose#v4.6.0: push: - app:index.docker.io/myorg/myrepo/myapp - app:index.docker.io/myorg/myrepo/myapp:my-branch @@ -326,7 +326,7 @@ Adding a grouping tag to the end of a cache-from list item allows this plugin to steps: - label: ":docker: Build Intermediate Image" plugins: - - docker-compose#v4.5.0: + - docker-compose#v4.6.0: build: myservice_intermediate # docker-compose.yml is the same as myservice but has `target: intermediate` image-name: buildkite-build-${BUILDKITE_BUILD_NUMBER} image-repository: index.docker.io/myorg/myrepo/myservice_intermediate @@ -336,7 +336,7 @@ steps: - wait - label: ":docker: Build Final Image" plugins: - - docker-compose#v4.5.0: + - docker-compose#v4.6.0: build: myservice image-name: buildkite-build-${BUILDKITE_BUILD_NUMBER} image-repository: index.docker.io/myorg/myrepo @@ -380,7 +380,7 @@ A basic pipeline similar to the following: steps: - label: ":docker: Run & Push" plugins: - - docker-compose#v4.5.0: + - docker-compose#v4.6.0: run: myservice push: myservice ``` @@ -395,7 +395,7 @@ A basic pipeline similar to the following: steps: - label: ":docker: Build & Push" plugins: - - docker-compose#v4.5.0: + - docker-compose#v4.6.0: build: myservice push: myservice ```