
bake secrets are ignored from transitive targets #3056

Open
3 tasks done
jonapich opened this issue Mar 11, 2025 · 2 comments · May be fixed by moby/buildkit#5833
Assignees
Labels
area/bake kind/bug Something isn't working

Comments

@jonapich
Contributor

Contributing guidelines

I've found a bug and checked that ...

  • ... the documentation does not mention anything about my problem
  • ... there are no open or closed issues that are related to my problem

Description

When using secret = [] on a transitive target, the secret is not loaded into the build.

I don't have a short example handy, but in a nutshell:

target "download-artifacts" {
  secret = [
    { type = "env", id = "GITHUB_SECRET" }
  ]
}

target "app" {
  contexts = {
    artifacts = "target:download-artifacts"
  }
}

Calling docker buildx bake app will try to build the download-artifacts target without mounting the secret, causing my download script to complain about the lack of token.

On the other hand, calling docker buildx bake download-artifacts works, and once in the cache, I can docker buildx bake app again and it will work.

I am using remote kubernetes builders.

Please let me know if you need a minimal example to reproduce the issue.

Expected behaviour

Secrets in transitive targets should work just like that.

Actual behaviour

Secrets in transitive targets are blank until the target is built directly.

Buildx version

github.com/docker/buildx v0.20.1-desktop.2 aaf7c2bc7f9ec3afee1cec77d671845a4b57a0c8

Docker info


Builders list

NAME/NODE                           DRIVER/ENDPOINT                                                                                                                                                                                        STATUS    BUILDKIT   PLATFORMS
buildx-jpiche-wks002757*            kubernetes
 \_ buildx-jpiche-wks002757-amd64    \_ kubernetes:///buildx-jpiche-wks002757?deployment=buildx-jpiche-wks002757-amd64&kubeconfig=C%3A%5CUsers%5Cjpiche%5CAppData%5CLocal%5CTemp%5Ck8s_builder_kubeconfig8_32pznn%5Ctemp_kubeconfig.yaml   running   v0.20.1    linux/amd64*  
 \_ buildx-jpiche-wks002757-arm64    \_ kubernetes:///buildx-jpiche-wks002757?deployment=buildx-jpiche-wks002757-arm64&kubeconfig=C%3A%5CUsers%5Cjpiche%5CAppData%5CLocal%5CTemp%5Ck8s_builder_kubeconfig8_32pznn%5Ctemp_kubeconfig.yaml   running   v0.20.1    linux/arm64*  
default                             docker
 \_ default                          \_ default                                                                                                                                                                                            running   v0.18.2    linux/amd64 (+3), linux/arm64, linux/arm (+2), linux/ppc64le, (2 more)
desktop-linux                       docker
 \_ desktop-linux                    \_ desktop-linux                                                                                                                                                                                      running   v0.18.2    linux/amd64 (+3), linux/arm64, linux/arm (+2), linux/ppc64le, (2 more)

Configuration

target "download-artifacts" {
  secret = [
    { type = "env", id = "GITHUB_SECRET" }
  ]
}

target "app" {
  contexts = {
    artifacts = "target:download-artifacts"
  }
}

docker buildx bake app will not work; the download-artifacts target will fail.

docker buildx bake download-artifacts works. Once it's built, docker buildx bake app works.

Build logs


Additional info

No response

@crazy-max
Member

crazy-max commented Mar 11, 2025

Thanks for your report, I was able to repro:

FROM busybox
RUN --mount=type=secret,id=GITHUB_SECRET,env=GITHUB_SECRET env|sort

$ GITHUB_SECRET=foo docker buildx bake --no-cache download-artifacts
...
#6 [stage-0 2/2] RUN --mount=type=secret,id=GITHUB_SECRET,env=GITHUB_SECRET env|sort
#6 0.253 GITHUB_SECRET=foo
#6 0.253 HOME=/root
#6 0.253 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
#6 0.253 PWD=/
#6 0.253 SHLVL=1
#6 DONE 0.3s
$ GITHUB_SECRET=foo docker buildx bake --no-cache app
...
#6 [app stage-0 2/2] RUN --mount=type=secret,id=GITHUB_SECRET,env=GITHUB_SECRET env|sort
#6 0.277 GITHUB_SECRET=
#6 0.277 HOME=/root
#6 0.277 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
#6 0.277 PWD=/
#6 0.277 SHLVL=1
#6 DONE 0.3s

So yes, when called through a named context, the env gets lost.

But if using secret file it works:

target "download-artifacts" {
  secret = [
    { type = "file", id = "GITHUB_SECRET", src = "secret.txt" }
  ]
}

target "app" {
  contexts = {
    artifacts = "target:download-artifacts"
  }
}

$ echo -n "foo" > secret.txt
$ docker buildx bake --no-cache app
...
#6 [download-artifacts stage-0 2/2] RUN --mount=type=secret,id=GITHUB_SECRET,env=GITHUB_SECRET env|sort
#6 0.295 GITHUB_SECRET=foo
#6 0.295 HOME=/root
#6 0.295 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
#6 0.295 PWD=/
#6 0.295 SHLVL=1
#6 DONE 0.3s

@crazy-max crazy-max added kind/bug Something isn't working area/bake and removed status/triage labels Mar 11, 2025
@tonistiigi tonistiigi self-assigned this Mar 11, 2025
@tonistiigi
Member

patch moby/buildkit#5833

> But if using secret file it works:

This is not correct. It works when mounting the secret as a file in the Dockerfile. If the Dockerfile RUN exposed the secret as env (+ bake target build-context), then it was random whether the secret was set or not. But it doesn't matter whether the secret in bake was defined based on a file or based on env.
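An added example, not from the issue or from buildx/buildkit: a small POSIX sh helper that a Dockerfile RUN step can call so the build fails fast when the mounted secret arrives empty (the `GITHUB_SECRET=` symptom in the repro above), rather than letting a download script run with a blank token. It prefers the file mount at /run/secrets/<id>, the form the maintainer notes works reliably, and falls back to the env exposure; the function name, the default mount path and the download script are assumptions.

```shell
#!/bin/sh
# Added example; not part of the issue or of buildx/buildkit.
# require_secret ID [FILE]
#   Resolves a BuildKit secret by id: prefers the file mount (default
#   /run/secrets/ID, which worked reliably in the thread), falls back to
#   the env exposure (--mount=type=secret,...,env=ID), and fails with a
#   clear message when neither carries a non-empty value. The value is
#   written only to stdout for the caller, never to the build log.
require_secret() {
  id="$1"
  file="${2:-/run/secrets/$id}"
  value=""
  if [ -s "$file" ]; then
    # File mount present and non-empty: read it.
    value=$(cat "$file")
  else
    # Fall back to the env exposure. eval is acceptable here because
    # $id is a fixed identifier written in the Dockerfile, not user input.
    eval "value=\${$id:-}"
  fi
  if [ -z "$value" ]; then
    echo "secret '$id' is empty or missing (file: $file); refusing to continue" >&2
    return 1
  fi
  printf '%s' "$value"
}

# Hypothetical use inside a Dockerfile RUN step (download.sh is assumed):
#   RUN --mount=type=secret,id=GITHUB_SECRET \
#       TOKEN=$(require_secret GITHUB_SECRET) && ./download.sh "$TOKEN"
```

The helper has to be available inside the build stage (for example copied in as a script) before the RUN step calls it.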
