feat(build/docker): support env as secret source (#6632)

Used in buildkit mode, allow users to specify secrets provided via env vars to
Skaffold (and hence docker/buildkit) in addition to file sources ("src").

I am setting "src" and "env" as mutually exclusive here in skaffold, however
docker currently does not enforce this (but "env" takes precedence regardless
of the order if both specified).

If we receive issues about this, we can relax
it in a backwards-compatible way.

Signed-off-by: Ahmet Alp Balkan <[email protected]>

Author: ahmetb

docs/content/en/schemas/v2beta24.json

@@ -1454,6 +1454,11 @@
         "id"
       ],
       "properties": {
+        "env": {
+          "type": "string",
+          "description": "environment variable name containing the secret value.",
+          "x-intellij-html-description": "environment variable name containing the secret value."
+        },
         "id": {
           "type": "string",
           "description": "id of the secret.",
@@ -1467,7 +1472,8 @@
       },
       "preferredOrder": [
         "id",
-        "src"
+        "src",
+        "env"
       ],
       "additionalProperties": false,
       "type": "object",

pkg/skaffold/docker/image.go

@@ -642,6 +642,9 @@ func ToCLIBuildArgs(a *latestV1.DockerArtifact, evaluatedArgs map[string]*string
 		if secret.Source != "" {
 			secretString += ",src=" + secret.Source
 		}
+		if secret.Env != "" {
+			secretString += ",env=" + secret.Env
+		}
 		args = append(args, "--secret", secretString)
 	}
 

pkg/skaffold/docker/image_test.go

@@ -353,14 +353,23 @@ func TestGetBuildArgs(t *testing.T) {
 			want: []string{"--secret", "id=mysecret"},
 		},
 		{
-			description: "secret with source",
+			description: "secret with file source",
 			artifact: &latestV1.DockerArtifact{
 				Secrets: []*latestV1.DockerSecret{
 					{ID: "mysecret", Source: "foo.src"},
 				},
 			},
 			want: []string{"--secret", "id=mysecret,src=foo.src"},
 		},
+		{
+			description: "secret with env source",
+			artifact: &latestV1.DockerArtifact{
+				Secrets: []*latestV1.DockerSecret{
+					{ID: "mysecret", Env: "FOO"},
+				},
+			},
+			want: []string{"--secret", "id=mysecret,env=FOO"},
+		},
 		{
 			description: "multiple secrets",
 			artifact: &latestV1.DockerArtifact{

pkg/skaffold/schema/latest/v1/config.go

@@ -1315,7 +1315,10 @@ type DockerSecret struct {
 	ID string `yaml:"id,omitempty" yamltags:"required"`
 
 	// Source is the path to the secret on the host machine.
-	Source string `yaml:"src,omitempty"`
+	Source string `yaml:"src,omitempty" yamltags:"oneOf=secretSource"`
+
+	// Env is the environment variable name containing the secret value.
+	Env string `yaml:"env,omitempty" yamltags:"oneOf=secretSource"`
 }
 
 // BazelArtifact describes an artifact built with [Bazel](https://bazel.build/).