Support docker build --secret flag

Author: nkubala

docs/content/en/schemas/v2beta7.json

@@ -923,6 +923,11 @@
           "x-intellij-html-description": "used to pass in --no-cache to docker build to prevent caching.",
           "default": "false"
         },
+        "secret": {
+          "$ref": "#/definitions/DockerSecret",
+          "description": "contains information about a local secret passed to `docker build`, along with optional destination information.",
+          "x-intellij-html-description": "contains information about a local secret passed to <code>docker build</code>, along with optional destination information."
+        },
         "target": {
           "type": "string",
           "description": "Dockerfile target name to build.",
@@ -935,7 +940,8 @@
         "buildArgs",
         "network",
         "cacheFrom",
-        "noCache"
+        "noCache",
+        "secret"
       ],
       "additionalProperties": false,
       "description": "describes an artifact built from a Dockerfile, usually using `docker build`.",
@@ -962,6 +968,30 @@
       "description": "contains information about the docker `config.json` to mount.",
       "x-intellij-html-description": "contains information about the docker <code>config.json</code> to mount."
     },
+    "DockerSecret": {
+      "required": [
+        "id"
+      ],
+      "properties": {
+        "id": {
+          "type": "string",
+          "description": "id of the secret.",
+          "x-intellij-html-description": "id of the secret."
+        },
+        "src": {
+          "type": "string",
+          "description": "path to the secret on the host machine.",
+          "x-intellij-html-description": "path to the secret on the host machine."
+        }
+      },
+      "preferredOrder": [
+        "id",
+        "src"
+      ],
+      "additionalProperties": false,
+      "description": "contains information about a local secret passed to `docker build`, along with optional destination information.",
+      "x-intellij-html-description": "contains information about a local secret passed to <code>docker build</code>, along with optional destination information."
+    },
     "DockerfileDependency": {
       "properties": {
         "buildArgs": {

hack/schemas/main.go

@@ -264,8 +264,11 @@ func (g *schemaGenerator) newDefinition(name string, t ast.Expr, comment string,
 	}
 
 	if g.strict && name != "" {
+		if comment == "" {
+			panic(fmt.Sprintf("field %s needs comment (all public fields require comments)", name))
+		}
 		if !strings.HasPrefix(comment, name+" ") {
-			panic(fmt.Sprintf("comment should start with field name on field %s", name))
+			panic(fmt.Sprintf("comment %s should start with field name on field %s", comment, name))
 		}
 	}
 

integration/testdata/build/secret/Dockerfile

@@ -0,0 +1,5 @@
+# syntax=docker/dockerfile:1.0.0-experimental
+
+FROM alpine:3.10
+
+RUN --mount=type=secret,id=mysecret cat /run/secrets/mysecret

integration/testdata/build/secret/mysecret.txt

@@ -0,0 +1 @@
+secret

integration/testdata/build/skaffold.yaml

@@ -2,6 +2,7 @@ apiVersion: skaffold/v2beta7
 kind: Config
 build:
   local:
+    useBuildkit: true
     push: false
   artifacts:
     # A simple Docker build
@@ -38,3 +39,10 @@ build:
     # Would have caught #2315
   - image: multi-stage
     context: multi-stage
+
+  - image: secret
+    context: secret
+    docker:
+      secret:
+        id: mysecret
+        src: secret/mysecret.txt

pkg/skaffold/docker/image.go

@@ -160,6 +160,10 @@ func (l *localDaemon) ConfigFile(ctx context.Context, image string) (*v1.ConfigF
 func (l *localDaemon) Build(ctx context.Context, out io.Writer, workspace string, a *latest.DockerArtifact, ref string, mode config.RunMode) (string, error) {
 	logrus.Debugf("Running docker build: context: %s, dockerfile: %s", workspace, a.DockerfilePath)
 
+	if a.Secret != nil {
+		return "", fmt.Errorf("docker build secrets require BuildKit - set `useBuildkit: true` in your config, or run with `DOCKER_BUILDKIT=1`")
+	}
+
 	// Like `docker build`, we ignore the errors
 	// See https://github.com/docker/cli/blob/75c1bb1f33d7cedbaf48404597d5bf9818199480/cli/command/image/build.go#L364
 	authConfigs, _ := DefaultAuthHelper.GetAllAuthConfigs()
@@ -462,6 +466,14 @@ func ToCLIBuildArgs(a *latest.DockerArtifact, evaluatedArgs map[string]*string)
 		args = append(args, "--no-cache")
 	}
 
+	if a.Secret != nil {
+		secretString := fmt.Sprintf("id=%s", a.Secret.ID)
+		if a.Secret.Source != "" {
+			secretString += ",src=" + a.Secret.Source
+		}
+		args = append(args, "--secret", secretString)
+	}
+
 	return args, nil
 }
 

pkg/skaffold/docker/image_test.go

@@ -312,6 +312,16 @@ func TestGetBuildArgs(t *testing.T) {
 			},
 			want: []string{"--no-cache"},
 		},
+		{
+			description: "secret",
+			artifact: &latest.DockerArtifact{
+				Secret: &latest.DockerSecret{
+					ID:     "mysecret",
+					Source: "foo.bar",
+				},
+			},
+			want: []string{"--secret", "id=mysecret,src=foo.bar"},
+		},
 		{
 			description: "all",
 			artifact: &latest.DockerArtifact{

pkg/skaffold/schema/latest/config.go

@@ -964,6 +964,20 @@ type DockerArtifact struct {
 
 	// NoCache used to pass in --no-cache to docker build to prevent caching.
 	NoCache bool `yaml:"noCache,omitempty"`
+
+	// Secret contains information about a local secret passed to `docker build`,
+	// along with optional destination information.
+	Secret *DockerSecret `yaml:"secret,omitempty"`
+}
+
+// DockerSecret contains information about a local secret passed to `docker build`,
+// along with optional destination information.
+type DockerSecret struct {
+	// ID is the id of the secret.
+	ID string `yaml:"id,omitempty" yamltags:"required"`
+
+	// Source is the path to the secret on the host machine.
+	Source string `yaml:"src,omitempty"`
 }
 
 // BazelArtifact describes an artifact built with [Bazel](https://bazel.build/).