Docker Build Secrets

Squash supports the native Docker Secrets functionality. This allows keeping any sensitive environment variables out of the Docker image. Using this feature is simple and requires just a few steps that need to be added within the Squash YAML file.

  • The build_options field is required and the --secrets flag must be present.
    • Example: build_options: --no-cache --secret id=sqenv,env=MYSECRET
      • id argument: you can use any value, this will also be used within a Dockerfile to access the secret value
      • env argument: this is the name of an environment variable defined in Squash (more info below). This is the actual value of the secret. Do not use the symbol “$” to reference the variable name in this field.
  • The environment field is required, this is where we will be adding a few important env variables.
    • DOCKER_BUILDKIT=1 
      • This will enable Docker’s Buildkit, which is required in order to use the secrets functionality.
    • You will also need to define an environment variable to be used as the secret. The name of this environment variable needs to match the name used within the “build_options” field. In the example above we are using an env variable named MYSECRET.
    • For more information go to: defining env variables in Squash.
  • Lastly, make sure to add this line at the top (it must be the very first line) of any Dockerfile where you plan to access the secrets:
    • # syntax=docker/dockerfile:1.2

 

Squash YAML file example

deployments:
  AcmeApp:
    filename: ./src/Dockerfile
    context_path: ./src
    build_options: --no-cache --secret id=sqenv,env=MYSECRET
    port_forwarding: 80:80
    environment:
      - DOCKER_BUILDKIT=1
      - MYSECRET=$MYSECRET

Note that the correct way to reference the environment variable name in build_options is as described in the example above and without the “$” symbol.

Dockerfile example

# syntax=docker/dockerfile:1.2
FROM python:3.6.1-onbuild

COPY . /usr/src/app
# shows secret from default secret location:
RUN --mount=type=secret,id=sqenv cat /run/secrets/sqenv

CMD ["bash", "run_server.sh"]

 

Example project

This is a sample project using Docker secrets, it has been tested successfully in Squash.

https://github.com/SquashLabsInc/docker-secrets

 

Defining environment variables in Squash

See environment variables.