Docker Build Secrets
Squash supports Docker's native build secrets functionality. This keeps sensitive values out of the Docker image: the secret is mounted only for the duration of a single RUN step instead of being written into an image layer. Using the feature requires only a few additions to the Squash YAML file and one line in the Dockerfile.
- The build_options field is required and the --secret flag must be present:
  build_options: --no-cache --secret id=sqenv,env=MYSECRET
  - id argument: any value you choose; the same id is used within the Dockerfile to access the secret value.
  - env argument: the name of an environment variable defined in Squash (more info below), which holds the actual secret value. Do not use the “$” symbol to reference the variable name in this field.
- The environment field is required; this is where a few important env variables are added:
  - DOCKER_BUILDKIT=1: this enables Docker’s BuildKit, which is required in order to use the secrets functionality.
  - You will also need to define an environment variable to hold the secret. Its name must match the name used in the env argument of the build_options field; in the example above that variable is named MYSECRET.
  - For more information go to: defining env variables in Squash.
- Lastly, make sure the following line is the very first line of any Dockerfile where you plan to access the secrets:
  # syntax=docker/dockerfile:1.2
Squash YAML file example
deployments:
  AcmeApp:
    filename: ./src/Dockerfile
    context_path: ./src
    build_options: --no-cache --secret id=sqenv,env=MYSECRET
    port_forwarding: 80:80
    environment:
      - DOCKER_BUILDKIT=1
      - MYSECRET=$MYSECRET
Note that in build_options the environment variable is referenced by its name only, without the “$” symbol, exactly as in the example above.
Dockerfile example
# syntax=docker/dockerfile:1.2
FROM python:3.6.1-onbuild
COPY . /usr/src/app
# shows secret from default secret location
# (for demonstration only: cat prints the value into the build log)
RUN --mount=type=secret,id=sqenv cat /run/secrets/sqenv
CMD ["bash", "run_server.sh"]
This is a sample project using Docker secrets; it has been tested successfully in Squash.
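The pieces above have to agree with each other: the env named in --secret must exist in the environment field and carry no “$”, DOCKER_BUILDKIT=1 must be set, the Dockerfile must start with the syntax directive, and its --mount ids must match the declared ones. The following checker, an added example that is not part of Squash or this page, takes a deployment entry (already parsed into a dict) plus the Dockerfile text and reports every mismatch; it also flags ARG/ENV lines that would bake the secret into an image layer, which the page's approach is meant to avoid. The sample inputs are constructed to mirror the AcmeApp example.

```python
import re

SECRET_RE = re.compile(r"--secret\s+(\S+)")            # --secret id=...,env=...
MOUNT_RE = re.compile(r"--mount=type=secret,(\S+)")    # RUN --mount=type=secret,id=...

def parse_kv(spec):
    """'id=sqenv,env=MYSECRET' -> {'id': 'sqenv', 'env': 'MYSECRET'}."""
    return dict(part.split("=", 1) for part in spec.split(",") if "=" in part)

def check_build_secrets(deployment, dockerfile):
    """Return a list of problems; an empty list means the pieces agree."""
    problems = []
    env_entries = deployment.get("environment", [])
    env_names = {e.split("=", 1)[0] for e in env_entries}
    if "DOCKER_BUILDKIT=1" not in env_entries:
        problems.append("environment must contain DOCKER_BUILDKIT=1 (BuildKit is required)")
    secrets = [parse_kv(m) for m in SECRET_RE.findall(deployment.get("build_options", ""))]
    if not secrets:
        problems.append("build_options has no --secret flag")
    declared = {}  # secret id -> name of the Squash env variable holding its value
    for s in secrets:
        sid, env = s.get("id"), s.get("env", "")
        if not sid or not env:
            problems.append(f"--secret needs both id= and env=: {s}")
            continue
        declared[sid] = env.lstrip("$")
        if env.startswith("$"):
            problems.append(f"env={env}: name the variable without the '$' symbol")
        elif env not in env_names:
            problems.append(f"env={env} is not defined in the environment field")
    lines = dockerfile.strip().splitlines()
    if not lines or not lines[0].startswith("# syntax=docker/dockerfile:"):
        problems.append("Dockerfile must begin with the '# syntax=docker/dockerfile:...' line")
    for spec in MOUNT_RE.findall(dockerfile):
        if parse_kv(spec).get("id") not in declared:
            problems.append(f"Dockerfile mounts a secret that build_options does not declare: {spec}")
    for line in lines:  # ARG/ENV would bake the value into an image layer
        words = line.split()
        if words and words[0] in ("ARG", "ENV") and any(e in line for e in declared.values()):
            problems.append(f"{line!r} exposes the secret in the image; use --mount=type=secret")
    return problems

# Constructed sample inputs mirroring the page's AcmeApp deployment and Dockerfile.
GOOD = {"build_options": "--no-cache --secret id=sqenv,env=MYSECRET",
        "environment": ["DOCKER_BUILDKIT=1", "MYSECRET=$MYSECRET"]}
BAD = {"build_options": "--no-cache --secret id=sqenv,env=$MYSECRET",  # '$' and no BuildKit
       "environment": ["MYSECRET=$MYSECRET"]}
DOCKERFILE = ("# syntax=docker/dockerfile:1.2\nFROM python:3.6.1-onbuild\n"
              "RUN --mount=type=secret,id=sqenv cat /run/secrets/sqenv\n")
```

Running check_build_secrets(GOOD, DOCKERFILE) returns an empty list, while the BAD entry reports the missing DOCKER_BUILDKIT=1 and the stray “$”.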