-
Notifications
You must be signed in to change notification settings - Fork 257
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add "build.secrets" field to devcontainer.json
#4841
Comments
I would like to support it but with one reservation: if the devcontainer.json will be published in a repository secret will be available in the boilerplate form unlike in the Docker image. Their secrets are encoded. It is a problem with buildkit too. Other Image builders prefer to attach secrets to containers in a very tricky way, as separate artifacts, to separate them from the published code. |
I don't think I'm following. If somebody wants |
I'm testing Podman 3.1 on WSL and found that the implementation of such a feature is feasible and even easy. Podman, unlike Docker supports secrets out-of-the-box with no pre-requisites like builglit or swarm. |
@NathanDeMaria Could you give an example of what this might look like? |
I can give an example:
Eg, for a project using
This is also how we inject creds in our CI pipeline, so we're not looking to change our build process to accommodate editor nuances, as this way leaves no trace of the credentials in the docker image (as opposed to passing them as We can already generate the temporary credentials file and remove it with the To be honest, a more flexible approach would not be to add |
I am trying to achieve something similar in one of my use cases of making codespaces usable for my team. Can you please give an idea of if you are generating the tokens on fly in the I tried adding secrets in codespaces secret in my user account. They are available in terminal but if I pass them as docker args, they arent available. |
This is slightly orthogonal to the actual problem here, but we are generating the tokens on the fly in We have a custom in house tool that authenticates to JFrog via SAML. The tool prompts users on the command line for username/password/2fa that allows them to authenticate to an on-prem Shibboleth Identity Provider. Once authenticated to JFrog, it uses their token service to generate a temporary access token. In vscode, I believe that prompt appears in the console. We are using containers, we aren't using codespaces, if that makes a difference. I'm not sure that it would, |
did anybody manage to get |
We have the exact same workflow with Gitlab and need a solution. |
We're in the same situation, we use buildkit to inject secrets for private Python packages, having a different build process just for running containers locally isn't ideal. |
Would be great to have working support for |
@blacktaxi I ended up using "runArgs" in the devcontainer.json file, it seems to be working well so far. https://code.visualstudio.com/docs/remote/devcontainerjson-reference |
That's great, thanks for sharing @DougPlumley. I wonder if it's possible to do the same while building the dev container image? I'm trying to install packages from local repository as part of the image. |
@blacktaxi based on my limited experience with the devcontainer and how I'm using it I felt comfortable including my secrets in the environment since I'm not building to publish the image and I'm only using the devcontainter locally. I have a separate Dockerfile for building the image we'd use in production. So for the Python development I'm doing for example I'm providing a PIP_EXTRA_INDEX_URL environment variable with the necessary details to install from a local package index. |
@DougPlumley Just a small warning, offtopic: be very careful with |
Appreciate the warning @maciek16180! I'll look into alternative methods as well. |
i was happy to find this thread, and disappointed that it's still an open issue. anybody managed to find a workaround? |
I opted to use "runArgs": ["--env-file=.env"] in my .devcontainer.json configuration, that's where I'm mounting the secrets into the running container (not during build), I then trigger a shell script post create with "postCreateCommand": "/bin/bash -c .devcontainer/postCreateCommand.sh" that's installing my remaining dependencies which need the secrets to access private repositories. |
The workaround we've been using is:
It mostly feels the same to a user as the ideal workflow, the only real difference we've noticed is the error is displayed a bit differently if the image build fails |
Thank you @NathanDeMaria, after reading your comment here I took the same approach (although we're not using Specifying |
Would really like --secrets to be able to be implemented. Or addition docker build command line arguments in a json/ dict style arguments inside the devcontainer.json file. Currently just using the command line outside and keeping the --secret layer early in the build so most changes allow the docker image to build once and the later layers changes can be done natively from vs code extension. This won't work as a solution for codespaces but good for local development environment. Posted on github for anyone that wants it. |
I found another nice workaround: use a Note: VS Code uses |
This thread has been stale for a while, but thought I would share another solution that I landed on after trying a few suggested in this thread. Maybe help the next person out. The devcontainer.json:
Dockerfile:
|
I'd like a way to use build secrets BuildKit's
--secret
in remote containers. Seemingly straightforward implementation: add a field forsecrets
underneathbuild
indevcontainer.json
(list of strings), and map each entry in that list to a--secret
arg whenever thedocker build
command gets createdThis is related to #1409, but that's not required (if users have some other way to make sure they're using BuildKit, this feature could be independently useful).
The text was updated successfully, but these errors were encountered: