How do I pass a secret to when building? I have this `Dockerfile`:

FROM python:3.8
...
COPY n20-*.whl .

RUN --mount=type=secret,id=pipconfig,dst=/etc/pip.conf \
    python -m pip install --no-cache-dir n20-*.whl

With this `BUILD`:

docker_image(
    name="n20",
    dependencies=["src/python/n20:wheel"],
    image_tags=["{build_args.BITBUCKET_BUILD_NUMBER}"],
    extra_build_args=["--secret id=pipconfig,src=pip.conf"],
    repository="recital/n20-dev",
)

The

pip.conf

is actually not there. Do I need to have a

file()

with

pip.conf

? If so, how exactly? Because I added that and it didn't work as well.

Ahh.. tricky that. The

extra_build_args

are for

--build-arg

options only.. there’s currently no generic

passthrough

args options for docker build.

so... can't go with this

Hmm.. unfortunate. Will fix asap.

thanks for the link, I'll subscribe

Thanks for running ice breaker on all missing features, much appreciated (I know how frustrating it can be to hit wall after wall)

dw, I don't feel frustrated

awesome 🙂

thanks for all the replies 😗 👍

WIP: https://github.com/pantsbuild/pants/pull/13830

what happens if BUILDKIT is not enabled?

Hopefully..? don’t know. that first line of help text is copy paste from

docker build --help

😛

it's on the buildroot yes

So it would be good if relative paths worked relative to the build file in which it was defined, I guess..

but the example/question was open to accept a solution with non-buildroot

I see.. yeah, I’d like this to work for both cases.

but this pip.conf would make sense on the buildroot

I’ll fix that.

cool

I’ve never used the

--secret

feature on docker build.. can you confirm that

--secret=id=name,src=/path/to/file

is OK? (so it doesn’t have to be

--secret id=name,…

(as two args, rather than one) Edit: nvm, it was easy enough to try locally…

Is

pip.conf

gitignored?

yes, but I removed the ignore statement to try this

Makes sense. You can have pants "see" it despite continuing to gitignore it by modifying pants_ignore (https://www.pantsbuild.org/docs/reference-global#section-pants-ignore)

how would I modify the

pants_ignore

to just allow a single file that is on the gitignore? 🤔

putting a file in

pants_ignore

with a

!

will re-include it

thank you for adding this feature @curved-television-6568! started using it yesterday and it's very useful. I see you went with making the secrets file path relative to the BUILD file. If I do want to include the secret at the root of my project (or a common location) instead, is there a way to reference the root of the pants project (eg. $PANTS_ROOT/.../secret.json)? My use case is that I have a common cloud API key that I'd like to pass as a secret through multiple Dockerfiles and not have to copy it to the subdirectories. thanks!

Hi! It can either be an absolute path or a relative path

hmm maybe I'm confused then, but is there an way to have it be an absolute path, but relative to the pants project root? to avoid having an absolute path from my home directory

Yeah, good point. I think we could introduce support for ”(buildroot)s/other/part/project/..” for that (with a syntax matching that from pants.toml

Or should we always make it relative to build root? Keep it simple. I wonder how common it is to have a secret specific to just a single Dockerfile and not shared with others.

True.. I’m thinking more of least surprise, as I would expect a relative path in a BUILD file to be relative to where it is defined.. the

"%(buildroot)s/…"

clearly tells me when that is not the case…

Maybe! That's how the source field works, but dependencies requires the full path

+1, file target dependencies behavior seems reasonable:

For files relative to the current BUILD file, prefix with ./; otherwise, put the full path, e.g. ['./sibling.txt', 'resources/demo.json'].

, assuming the full path is relative to the build root, but any of the suggested options sgtm 👍

PR submitted: https://github.com/pantsbuild/pants/pull/13914

awesome, thank you!! will try it out today