Referencing Secrets in a Containerfile

Sometimes a build needs a secret while the Containerfile is being processed, for example cryptographic parameters that must be available to a build step but must not be baked into the resulting image. The ADDITIONAL_SECRET parameter of the build task makes such a secret available to the Containerfile as a secret mount, so a RUN instruction can read the value from a file that exists only for the duration of that instruction and is never written to an image layer. For details, see the buildah-oci-ta task documentation.

Procedure
  1. Create the secret (see Creating task input secrets). Each key of the secret becomes a separate file in the build. In this example, we create a secret with SALT and KEY_HASH keys. Values under data must be base64-encoded; to supply them in plain text, as here, use stringData instead:

    kind: Secret
    apiVersion: v1
    metadata:
      name: <your_secret_name>
      namespace: <your_workspace_tenant>
    stringData:
      SALT: <your_salt_value>
      KEY_HASH: <your_key_hash_value>
    type: Opaque
  2. In the build-container task of your Tekton pipeline, set the value of the ADDITIONAL_SECRET parameter to <your_secret_name>:

    # ...
      tasks:
        - name: build-container
          params:
            - name: ADDITIONAL_SECRET
              value: <your_secret_name>
    # ...
  3. In the Containerfile, mount the secret's keys in a RUN instruction. Each key is mounted as a file under /run/secrets/<your_secret_name>/ and is readable only while that RUN instruction executes. In this example, we read the mounted files into environment variables for cargo build. Assign the variables first and export them afterwards: the exit status of an assignment is that of its command substitution, so the && chain stops if a file is missing, instead of building with an empty value (export VAR="$(cat ...)" would succeed even when cat fails):

    # Build with secrets: the values exist only inside this RUN instruction
    RUN --mount=type=secret,id=<your_secret_name>/SALT \
        --mount=type=secret,id=<your_secret_name>/KEY_HASH \
        SALT="$(cat /run/secrets/<your_secret_name>/SALT)" && \
        KEY_HASH="$(cat /run/secrets/<your_secret_name>/KEY_HASH)" && \
        export SALT KEY_HASH && \
        cargo build --release

Only RUN instructions can mount secrets. Do not copy a mounted secret file into the image filesystem, place its value in an ENV or ARG instruction, or echo it in build output: anything that leaves the secret mount is committed to an image layer or the build log and is no longer secret.
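The following shell script is an added example, not code from the Konflux documentation or the buildah-oci-ta task. It shows the logic a RUN instruction should apply when consuming secrets mounted under /run/secrets/<secret_name>/<key>: fail the build step when a key is not mounted or is empty, and hand the values to the build command only for that command's lifetime. The function names, the SECRETS_ROOT override (so the same functions can be exercised outside a container build) and the idea of shipping the script in the build context are assumptions of this example.

```shell
#!/bin/sh
# Added example: helper functions for reading build secrets mounted by
# --mount=type=secret,id=<secret_name>/<key>. Not part of the Konflux docs
# or the buildah-oci-ta task.
#
# SECRETS_ROOT is an assumed knob; inside a real build it is /run/secrets.
SECRETS_ROOT="${SECRETS_ROOT:-/run/secrets}"

# read_build_secret NAME KEY
# Prints the content of $SECRETS_ROOT/NAME/KEY. Returns non-zero when the
# file is missing or empty, so a caller that chains with && or || stops
# instead of continuing with an empty value.
read_build_secret() {
    path="$SECRETS_ROOT/$1/$2"
    if [ ! -r "$path" ]; then
        echo "secret $1/$2 is not mounted at $path" >&2
        return 1
    fi
    if [ ! -s "$path" ]; then
        echo "secret $1/$2 is empty" >&2
        return 1
    fi
    cat "$path"
}

# run_with_secrets NAME CMD...
# Reads SALT and KEY_HASH from the mounted secret NAME and runs CMD with
# them in its environment only. The values are never passed to ENV, never
# written to the filesystem, and never printed, so they do not end up in
# an image layer or the build log.
run_with_secrets() {
    name="$1"; shift
    # An assignment's exit status is that of its command substitution.
    SALT="$(read_build_secret "$name" SALT)" || return 1
    KEY_HASH="$(read_build_secret "$name" KEY_HASH)" || return 1
    SALT="$SALT" KEY_HASH="$KEY_HASH" "$@"
}

# Assumed usage inside a Containerfile, with this file copied into the
# build context as build-secrets.sh (hypothetical file name):
#   RUN --mount=type=secret,id=<your_secret_name>/SALT \
#       --mount=type=secret,id=<your_secret_name>/KEY_HASH \
#       . ./build-secrets.sh && \
#       run_with_secrets <your_secret_name> cargo build --release
```

Because the secret values are passed as an environment prefix to the single command, they are gone as soon as cargo build exits; nothing else in the layer being committed ever saw them.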