Issue with Secrets in Docker Compose

Hi,
I’m struggling to get secrets correctly injected into webpack builds with my docker-compose setup.

I have a base image that builds all my applications and services. I build this in my okteto-pipeline.yml like so:

deploy:
  - okteto build -t okteto.dev/base . # base image that needs secrets
  - okteto build -t okteto.dev/react:${OKTETO_GIT_COMMIT} samples/reactjs-todo
  - okteto build -t okteto.dev/angular:${OKTETO_GIT_COMMIT} samples/angular-todo
  - okteto build -t okteto.dev/embedded-login:${OKTETO_GIT_COMMIT} samples/embedded-login
  - okteto build -t okteto.dev/central-login:${OKTETO_GIT_COMMIT} samples/central-login
  - okteto build -t okteto.dev/embedded-login:${OKTETO_GIT_COMMIT} samples/embedded-login
  - okteto stack deploy --build

I then define the ARG in the image like so:

ARG AM_URL
ARG API_URL
ARG DEBUGGER_OFF
ARG REALM_PATH
ARG JOURNEY_LOGIN

But my base image does not seem to get the secrets here from okteto. I have undefined values in my builds still. I must be missing a step but I thought ARG would be the correct way to derive secrets for builds that have to happen at the image build time.

I have also tried to reassign the variables as ENV from the ARG value to no luck.

This base image is not “directly” called in my docker-compose file, but it is consumed by the images that are called in my docker-compose file. Essentially I need the secrets from okteto to get built into this image by okteto, and then call my docker compose file for building/deploying.

If I use the envsubst command to populate an .env file, it seems to work best. This is what I’m using now, but maybe the above could be helpful for someone else.

Hi @ryanbas21,
In order to pass secrets to your build, you need to use the flag --build-arg AM_URL=${AM_URL}.
Also, I would recommend moving to the new okteto manifest, which has its own section for defining builds:

I’ve tried this and still can’t get it to work.

# The deploy section defines how to deploy your development environment
# More info: https://www.okteto.com/docs/reference/manifest/#deploy
deploy:
  compose:
    file: docker-compose.yml
  commands:
    - envsubst < .env.example > .env
    - okteto build -t okteto.dev/base:${OKTETO_GIT_COMMIT} --build-arg AM_URL=$AM_URL --build-arg DEBUGGER_OFF=$DEBUGGER_OFF --build-arg REALM_PATH=$REALM_PATH --build-arg JOURNEY_REGISTER=$JOURNEY_REGISTER --build-arg WEB_OAUTH_CLIENT=$WEB_OAUTH_CLIENT --build-arg REST_OAUTH_CLIENT=$REST_OAUTH_CLIENT --build-arg REST_OAUTH_SECRET=$REST_OAUTH_SECRET .
    - okteto build -t okteto.dev/react:${OKTETO_GIT_COMMIT} samples/reactjs-todo/Dockerfile
    - okteto build -t okteto.dev/angular:${OKTETO_GIT_COMMIT} samples/angular-todo/Dockerfile
    - okteto build -t okteto.dev/central:${OKTETO_GIT_COMMIT} samples/central-login/Dockerfile
    - okteto build -t okteto.dev/embedded:${OKTETO_GIT_COMMIT} samples/embedded-login/Dockerfile

which includes a long list of build arg secrets.

I have an app defined like so

# The build section defines how to build the images of your development environment
# More info: https://www.okteto.com/docs/reference/manifest/#build
build:
  # You can use the following env vars to refer to this image in your deploy commands:
  #  - OKTETO_BUILD_ANGULAR-TODO_REGISTRY: image registry
  #  - OKTETO_BUILD_ANGULAR-TODO_REPOSITORY: image repo
  #  - OKTETO_BUILD_ANGULAR-TODO_IMAGE: image name
  #  - OKTETO_BUILD_ANGULAR-TODO_TAG: image tag
  angular-todo:
    context: .
    dockerfile: samples/angular-todo/Dockerfile
    target: base
    args:
      AM_URL: $AM_URL
      DEBUGGER_OFF: $DEBUGGER_OFF
      REALM_PATH: $REALM_PATH
      JOURNEY_LOGIN: $JOURNEY_LOGIN
      JOURNEY_REGISTER: $JOURNEY_REGISTER
      WEB_OAUTH_CLIENT: $WEB_OAUTH_CLIENT
      REST_OAUTH_CLIENT: $REST_OAUTH_CLIENT
      REST_OAUTH_SECRET: $REST_OAUTH_SECRET
  # You can use the following env vars to refer to this image in your deploy 

which, if I understand, target here refers to my stage that I build.

FROM okteto.dev/base as base

FROM nginx:1.21.6

WORKDIR /usr/share/nginx/html

COPY --from=base /app/builder/dist/samples/angular-todo  .

ENV PORT=80
EXPOSE ${PORT}

Now, I’m not sure if dev as written in the docs is supposed to be the as Base part or just the entire “okteto.dev/base”.

But, secrets seem to not inject. My belief is that there is something to do with the image in the registry, and the order in which these images are being built, as it doesn’t seem to build my base image first, which is critical.

I’m nearing a loss on this.
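
An added example, not code from the poster or from Okteto: a small check that compares the ARG names in the base Dockerfile posted at the top of the thread with the names passed via --build-arg in the manifest command above, and flags secret-looking names, since Docker documents build-arg values as readable through `docker history`. The function names and the secret-name heuristic are assumptions made for this example, and the Dockerfile may have changed between the two posts.

```python
import re
import shlex

# Name fragments that suggest a credential (heuristic chosen for this example).
SECRET_HINTS = re.compile(r"SECRET|TOKEN|PASSWORD|PRIVATE|API_?KEY", re.I)

def declared_args(dockerfile_text):
    """Return ARG names declared in a Dockerfile, in order of appearance."""
    names = []
    for line in dockerfile_text.splitlines():
        m = re.match(r"\s*ARG\s+([A-Za-z_][A-Za-z0-9_]*)", line, re.I)
        if m and m.group(1) not in names:
            names.append(m.group(1))
    return names

def passed_args(build_command):
    """Return the names given to --build-arg in a docker/okteto build command."""
    tokens = shlex.split(build_command)
    names = []
    for i, tok in enumerate(tokens):
        if tok == "--build-arg" and i + 1 < len(tokens):
            names.append(tokens[i + 1].split("=", 1)[0])
        elif tok.startswith("--build-arg="):
            names.append(tok.split("=", 2)[1])
    return names

def audit(dockerfile_text, build_command):
    declared, passed = declared_args(dockerfile_text), passed_args(build_command)
    return {
        # Passed on the command line but never declared with ARG: not usable in the build.
        "undeclared": [n for n in passed if n not in declared],
        # Declared but not passed: empty at build time unless the ARG has a default.
        "not_passed": [n for n in declared if n not in passed],
        # Secret-looking names whose values would travel as build args.
        "secret_like": [n for n in passed if SECRET_HINTS.search(n)],
    }

# Inputs copied from the thread: the posted ARG lines and the base-image build command.
BASE_DOCKERFILE = "ARG AM_URL\nARG API_URL\nARG DEBUGGER_OFF\nARG REALM_PATH\nARG JOURNEY_LOGIN\n"
BASE_BUILD = (
    "okteto build -t okteto.dev/base:${OKTETO_GIT_COMMIT} "
    "--build-arg AM_URL=$AM_URL --build-arg DEBUGGER_OFF=$DEBUGGER_OFF "
    "--build-arg REALM_PATH=$REALM_PATH --build-arg JOURNEY_REGISTER=$JOURNEY_REGISTER "
    "--build-arg WEB_OAUTH_CLIENT=$WEB_OAUTH_CLIENT --build-arg REST_OAUTH_CLIENT=$REST_OAUTH_CLIENT "
    "--build-arg REST_OAUTH_SECRET=$REST_OAUTH_SECRET ."
)

if __name__ == "__main__":
    for finding, names in audit(BASE_DOCKERFILE, BASE_BUILD).items():
        print(f"{finding}: {', '.join(names) or '-'}")
```

The check does not model per-stage ARG scope: an ARG declared before a FROM line has to be declared again inside the stage that uses it.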

Hey there,

Have you configured the registry secret?
Ref: Frequently Asked Questions (FAQs) | Okteto Documentation

I guess I don’t fully understand this.

If I have a base image, can I not just “build” it as a step in my deployment process? Do I need to publish it and then pull it like this?

@ryanbas21 I think there are two issues here. One is how to inject secrets into a Dockerfile. The other one is how and when you should build your base image. Let’s focus on the secrets/dockerfile issue first, did you solve that one?

I’ve solved all the problems by removing the base image, and secrets inject perfectly fine. If I just build all my apps from scratch (run their own installs, and builds instead of one main install and sharing those node_modules) and don’t share an image, everything works nicely.

If I want to go back to the base image way, I’m guessing I’d have to adjust some things.