Mount secrets during build step

Our Docker images are usually built in GitHub Actions. They sometimes need to mount secrets during build time. I’ve included an example below:

RUN --mount=type=secret,id=github_token \
    composer config --global github-oauth.github.com $(cat /run/secrets/github_token) && \
    composer install \
      --ignore-platform-reqs \
      --no-interaction \
      --no-plugins \
      --no-scripts \
      --prefer-dist

I’m trying to figure out how I can get this to work with the okteto.yaml file. Is this possible?
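An added example, not part of the original thread or of Okteto's documentation: `composer config --global github-oauth.github.com <token>` stores the token in `auth.json` under Composer's home directory, so the RUN instruction posted above writes it into the image layer even though `/run/secrets/github_token` itself is never persisted. The variant below hands the token to Composer through the `COMPOSER_AUTH` environment variable for that one command only. The base image tag, stage name and copied files are assumptions.

```dockerfile
# syntax=docker/dockerfile:1
# Added example. "composer:2", the stage name "vendor" and the COPY paths are
# assumptions, not taken from the thread.
FROM composer:2 AS vendor
WORKDIR /app
COPY composer.json composer.lock ./

# As posted: the secret mount is temporary, but `composer config --global`
# saves the token to auth.json in Composer's home directory, and that file
# becomes part of this layer.
# RUN --mount=type=secret,id=github_token \
#     composer config --global github-oauth.github.com $(cat /run/secrets/github_token) && \
#     composer install ...

# Hardened: COMPOSER_AUTH takes the same JSON as auth.json and exists only in
# the environment of this single command, so nothing is written to disk.
# Assumes the token contains no characters that need JSON escaping.
RUN --mount=type=secret,id=github_token \
    COMPOSER_AUTH="{\"github-oauth\":{\"github.com\":\"$(cat /run/secrets/github_token)\"}}" \
    composer install \
      --ignore-platform-reqs \
      --no-interaction \
      --no-plugins \
      --no-scripts \
      --prefer-dist

# Build-time check: fail if any GitHub OAuth entry was left in Composer's home.
RUN ! grep -rqs "github-oauth" "$(composer config --global home)"
```

The secret is supplied exactly as in the replies below, through `--secret id=github_token,src=...` on the command line or the `secrets` key in the manifest.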

Hi @boedy,

You can pass build arguments to the okteto cli as you would to a docker build:

okteto build --secret id=github_token,src=qwerty -t my-image .

You can also define your secrets in the okteto.yml file:

build:
  api:
    ...
    secrets:
      github_token: qwerty

More info in the docs: Okteto Manifest | Okteto Documentation

Hope it helps!
Francisco

Thanks for the prompt reply @maroshii. It seems it needs to be a file? Can a secret stored in Okteto be used? Something along the lines of:

build:
  api:
    ...
    secrets:
      github_token: $GITHUB_TOKEN

According to the docs, $GITHUB_TOKEN should be defined in the environment, so you should be able to export GITHUB_TOKEN=asdfg before running the build:

  • secrets: list of secrets exposed to the build. The value of each secret refers to a file. Okteto will resolve references containing a $ sign in this file to the environment variable value on the machine okteto is running on.

Okteto secrets are runtime secrets, so they are not available at build time.