在 dockerfile 中使用秘密 [英] Consume secret inside dockerfile

问题描述

是否可以访问 dockerfile 中的机器环境?我正在考虑将秘密作为构建 ARG 传递，如下所示:

Is it possible to access machine environments inside dockerfile? I was thinking passing the SECRET as build ARG, like so:

码头工人撰写:

version: '3.5'
services:
  service:
    ...
    build:
      ...
      args:
        SECRET: ${SECRET}
    ...

码头文件:

FROM image
ARG SECRET
RUN script-${SECRET}

注意:容器是在 kubernetes 中构建的，我无法将任何参数传递给构建命令或执行任何命令.

Note: the container is build in kubernetes, I can not pass any arguments to the build command or perform any command at all.

编辑 1: 可以将 SECRET 作为 ARG 传递，因为这不是敏感数据.我正在使用 SECRETS 访问微服务数据，我只能使用机密存储数据.将其视为机器环境.

Edit 1: It is okay to pass SECRET as ARG because this is not sensitive data. I'm using SECRETS to access micro service data, and I can only store data using secrets. Think of this as machine environment.

编辑 2: 这不是 docker 的问题，而是我正在使用的基础架构，它不允许将任何参数传递给 docker build.

Edit 2: This was not a problem with docker but with the infrastructure that I was working with which does not allow any arguments to be passed to the docker build.

推荐答案

秘密只有在构建完成后才可用.所以答案是否定的，不能在 dockerfile 中使用秘密.您可以在构建完成后使用它们，例如在运行映像时执行的入口点文件中.

Secrets are available only after the build is completed. So the anwser is no, secrets can not be consume inside the dockerfile. You can consume them after the build is complete, for example in an entrypoint file that is executed when the image is run.

这篇关于在 dockerfile 中使用秘密的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！