From c0f8a8314bac305985e9a34b25ea7d0118f24468 Mon Sep 17 00:00:00 2001
From: CrazyMax <crazy-max@users.noreply.github.com>
Date: Thu, 14 Apr 2022 01:27:55 +0200
Subject: [PATCH] bake: support compose build secrets

Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
---
 bake/compose.go      | 29 +++++++++++++++++++++++++++++
 bake/compose_test.go | 11 +++++++++++
 2 files changed, 40 insertions(+)

diff --git a/bake/compose.go b/bake/compose.go
index aecd88f9..78b1c0c9 100644
--- a/bake/compose.go
+++ b/bake/compose.go
@@ -74,6 +74,16 @@ func ParseCompose(dt []byte) (*Config, error) {
 				dockerfilePath := s.Build.Dockerfile
 				dockerfilePathP = &dockerfilePath
 			}
+
+			var secrets []string
+			for _, bs := range s.Build.Secrets {
+				secret, err := composeToBuildkitSecret(bs, cfg.Secrets[bs.Source])
+				if err != nil {
+					return nil, err
+				}
+				secrets = append(secrets, secret)
+			}
+
 			g.Targets = append(g.Targets, s.Name)
 			t := &Target{
 				Name:       s.Name,
@@ -89,6 +99,7 @@ func ParseCompose(dt []byte) (*Config, error) {
 				})),
 				CacheFrom:   s.Build.CacheFrom,
 				NetworkMode: &s.Build.Network,
+				Secrets:     secrets,
 			}
 			if err = t.composeExtTarget(s.Build.Extensions); err != nil {
 				return nil, err
@@ -209,3 +220,21 @@ func (t *Target) composeExtTarget(exts map[string]interface{}) error {
 	}
 	return nil
 }
+
+// composeToBuildkitSecret converts secret from compose format to buildkit's
+// csv format.
+func composeToBuildkitSecret(inp compose.ServiceSecretConfig, psecret compose.SecretConfig) (string, error) {
+	if psecret.External.External {
+		return "", errors.Errorf("unsupported external secret %s", psecret.Name)
+	}
+
+	var bkattrs []string
+	if inp.Source != "" {
+		bkattrs = append(bkattrs, "id="+inp.Source)
+	}
+	if psecret.File != "" {
+		bkattrs = append(bkattrs, "src="+psecret.File)
+	}
+
+	return strings.Join(bkattrs, ","), nil
+}
diff --git a/bake/compose_test.go b/bake/compose_test.go
index 2cad1f65..d9f88a48 100644
--- a/bake/compose_test.go
+++ b/bake/compose_test.go
@@ -23,6 +23,13 @@ services:
         none
       args:
         buildno: 123
+      secrets:
+        - ENV_TOKEN
+        - aws
+secrets:
+  ENV_TOKEN: {}
+  aws:
+    file: /root/.aws/credentials
 `)
 
 	c, err := ParseCompose(dt)
@@ -46,6 +53,10 @@ services:
 	require.Equal(t, 1, len(c.Targets[1].Args))
 	require.Equal(t, "123", c.Targets[1].Args["buildno"])
 	require.Equal(t, "none", *c.Targets[1].NetworkMode)
+	require.Equal(t, []string{
+		"id=ENV_TOKEN",
+		"id=aws,src=/root/.aws/credentials",
+	}, c.Targets[1].Secrets)
 }
 
 func TestNoBuildOutOfTreeService(t *testing.T) {