Add support for --secret option for buildkit support. #786

Closed

@ehengao ehengao commented Mar 24, 2020

Signed-off-by: Heng GAO [email protected]

Description

I add a flag in the build command called --buildkit-secret to support one of the Docker BuildKit options described here:
https://docs.docker.com/develop/develop-images/build_enhancements/#new-docker-build-secret-information

The reason for this change is that I have a function that depends on a private PyPI repository which requires sensitive access information. To avoid putting my credentials into the images, I decided to make this change to take the benefit of using Docker BuildKit to protect my secrets.

The flag added to --buildkit-secret is the same as for docker build --secret. I have successfully built this change and applied it locally to create an image using the following command:

DOCKER_BUILDKIT=1 faas-cli build --no-cache --buildkit-secret id=netrc,src=${HOME}/.netrc -f hello.yml

And in my Dockerfile, I need to specify the following changes to make this work:

# syntax = docker/dockerfile:1.0-experimental
FROM openfaas/of-watchdog:0.7.2 as watchdog
FROM python:3.8-slim

...

RUN --mount=type=secret,id=netrc,dst=/root/.netrc pip install -r requirements.txt --extra-index-url ${EXTRA_INDEX_URL}

Motivation and Context

This change is required because a user's function might have dependencies that are hosted on a private PyPI or GitLab; this change will help users build their functions more securely.

How Has This Been Tested?

A new test case was added in Test_buildFlagSlice to verify that the buildFlagSlice function can create the docker command flag correctly, and a new test function was added to make sure the docker command can be generated correctly.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • My code follows the code style of this project.
  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I've read the CONTRIBUTION guide
  • I have signed-off my commits with git commit -s
  • I have added tests to cover my changes.
  • All new and existing tests passed.
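
One way a --buildkit-secret value like the one in the description above could be validated and turned into docker build arguments, as an added Go example that is not the code from this pull request or from faas-cli. The names secretArgs and dockerBuildArgs are hypothetical, accepting only the id and src keys is an assumption, and the BuildKit check assumes a Docker version where BuildKit is opt-in via DOCKER_BUILDKIT=1.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// secretArgs validates "id=netrc,src=/path" style values and returns the
// docker build flags. Assumption: only the id and src keys are accepted.
func secretArgs(specs []string) ([]string, error) {
	var args []string
	seen := map[string]bool{}
	for _, spec := range specs {
		fields := map[string]string{}
		for _, kv := range strings.Split(spec, ",") {
			p := strings.SplitN(kv, "=", 2)
			if len(p) != 2 || p[1] == "" || (p[0] != "id" && p[0] != "src") {
				return nil, fmt.Errorf("secret %q: bad field %q", spec, kv)
			}
			fields[p[0]] = p[1]
		}
		id := fields["id"]
		if id == "" || seen[id] {
			return nil, fmt.Errorf("secret %q: missing or duplicate id", spec)
		}
		seen[id] = true
		args = append(args, "--secret", spec) // only id and a host path reach argv
	}
	return args, nil
}

// dockerBuildArgs assembles argv for "docker build" (hypothetical helper).
// Secrets are refused unless BuildKit is enabled.
func dockerBuildArgs(tag string, secrets []string, buildkit bool) ([]string, error) {
	if len(secrets) > 0 && !buildkit {
		return nil, fmt.Errorf("--secret needs BuildKit: set DOCKER_BUILDKIT=1")
	}
	flags, err := secretArgs(secrets)
	if err != nil {
		return nil, err
	}
	args := append([]string{"build"}, flags...)
	return append(args, "-t", tag, "."), nil
}

func main() {
	// Constructed sample input; the tag and path are placeholders.
	fmt.Println(dockerBuildArgs("hello:latest", []string{"id=netrc,src=/home/user/.netrc"}, os.Getenv("DOCKER_BUILDKIT") == "1"))
}
```

The returned slice is meant to be passed to exec.Command as separate arguments, so the secret spec is never interpreted by a shell.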

@LucasRoesler
Member

@ehengao I am not sure we are ready to merge this yet because we want to consider if there is a generic way to support a wider range of flags. Take a look at #785 (comment) and let us know what you think. Thanks.

@talhof8

talhof8 commented Oct 15, 2020

@LucasRoesler Any news or other plans to support the new Docker BuildKit?

@LucasRoesler
Member

@talhof8 the design conversation is in #785 and we need to get @alexellis to approve

@simonoff simonoff mentioned this pull request Aug 9, 2022
@alexellis alexellis closed this Oct 18, 2022
@alexellis
Member

We have gone for a simpler approach, and are validating it with OpenFaaS Pro customers.

Should anyone want to try this out, please contact us via the usual channels for customers.

@alexellis
Member

/lock: resolved

@derek derek bot locked and limited conversation to collaborators Oct 18, 2022
Successfully merging this pull request may close these issues.

Support for buildkit --secret option