[feat]: [CI-15039]: Support secret decryption on delegate for DLC (#51)

anurag-harness · web-flow · commit ff923bf609b8 · 2025-03-03T11:45:49.000-08:00
* [feat]: [CI-15039]: Support secret decryption on delegate for DLC

* Update docker.go

* Update docker.go

* Update docker_test.go

* Update docker_test.go
diff --git a/app.go b/app.go
@@ -395,6 +395,21 @@ func Run() {
 			Usage:  "Buildkit response header timeout override. Default value is 30s",
 			EnvVar: "PLUGIN_BUILDKIT_RESPONSE_HEADER_TIMEOUT",
 		},
+		cli.StringFlag{
+			Name:   "harness-self-hosted-s3-access-key",
+			Usage:  "build target",
+			EnvVar: "PLUGIN_HARNESS_SELF_HOSTED_S3_ACCESS_KEY",
+		},
+		cli.StringFlag{
+			Name:   "harness-self-hosted-s3-secret-key",
+			Usage:  "build target",
+			EnvVar: "PLUGIN_HARNESS_SELF_HOSTED_S3_SECRET_KEY",
+		},
+		cli.StringFlag{
+			Name:   "harness-self-hosted-gcp-json-key",
+			Usage:  "build target",
+			EnvVar: "PLUGIN_HARNESS_SELF_HOSTED_GCP_JSON_KEY",
+		},
 	}
 
 	if err := app.Run(os.Args); err != nil {
@@ -424,35 +439,38 @@ func run(c *cli.Context) error {
 		ArtifactFile:     c.String("artifact-file"),
 		CacheMetricsFile: c.String("cache-metrics-file"),
 		Build: Build{
-			Remote:              c.String("remote.url"),
-			Name:                c.String("commit.sha"),
-			Dockerfile:          c.String("dockerfile"),
-			Context:             c.String("context"),
-			Tags:                c.StringSlice("tags"),
-			Args:                c.StringSlice("args"),
-			ArgsEnv:             c.StringSlice("args-from-env"),
-			ArgsNew:             c.Generic("args-new").(*CustomStringSliceFlag).GetValue(),
-			IsMultipleBuildArgs: c.Bool("plugin-multiple-build-agrs"),
-			Target:              c.String("target"),
-			Squash:              c.Bool("squash"),
-			Pull:                c.BoolT("pull-image"),
-			CacheFrom:           c.Generic("cache-from").(*CustomStringSliceFlag).GetValue(),
-			CacheTo:             c.Generic("cache-to").(*CustomStringSliceFlag).GetValue(),
-			Compress:            c.Bool("compress"),
-			Repo:                c.String("repo"),
-			Labels:              c.StringSlice("custom-labels"),
-			LabelSchema:         c.StringSlice("label-schema"),
-			AutoLabel:           c.BoolT("auto-label"),
-			Link:                c.String("link"),
-			NoCache:             c.Bool("no-cache"),
-			Secret:              c.String("secret"),
-			SecretEnvs:          c.StringSlice("secrets-from-env"),
-			SecretFiles:         c.StringSlice("secrets-from-file"),
-			AddHost:             c.StringSlice("add-host"),
-			Quiet:               c.Bool("quiet"),
-			Platform:            c.String("platform"),
-			SSHAgentKey:         c.String("ssh-agent-key"),
-			BuildxLoad:          c.Bool("buildx-load"),
+			Remote:                       c.String("remote.url"),
+			Name:                         c.String("commit.sha"),
+			Dockerfile:                   c.String("dockerfile"),
+			Context:                      c.String("context"),
+			Tags:                         c.StringSlice("tags"),
+			Args:                         c.StringSlice("args"),
+			ArgsEnv:                      c.StringSlice("args-from-env"),
+			ArgsNew:                      c.Generic("args-new").(*CustomStringSliceFlag).GetValue(),
+			IsMultipleBuildArgs:          c.Bool("plugin-multiple-build-agrs"),
+			Target:                       c.String("target"),
+			Squash:                       c.Bool("squash"),
+			Pull:                         c.BoolT("pull-image"),
+			CacheFrom:                    c.Generic("cache-from").(*CustomStringSliceFlag).GetValue(),
+			CacheTo:                      c.Generic("cache-to").(*CustomStringSliceFlag).GetValue(),
+			Compress:                     c.Bool("compress"),
+			Repo:                         c.String("repo"),
+			Labels:                       c.StringSlice("custom-labels"),
+			LabelSchema:                  c.StringSlice("label-schema"),
+			AutoLabel:                    c.BoolT("auto-label"),
+			Link:                         c.String("link"),
+			NoCache:                      c.Bool("no-cache"),
+			Secret:                       c.String("secret"),
+			SecretEnvs:                   c.StringSlice("secrets-from-env"),
+			SecretFiles:                  c.StringSlice("secrets-from-file"),
+			AddHost:                      c.StringSlice("add-host"),
+			Quiet:                        c.Bool("quiet"),
+			Platform:                     c.String("platform"),
+			SSHAgentKey:                  c.String("ssh-agent-key"),
+			BuildxLoad:                   c.Bool("buildx-load"),
+			HarnessSelfHostedS3AccessKey: c.String("harness-self-hosted-s3-access-key"),
+			HarnessSelfHostedS3SecretKey: c.String("harness-self-hosted-s3-secret-key"),
+			HarnessSelfHostedGcpJsonKey:  c.String("harness-self-hosted-gcp-json-key"),
 		},
 		Daemon: Daemon{
 			Registry:         c.String("docker.registry"),
diff --git a/docker.go b/docker.go
@@ -2,6 +2,7 @@ package docker
 
 import (
 	"bytes"
+	"encoding/base64"
 	"encoding/json"
 	"fmt"
 	"os"
@@ -60,36 +61,39 @@ type (
 
 	// Build defines Docker build parameters.
 	Build struct {
-		Remote              string   // Git remote URL
-		Name                string   // Docker build using default named tag
-		Dockerfile          string   // Docker build Dockerfile
-		Context             string   // Docker build context
-		Tags                []string // Docker build tags
-		Args                []string // Docker build args
-		ArgsEnv             []string // Docker build args from env
-		ArgsNew             []string // Docker build args with comma seperated values
-		IsMultipleBuildArgs bool     // env variable for fall back
-		Target              string   // Docker build target
-		Squash              bool     // Docker build squash
-		Pull                bool     // Docker build pull
-		CacheFrom           []string // Docker buildx cache-from
-		CacheTo             []string // Docker buildx cache-to
-		Compress            bool     // Docker build compress
-		Repo                string   // Docker build repository
-		LabelSchema         []string // label-schema Label map
-		AutoLabel           bool     // auto-label bool
-		Labels              []string // Label map
-		Link                string   // Git repo link
-		NoCache             bool     // Docker build no-cache
-		Secret              string   // secret keypair
-		SecretEnvs          []string // Docker build secrets with env var as source
-		SecretFiles         []string // Docker build secrets with file as source
-		AddHost             []string // Docker build add-host
-		Quiet               bool     // Docker build quiet
-		Platform            string   // Docker build platform
-		SSHAgentKey         string   // Docker build ssh agent key
-		SSHKeyPath          string   // Docker build ssh key path
-		BuildxLoad          bool     // Docker buildx --load
+		Remote                       string   // Git remote URL
+		Name                         string   // Docker build using default named tag
+		Dockerfile                   string   // Docker build Dockerfile
+		Context                      string   // Docker build context
+		Tags                         []string // Docker build tags
+		Args                         []string // Docker build args
+		ArgsEnv                      []string // Docker build args from env
+		ArgsNew                      []string // Docker build args with comma seperated values
+		IsMultipleBuildArgs          bool     // env variable for fall back
+		Target                       string   // Docker build target
+		Squash                       bool     // Docker build squash
+		Pull                         bool     // Docker build pull
+		CacheFrom                    []string // Docker buildx cache-from
+		CacheTo                      []string // Docker buildx cache-to
+		Compress                     bool     // Docker build compress
+		Repo                         string   // Docker build repository
+		LabelSchema                  []string // label-schema Label map
+		AutoLabel                    bool     // auto-label bool
+		Labels                       []string // Label map
+		Link                         string   // Git repo link
+		NoCache                      bool     // Docker build no-cache
+		Secret                       string   // secret keypair
+		SecretEnvs                   []string // Docker build secrets with env var as source
+		SecretFiles                  []string // Docker build secrets with file as source
+		AddHost                      []string // Docker build add-host
+		Quiet                        bool     // Docker build quiet
+		Platform                     string   // Docker build platform
+		SSHAgentKey                  string   // Docker build ssh agent key
+		SSHKeyPath                   string   // Docker build ssh key path
+		BuildxLoad                   bool     // Docker buildx --load
+		HarnessSelfHostedS3AccessKey string   // Harness self-hosted s3 access key
+		HarnessSelfHostedS3SecretKey string   // Harness self-hosted s3 secret key
+		HarnessSelfHostedGcpJsonKey  string   // Harness self hosted gcp json region
 	}
 
 	// Plugin defines the Docker plugin parameters.
@@ -562,6 +566,8 @@ func commandBuildx(build Build, builder Builder, dryrun bool, metadataFile strin
 		"-f", build.Dockerfile,
 	}
 
+	sanitizeCacheCommand(&build)
+
 	if builder.Name != "" {
 		args = append(args, "--builder", builder.Name)
 	}
@@ -664,6 +670,46 @@ func commandBuildx(build Build, builder Builder, dryrun bool, metadataFile strin
 	return exec.Command(dockerExe, args...)
 }
 
+func sanitizeCacheCommand(build *Build) {
+	// Helper function to sanitize cache arguments
+	sanitizeCacheArgs := func(args []string) []string {
+		for i, arg := range args {
+
+			// Replace access_key_id if placeholder exists and the actual key is not empty
+			if strings.Contains(arg, "access_key_id=harness_placeholder_aws_creds") && build.HarnessSelfHostedS3AccessKey != "" {
+				arg = strings.Replace(arg, "access_key_id=harness_placeholder_aws_creds", "access_key_id="+build.HarnessSelfHostedS3AccessKey, 1)
+			}
+
+			// Replace secret_access_key if placeholder exists and the actual key is not empty
+			if strings.Contains(arg, "secret_access_key=harness_placeholder_aws_creds") && build.HarnessSelfHostedS3SecretKey != "" {
+				arg = strings.Replace(arg, "secret_access_key=harness_placeholder_aws_creds", "secret_access_key="+build.HarnessSelfHostedS3SecretKey, 1)
+			}
+
+			// Handle gcp_json_key
+			if strings.Contains(arg, "gcp_json_key=harness_placeholder_gcp_creds") {
+				if build.HarnessSelfHostedGcpJsonKey != "" {
+					// Base64 encode the GCP JSON key
+					encodedGCPJsonKey := base64.StdEncoding.EncodeToString([]byte(build.HarnessSelfHostedGcpJsonKey))
+					// Replace the placeholder with the base64-encoded GCP JSON key
+					arg = strings.Replace(arg, "gcp_json_key=harness_placeholder_gcp_creds", "gcp_json_key="+encodedGCPJsonKey, 1)
+				} else {
+					// Remove the gcp_json_key substring if the actual key is empty
+					arg = strings.Replace(arg, ",gcp_json_key=harness_placeholder_gcp_creds", "", 1)
+					arg = strings.Replace(arg, "gcp_json_key=harness_placeholder_gcp_creds,", "", 1)
+					arg = strings.Replace(arg, "gcp_json_key=harness_placeholder_gcp_creds", "", 1)
+				}
+			}
+
+			// Update the argument
+			args[i] = arg
+		}
+		return args
+	}
+
+	build.CacheFrom = sanitizeCacheArgs(build.CacheFrom)
+	build.CacheTo = sanitizeCacheArgs(build.CacheTo)
+}
+
 func getSecretStringCmdArg(kvp string) (string, error) {
 	return getSecretCmdArg(kvp, false)
 }
diff --git a/docker_test.go b/docker_test.go
@@ -220,6 +220,89 @@ func TestCommandBuildx(t *testing.T) {
 	}
 }
 
+func TestSanitizeCacheCommand(t *testing.T) {
+	tests := []struct {
+		name              string
+		build             Build
+		expectedCacheFrom []string
+		expectedCacheTo   []string
+	}{
+		{
+			name: "Replace AWS placeholders in CacheFrom and CacheTo",
+			build: Build{
+				CacheFrom:                    []string{"type=s3,access_key_id=harness_placeholder_aws_creds,secret_access_key=harness_placeholder_aws_creds"},
+				CacheTo:                      []string{"type=s3,access_key_id=harness_placeholder_aws_creds,secret_access_key=harness_placeholder_aws_creds"},
+				HarnessSelfHostedS3AccessKey: "actual_access_key",
+				HarnessSelfHostedS3SecretKey: "actual_secret_key",
+			},
+			expectedCacheFrom: []string{"type=s3,access_key_id=actual_access_key,secret_access_key=actual_secret_key"},
+			expectedCacheTo:   []string{"type=s3,access_key_id=actual_access_key,secret_access_key=actual_secret_key"},
+		},
+		{
+			name: "Replace GCP placeholder in CacheFrom",
+			build: Build{
+				CacheFrom:                   []string{"type=gcs,gcp_json_key=harness_placeholder_gcp_creds"},
+				CacheTo:                     []string{},
+				HarnessSelfHostedGcpJsonKey: "actual_gcp_key",
+			},
+			expectedCacheFrom: []string{"type=gcs,gcp_json_key=YWN0dWFsX2djcF9rZXk="},
+			expectedCacheTo:   []string{},
+		},
+		{
+			name: "Remove GCP placeholder when key is empty",
+			build: Build{
+				CacheFrom:                   []string{"type=gcs,gcp_json_key=harness_placeholder_gcp_creds"},
+				CacheTo:                     []string{"type=gcs,bucket=test,gcp_json_key=harness_placeholder_gcp_creds,prefix=dlc"},
+				HarnessSelfHostedGcpJsonKey: "",
+			},
+			expectedCacheFrom: []string{"type=gcs"},
+			expectedCacheTo:   []string{"type=gcs,bucket=test,prefix=dlc"},
+		},
+		{
+			name: "Multiple placeholders in CacheFrom",
+			build: Build{
+				CacheFrom:                    []string{"type=gcs,gcp_json_key=harness_placeholder_gcp_creds,access_key_id=harness_placeholder_aws_creds,secret_access_key=harness_placeholder_aws_creds"},
+				CacheTo:                      []string{},
+				HarnessSelfHostedS3AccessKey: "actual_access_key",
+				HarnessSelfHostedS3SecretKey: "actual_secret_key",
+				HarnessSelfHostedGcpJsonKey:  "actual_gcp_key",
+			},
+			expectedCacheFrom: []string{"type=gcs,gcp_json_key=YWN0dWFsX2djcF9rZXk=,access_key_id=actual_access_key,secret_access_key=actual_secret_key"},
+			expectedCacheTo:   []string{},
+		},
+		{
+			name: "No placeholders in CacheFrom and CacheTo",
+			build: Build{
+				CacheFrom: []string{"type=s3,bucket=test"},
+				CacheTo:   []string{"type=gcs,bucket=test"},
+			},
+			expectedCacheFrom: []string{"type=s3,bucket=test"},
+			expectedCacheTo:   []string{"type=gcs,bucket=test"},
+		},
+		{
+			name: "Empty CacheFrom and CacheTo",
+			build: Build{
+				CacheFrom: []string{},
+				CacheTo:   []string{},
+			},
+			expectedCacheFrom: []string{},
+			expectedCacheTo:   []string{},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			sanitizeCacheCommand(&tt.build)
+			if !reflect.DeepEqual(tt.build.CacheFrom, tt.expectedCacheFrom) {
+				t.Errorf("CacheFrom = %v, want %v", tt.build.CacheFrom, tt.expectedCacheFrom)
+			}
+			if !reflect.DeepEqual(tt.build.CacheTo, tt.expectedCacheTo) {
+				t.Errorf("CacheTo = %v, want %v", tt.build.CacheTo, tt.expectedCacheTo)
+			}
+		})
+	}
+}
+
 func TestGetDigest(t *testing.T) {
 
 	tcs := []struct {
