refactor: use docker/secrets-engine SDK and writable bind mounts in Dockerfile #529
Open
joe0BAB wants to merge 2 commits into
Conversation
Replace the tmpfs + rsync pattern in docs-build and docs-validate stages with a writable bind mount (--mount=type=bind,target=.,rw). This avoids copying the full source tree and removes the rsync dependency from the base image. Build output is still exported via /out and scratch stages. Also bump GO_VERSION from 1.25.5 to 1.25.11 to match go.mod's minimum.
Replace the hand-rolled connectRPC-over-Unix-socket implementation in the secret-management package with the public github.com/docker/secrets-engine client SDK.

- GetSecrets/GetSecret now use client.New + Resolver.GetSecrets instead of manually constructing HTTP requests, JSON payloads, and the RPC path.
- Use realms.DockerMCPDefault for the docker/mcp/** pattern and client.ParsePattern for single-key lookups.
- Pin the client to the engine socket via api.DefaultSocketPath(), dropping the local socketPath()/newHTTPClient() helpers.
- Return the SDK's client.Envelope directly (ID is now secrets.ID); callers that used the ID as a string now call .ID.String().
- Update the config-validation test fake to serve the real resolver connect protocol so an empty result maps to ErrSecretNotFound (engine reachable, no secrets) rather than a transport error.

Bumps the go directive to 1.25.11 (required by the SDK modules) and the Dockerfile GO_VERSION to match. Vendored accordingly.
What I did

- Use the docker/secrets-engine SDK in secretsengine.go: Replaced the hand-rolled connectRPC-over-Unix-socket implementation in the secret-management package with the public github.com/docker/secrets-engine client SDK.
  - GetSecrets/GetSecret now use client.New + Resolver.GetSecrets instead of manually constructing HTTP requests, JSON payloads, and the RPC path.
  - Use realms.DockerMCPDefault for the docker/mcp/** pattern and client.ParsePattern for single-key lookups.
  - Pin the client to the engine socket via api.DefaultSocketPath(), dropping the local socketPath()/newHTTPClient() helpers.
  - Return the SDK's client.Envelope directly (ID is now secrets.ID); callers that used the ID as a string now call .ID.String().
  - Update the config-validation test fake to serve the real resolver connect protocol so an empty result maps to ErrSecretNotFound.
- Replace rsync with writable bind mounts in the Dockerfile: Replaced the tmpfs + rsync pattern in the docs-build and docs-validate stages with a writable bind mount (--mount=type=bind,target=.,rw). Avoids copying the full source tree and removes the rsync dependency from the base image. Build output is still exported via /out and scratch stages.
- Bump Go version: Bumped the go directive to 1.25.11 (required by the SDK modules) and the Dockerfile GO_VERSION to match. Vendored accordingly.
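The writable-bind-mount pattern described in the first commit and in the "Replace rsync with writable bind mounts" item above, shown as an added illustration (this is not the PR's actual Dockerfile). The stage names docs-build and docs-validate, the /out export, the scratch stage and GO_VERSION=1.25.11 come from the PR description; the base image tag, the docs generator command (go run ./cmd/docs-gen) and the diff-based validation step are assumptions made for the example. The point worth seeing is that a bind mount with rw lets the RUN step write into the mounted tree while BuildKit discards those writes when the step ends, so the host build context is never modified and nothing from the source tree is baked into the image; persistent output therefore has to be written outside the mount (here /out) and exported through a scratch stage.

```dockerfile
# syntax=docker/dockerfile:1
ARG GO_VERSION=1.25.11

# Shared base for the docs stages. Nothing is copied in and rsync is not
# installed: the source tree is bind-mounted per RUN step instead.
FROM golang:${GO_VERSION}-alpine AS docs-base
WORKDIR /src

# Generate docs. The build context is mounted at "." (resolved against WORKDIR)
# with rw so the generator may write scratch files into the tree; BuildKit
# throws those writes away after the step, so only /out survives.
FROM docs-base AS docs-build
RUN --mount=type=bind,target=.,rw \
    mkdir -p /out && \
    go run ./cmd/docs-gen --output /out   # hypothetical generator command

# Validate that committed docs are up to date. Regenerate into a temp dir
# and compare against the mounted tree; a non-zero diff fails the build.
FROM docs-base AS docs-validate
RUN --mount=type=bind,target=.,rw \
    go run ./cmd/docs-gen --output /tmp/generated && \
    diff -r /tmp/generated ./docs         # hypothetical check

# Export stage: an empty image holding only the generated output.
FROM scratch AS docs
COPY --from=docs-build /out /
```

To run only the validation stage in CI, target it directly (docker build --target docs-validate .); to pull the generated files out to the host, build the export stage with a local output (docker build --target docs --output type=local,dest=./docs .). Both invocations rely on BuildKit, which the syntax directive at the top selects.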