From 22f1b21f2985a626cbd8e642ff4836face9dc5e9 Mon Sep 17 00:00:00 2001
From: Shubham-Patel07
Date: Fri, 13 Dec 2024 18:12:01 +0530
Subject: [PATCH 1/4] Added: --secret flag so that the hardcoded secret is injected in container as env variable
---
 .github/scripts/docker-create.sh | 55 +++++++++++++-------------
 Dockerfile | 9 ++++++
 Dockerfile_webdesktop | 7 ++++
 Dockerfile_webdesktopk8s | 7 ++++
 4 files changed, 46 insertions(+), 32 deletions(-)
diff --git a/.github/scripts/docker-create.sh b/.github/scripts/docker-create.sh
index dd0e27e55..219b8e147 100755
--- a/.github/scripts/docker-create.sh
+++ b/.github/scripts/docker-create.sh
@@ -352,34 +352,35 @@ build_update_pom() {
 create_containers() {
 echo "Creating containers"
+ SECRET_VALUE="youCantHandleThisSecret"
 if [[ "$script_mode" == "publish" ]]; then
- docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/addo-example:$tag-no-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=without-vault" --push ./../../.
- docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/addo-example:latest-no-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=without-vault" --push ./../../.
- docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/addo-example:$tag-local-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=local-vault" --push ./../../.
- docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/addo-example:latest-local-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=local-vault" --push ./../../.
- docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/addo-example:$tag-k8s-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=kubernetes-vault" --push ./../../.
- docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/addo-example:latest-k8s-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=kubernetes-vault" --push ./../../.
- docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets:$tag-no-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=without-vault" --push ./../../.
- docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets:latest-no-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=without-vault" --push ./../../.
- docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets:$tag-local-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=local-vault" --push ./../../.
- docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets:latest-local-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=local-vault" --push ./../../.
- docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets:$tag-k8s-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=kubernetes-vault" --push ./../../.
- docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets:latest-k8s-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=kubernetes-vault" --push ./../../.
+ docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/addo-example:$tag-no-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=without-vault" --secret id=mysecret,env=SECRET_VALUE --push ./../../.
+ docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/addo-example:latest-no-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=without-vault" --secret id=mysecret,env=SECRET_VALUE --push ./../../.
+ docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/addo-example:$tag-local-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=local-vault" --secret id=mysecret,env=SECRET_VALUE --push ./../../.
+ docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/addo-example:latest-local-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=local-vault" --secret id=mysecret,env=SECRET_VALUE --push ./../../.
+ docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/addo-example:$tag-k8s-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=kubernetes-vault" --secret id=mysecret,env=SECRET_VALUE --push ./../../.
+ docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/addo-example:latest-k8s-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=kubernetes-vault" --secret id=mysecret,env=SECRET_VALUE --push ./../../.
+ docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets:$tag-no-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=without-vault" --secret id=mysecret,env=SECRET_VALUE --push ./../../.
+ docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets:latest-no-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=without-vault" --secret id=mysecret,env=SECRET_VALUE --push ./../../.
+ docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets:$tag-local-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=local-vault" --secret id=mysecret,env=SECRET_VALUE --push ./../../.
+ docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets:latest-local-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=local-vault" --secret id=mysecret,env=SECRET_VALUE --push ./../../.
+ docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets:$tag-k8s-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=kubernetes-vault" --secret id=mysecret,env=SECRET_VALUE --push ./../../.
+ docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets:latest-k8s-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=kubernetes-vault" --secret id=mysecret,env=SECRET_VALUE --push ./../../.
 cd ../..
- docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets-desktop:$tag -f Dockerfile_webdesktop --push .
- docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets-desktop:latest -f Dockerfile_webdesktop --push .
- docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets-desktop-k8s:$tag -f Dockerfile_webdesktopk8s --push .
- docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets-desktop-k8s:latest -f Dockerfile_webdesktopk8s --push .
+ docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets-desktop:$tag -f Dockerfile_webdesktop --secret id=mysecret,env=SECRET_VALUE --push .
+ docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets-desktop:latest -f Dockerfile_webdesktop --secret id=mysecret,env=SECRET_VALUE --push .
+ docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets-desktop-k8s:$tag -f Dockerfile_webdesktopk8s --secret id=mysecret,env=SECRET_VALUE --push .
+ docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets-desktop-k8s:latest -f Dockerfile_webdesktopk8s --secret id=mysecret,env=SECRET_VALUE --push .
 cd .github/scripts
 elif [[ "$script_mode" == "test" ]]; then
- docker buildx build -t jeroenwillemsen/wrongsecrets:$tag --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=without-vault" --load ./../../.
+ docker buildx build -t jeroenwillemsen/wrongsecrets:$tag --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=without-vault" --load --secret id=mysecret,env=SECRET_VALUE ./../../.
 else
 if [[ "$springProfile" != "All" ]]; then
- docker buildx build -t jeroenwillemsen/wrongsecrets:$tag-$springProfile --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=$springProfile" --load ./../../.
+ docker buildx build -t jeroenwillemsen/wrongsecrets:$tag-$springProfile --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=$springProfile" --load --secret id=mysecret,env=SECRET_VALUE ./../../.
 else
- docker buildx build -t jeroenwillemsen/wrongsecrets:$tag-no-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=without-vault" --load ./../../.
- docker buildx build -t jeroenwillemsen/wrongsecrets:$tag-local-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=local-vault" --load ./../../.
- docker buildx build -t jeroenwillemsen/wrongsecrets:$tag-k8s-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=kubernetes-vault" --load ./../../.
+ docker buildx build -t jeroenwillemsen/wrongsecrets:$tag-no-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=without-vault" --load --secret id=mysecret,env=SECRET_VALUE ./../../.
+ docker buildx build -t jeroenwillemsen/wrongsecrets:$tag-local-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=local-vault" --load --secret id=mysecret,env=SECRET_VALUE ./../../.
+ docker buildx build -t jeroenwillemsen/wrongsecrets:$tag-k8s-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=kubernetes-vault" --load --secret id=mysecret,env=SECRET_VALUE ./../../.
 fi
 fi
 }
@@ -452,14 +453,4 @@ test() {
 }
 local_extra_info
-check_correct_launch_location
-check_os
-check_required_install
-download_dot_net_binaries
-generate_test_data
-build_update_pom
-create_containers
-restore_temp_change
-commit_and_tag
-echo_next_steps
-test
+check_co
\ No newline at end of file
diff --git a/Dockerfile b/Dockerfile
index 81883f0ff..1144ceb1c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -17,6 +17,15 @@ RUN echo "$argBasedPassword"
 RUN apk add --no-cache libstdc++ icu-libs
+# Create the /app directory
+RUN mkdir -p /app
+
+# Use a separate RUN command for --mount
+RUN --mount=type=secret,id=mysecret \
+ cat /run/secrets/mysecret > /app/secret.txt
+
+RUN ls -l /app && cat /app/secret.txt
+
 #RUN useradd -u 2000 -m wrongsecrets
 RUN adduser -u 2000 -D wrongsecrets
 USER wrongsecrets
diff --git a/Dockerfile_webdesktop b/Dockerfile_webdesktop
index ba3dfc9e4..1bf54c443 100644
--- a/Dockerfile_webdesktop
+++ b/Dockerfile_webdesktop
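Review bot: The literal `--secret id=mysecret,env=SECRET_VALUE` is repeated on every one of the eighteen `docker buildx build` invocations in this hunk, so a later change to the secret id or source has eighteen places to miss; hoist it once at the top of create_containers, e.g. `local -a secret_args=(--secret id=mysecret,env=SECRET_VALUE)`, and pass `"${secret_args[@]}"` in each call. The same lines leave `$tag` and `$springProfile` unquoted inside the `-t` arguments, so a tag containing whitespace or glob characters would be split before docker sees it; `-t "jeroenwillemsen/wrongsecrets:${tag}-${springProfile}"` is the robust form. The `env=SECRET_VALUE` form reads the docker CLI's environment rather than shell variables, which is worth a one-line comment above the assignment so the next editor knows the value must be visible to the child process.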
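Review bot: `RUN --mount=type=secret,id=mysecret` exists to keep the secret out of image layers, but the command under it copies it to `/app/secret.txt`, which is committed into the layer and shipped with every published tag, so the mount adds no protection here; if persisting it is the intended challenge content, the comment should say so rather than `# Use a separate RUN command for --mount`, e.g. `# Deliberately copied into the image layer as challenge material; the secret mount alone would not persist it`. The file is written while the build still runs as root and before `USER wrongsecrets`, so its ownership and mode depend on the builder's umask rather than an explicit `chmod`, which makes whether the unprivileged runtime user can read it build-dependent. Also, `RUN ls -l /app && cat /app/secret.txt` prints the secret value into the build output, which in CI is a retained log.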
@@ -28,6 +28,13 @@ RUN \
 export PATH="$PATH:/config/.dotnet/tools" &&\
 dotnet tool install ilspycmd --version 9.0.0.7660-preview2 --tool-path /etc/dotnet/tools
+# Add secret handling for Kubernetes-specific Docker builds
+# Create the /app directory to store the secret
+RUN mkdir -p /app
+# The secret will be written to a file for the challenge
+RUN --mount=type=secret,id=mysecret \
+ cat /run/secrets/mysecret > /var/tmp/wrongsecrets/secret.txt
+
 WORKDIR /config/Desktop
 COPY src/main/resources/executables/*linux-mus* /var/tmp/wrongsecrets/
diff --git a/Dockerfile_webdesktopk8s b/Dockerfile_webdesktopk8s
index 179c3fde1..f44623918 100644
--- a/Dockerfile_webdesktopk8s
+++ b/Dockerfile_webdesktopk8s
@@ -33,6 +33,13 @@ RUN \
 export PATH="$PATH:/config/.dotnet/tools" &&\
 dotnet tool install ilspycmd --version 9.0.0.7660-preview2 --tool-path /etc/dotnet/tools
+# Add a secret using --mount and write it to a specific file path for the challenge
+# Create the /app directory to store the secret
+RUN mkdir -p /app
+# This demonstrates how secrets can be mishandled during Docker builds
+RUN --mount=type=secret,id=mysecret \
+ cat /run/secrets/mysecret > /var/tmp/wrongsecrets/secret.txt
+
 WORKDIR /config/Desktop
 COPY src/main/resources/executables/*linux-mus* /var/tmp/wrongsecrets/
From f0ed8fc7cd08eb43dc0aa78c434f39e5f1e97ec1 Mon Sep 17 00:00:00 2001
From: Shubham-Patel07
Date: Fri, 13 Dec 2024 18:13:44 +0530
Subject: [PATCH 2/4] Fix: Updated Dockerfile
---
 Dockerfile | 2 --
 1 file changed, 2 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 1144ceb1c..888a9d8ad 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -24,8 +24,6 @@ RUN mkdir -p /app
 RUN --mount=type=secret,id=mysecret \
 cat /run/secrets/mysecret > /app/secret.txt
-RUN ls -l /app && cat /app/secret.txt
-
 #RUN useradd -u 2000 -m wrongsecrets
 RUN adduser -u 2000 -D wrongsecrets
 USER wrongsecrets
From 2721de2c9a364b79ba0c03f7b7afec4fa462b9bc Mon Sep 17 00:00:00 2001
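Review bot: The hunk creates `/app` (`RUN mkdir -p /app`, under the comment `# Create the /app directory to store the secret`) but then writes the secret to `/var/tmp/wrongsecrets/secret.txt`, so the new directory is never used and, unless `/var/tmp/wrongsecrets` is already created by an instruction outside this hunk, the shell redirect fails and the build aborts — the `COPY ... /var/tmp/wrongsecrets/` that would create it comes after the secret step. Either change the mkdir to `RUN mkdir -p /var/tmp/wrongsecrets` or move the secret step below the COPY, and drop the unused `/app`. The leading comment `# Add secret handling for Kubernetes-specific Docker builds` sits in the non-k8s desktop Dockerfile and should describe this image instead. The Dockerfile_webdesktopk8s hunk below has the same mkdir/target-path mismatch.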
From: Shubham-Patel07
Date: Fri, 13 Dec 2024 18:29:36 +0530
Subject: [PATCH 3/4] Fix: Updated Dockerfile and docker-create.sh
---
 .github/scripts/docker-create.sh | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/.github/scripts/docker-create.sh b/.github/scripts/docker-create.sh
index 219b8e147..5aba18763 100755
--- a/.github/scripts/docker-create.sh
+++ b/.github/scripts/docker-create.sh
@@ -453,4 +453,14 @@ test() {
 }
 local_extra_info
-check_co
\ No newline at end of file
+check_correct_launch_location
+check_os
+check_required_install
+download_dot_net_binaries
+generate_test_data
+build_update_pom
+create_containers
+restore_temp_change
+commit_and_tag
+echo_next_steps
+test
From 8951187f4785a816af73fad234d2a29159e8af44 Mon Sep 17 00:00:00 2001
From: Shubham Patel <87226371+Shubham-Patel07@users.noreply.github.com>
Date: Fri, 13 Dec 2024 22:46:37 +0530
Subject: [PATCH 4/4] Update docker-create.sh to fix env-var injection
---
 .github/scripts/docker-create.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/scripts/docker-create.sh b/.github/scripts/docker-create.sh
index 5aba18763..3e69b84e6 100755
--- a/.github/scripts/docker-create.sh
+++ b/.github/scripts/docker-create.sh
@@ -352,7 +352,7 @@ build_update_pom() {
 create_containers() {
 echo "Creating containers"
- SECRET_VALUE="youCantHandleThisSecret"
+ export SECRET_VALUE="youCantHandleThisSecret"
 if [[ "$script_mode" == "publish" ]]; then
 docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/addo-example:$tag-no-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=without-vault" --secret id=mysecret,env=SECRET_VALUE --push ./../../.
 docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/addo-example:latest-no-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=without-vault" --secret id=mysecret,env=SECRET_VALUE --push ./../../.