Fix #60: Secrets support in container build args

Author: akclace

internal/app/container_manager.go

@@ -143,6 +143,15 @@ func NewContainerManager(logger *types.Logger, app *App, containerFile string,
 		cargs_map[k] = v
 	}
 
+	// Evaluate secrets in the build args
+	for k, v := range cargs_map {
+		val, err := app.secretEvalFunc(secretsAllowed, app.AppConfig.Security.DefaultSecretsProvider, v)
+		if err != nil {
+			return nil, fmt.Errorf("error evaluating secret for %s: %w", k, err)
+		}
+		cargs_map[k] = val
+	}
+
 	m := &ContainerManager{
 		Logger:          logger,
 		app:             app,

tests/run_cli_tests.sh

@@ -216,6 +216,7 @@ elif [[ -z "$CL_CONTAINER_COMMANDS" ]]; then
   CL_CONTAINER_COMMANDS="docker podman"
 fi
 
+export PYTHON_VERSION=3.12.4-slim
 port_base=9000
 for cmd in ${CL_CONTAINER_COMMANDS}; do
     http_port=`expr $port_base + 1`
@@ -231,6 +232,7 @@ port = $https_port
 app_default_auth_type="none"
 [system]
 container_command="$cmd"
+[secret.env]
 EOF
     rm -rf metadata run/clace.sock
     CL_CONFIG_FILE=config_container.toml GOCOVERDIR=$GOCOVERDIR ../clace server start &

tests/test_containers.yaml

@@ -9,7 +9,7 @@ tests:
   container0020: # setup flask dev app
     command: ../clace app create --dev --spec python-flask --approve ./flaskapp /cont_flaskdev
   container0030: # setup flask prod app
-    command: ../clace app create --spec python-flask --carg PYTHON_VERSION=3.12.4-slim --copt cpu-shares=1000 --approve ./flaskapp /cont_flaskprod
+    command: ../clace app create --spec python-flask --carg PYTHON_VERSION='{{secret_from "env" "PYTHON_VERSION"}}' --copt cpu-shares=1000 --approve ./flaskapp /cont_flaskprod
   container0031: # invalid python version carg fails
     command: ../clace app create --spec python-flask --cvol /tmp:/atmp --cvol /testvol --container-arg PYTHON_VERSION=4invalid-slim --approve ./flaskapp /cont_flaskdev2
   container0032: # check curl