solver: fix reading secrets from any session

The current logic was incorrect in some places so that if first
session randomly chosen by `Any()` returned NotFound then other
sessions were not attempted.

For the main use case of mounting secrets as files the logic
was correct, but it was incorrect for example for the case of
adding secrets as environment variables.

Signed-off-by: Tonis Tiigi <[email protected]>

Author: tonistiigi

frontend/gateway/container/container.go

@@ -389,14 +389,11 @@ func (gwCtr *gatewayContainer) loadSecretEnv(ctx context.Context, secretEnv []*p
 		err = gwCtr.sm.Any(ctx, gwCtr.group, func(ctx context.Context, _ string, caller session.Caller) error {
 			dt, err = secrets.GetSecret(ctx, caller, id)
 			if err != nil {
-				if errors.Is(err, secrets.ErrNotFound) && sopt.Optional {
-					return nil
-				}
 				return err
 			}
 			return nil
 		})
-		if err != nil {
+		if err != nil && !(errors.Is(err, secrets.ErrNotFound) && sopt.Optional) {
 			return nil, err
 		}
 		out = append(out, fmt.Sprintf("%s=%s", sopt.Name, string(dt)))

solver/llbsolver/ops/exec.go

@@ -559,14 +559,11 @@ func (e *ExecOp) loadSecretEnv(ctx context.Context, g session.Group) ([]string,
 		err = e.sm.Any(ctx, g, func(ctx context.Context, _ string, caller session.Caller) error {
 			dt, err = secrets.GetSecret(ctx, caller, id)
 			if err != nil {
-				if errors.Is(err, secrets.ErrNotFound) && sopt.Optional {
-					return nil
-				}
 				return err
 			}
 			return nil
 		})
-		if err != nil {
+		if err != nil && !(errors.Is(err, secrets.ErrNotFound) && sopt.Optional) {
 			return nil, err
 		}
 		out = append(out, fmt.Sprintf("%s=%s", sopt.Name, string(dt)))

source/git/source.go

@@ -256,9 +256,11 @@ func (gs *gitSourceHandler) getAuthToken(ctx context.Context, g session.Group) e
 	if err != nil {
 		return err
 	}
-	return gs.sm.Any(ctx, g, func(ctx context.Context, _ string, caller session.Caller) error {
+	err = gs.sm.Any(ctx, g, func(ctx context.Context, _ string, caller session.Caller) error {
+		var err error
 		for _, s := range sec {
-			dt, err := secrets.GetSecret(ctx, caller, s.name)
+			var dt []byte
+			dt, err = secrets.GetSecret(ctx, caller, s.name)
 			if err != nil {
 				if errors.Is(err, secrets.ErrNotFound) {
 					continue
@@ -271,8 +273,12 @@ func (gs *gitSourceHandler) getAuthToken(ctx context.Context, g session.Group) e
 			gs.authArgs = []string{"-c", "http." + tokenScope(gs.src.Remote) + ".extraheader=Authorization: " + string(dt)}
 			break
 		}
-		return nil
+		return err
 	})
+	if errors.Is(err, secrets.ErrNotFound) {
+		err = nil
+	}
+	return err
 }
 
 func (gs *gitSourceHandler) mountSSHAuthSock(ctx context.Context, sshID string, g session.Group) (string, func() error, error) {

source/http/source.go

@@ -513,20 +513,16 @@ func (hs *httpSourceHandler) newHTTPRequest(ctx context.Context, g session.Group
 	}
 
 	if hs.src.AuthHeaderSecret != "" {
+		var dt []byte
 		err := hs.sm.Any(ctx, g, func(ctx context.Context, _ string, caller session.Caller) error {
-			dt, err := secrets.GetSecret(ctx, caller, hs.src.AuthHeaderSecret)
-			if err != nil {
-				return err
-			}
-
-			req.Header.Set("Authorization", string(dt))
-
-			return nil
+			var err error
+			dt, err = secrets.GetSecret(ctx, caller, hs.src.AuthHeaderSecret)
+			return err
 		})
-
 		if err != nil {
 			return nil, errors.Wrapf(err, "failed to retrieve HTTP auth secret %s", hs.src.AuthHeaderSecret)
 		}
+		req.Header.Set("Authorization", string(dt))
 	}
 
 	return req.WithContext(ctx), nil