From b5afdec47c8de6de9325d74751c2f15a988ac450 Mon Sep 17 00:00:00 2001
From: coryb
Date: Tue, 31 Jan 2023 15:31:51 -0800
Subject: [PATCH] do not mount secrets that are optional and missing from solve opts
Signed-off-by: coryb
---
 client/client_test.go            | 18 ++++++++++++++++--
 solver/llbsolver/mounts/mount.go |  6 +++---
 2 files changed, 19 insertions(+), 5 deletions(-)
diff --git a/client/client_test.go b/client/client_test.go
index 1fb1a3a5b002..434dfa0e826a 100644
--- a/client/client_test.go
+++ b/client/client_test.go
@@ -1139,9 +1139,9 @@ func testSecretMounts(t *testing.T, sb integration.Sandbox) {
 	}, nil)
 	require.NoError(t, err)
-	// test optional
+	// test optional, mount should not exist when secret not present in SolveOpt
 	st = llb.Image("busybox:latest").
-		Run(llb.Shlex(`echo secret2`), llb.AddSecret("/run/secrets/mysecret2", llb.SecretOptional))
+		Run(llb.Shlex(`test ! -f /run/secrets/mysecret2`), llb.AddSecret("/run/secrets/mysecret2", llb.SecretOptional))
 	def, err = st.Marshal(sb.Context())
 	require.NoError(t, err)
@@ -1178,6 +1178,20 @@ func testSecretMounts(t *testing.T, sb integration.Sandbox) {
 		})},
 	}, nil)
 	require.NoError(t, err)
+
+	// test empty cert still creates secret file
+	st = llb.Image("busybox:latest").
+		Run(llb.Shlex(`test -f /run/secrets/mysecret5`), llb.AddSecret("/run/secrets/mysecret5", llb.SecretID("mysecret")))
+
+	def, err = st.Marshal(sb.Context())
+	require.NoError(t, err)
+
+	_, err = c.Solve(sb.Context(), def, SolveOpt{
+		Session: []session.Attachable{secretsprovider.FromMap(map[string][]byte{
+			"mysecret": []byte(""),
+		})},
+	}, nil)
+	require.NoError(t, err)
 }
 func testSecretEnv(t *testing.T, sb integration.Sandbox) {
diff --git a/solver/llbsolver/mounts/mount.go b/solver/llbsolver/mounts/mount.go
index 37bc8a602d71..2cfeaae7a213 100644
--- a/solver/llbsolver/mounts/mount.go
+++ b/solver/llbsolver/mounts/mount.go
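Review bot: The assertion in the new mysecret5 step only checks that a file exists; `test -f` also passes when the provider delivered non-empty bytes, so it does not pin the case the comment describes (an empty secret still yields a file, whereas an optional missing secret yields none). `test -f /run/secrets/mysecret5 && test ! -s /run/secrets/mysecret5` would assert both existence and zero size, which is the distinction the mount.go change is meant to preserve. The comment `// test empty cert still creates secret file` should read `// test empty secret still creates secret file`, since the value is a generic secret rather than a certificate. The enclosing testSecretMounts function starts before this hunk.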
@@ -251,14 +251,14 @@ func (mm *MountManager) getSecretMountable(ctx context.Context, m *pb.Mount, g s
 	err = mm.sm.Any(ctx, g, func(ctx context.Context, _ string, caller session.Caller) error {
 		dt, err = secrets.GetSecret(ctx, caller, id)
 		if err != nil {
-			if errors.Is(err, secrets.ErrNotFound) && m.SecretOpt.Optional {
-				return nil
-			}
 			return err
 		}
 		return nil
 	})
 	if err != nil {
+		if errors.Is(err, secrets.ErrNotFound) && m.SecretOpt.Optional {
+			return nil, nil
+		}
 		return nil, err
 	}
 	return &secretMount{mount: m, data: dt, idmap: mm.cm.IdentityMapping()}, nil
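Review bot: The added `return nil, nil` makes "nil mountable, nil error" part of getSecretMountable's contract for an optional secret that no session supplies, and nothing in the hunk shows the call site handling that; every caller must now skip the mount rather than use the result, so the function (whose signature and closing brace lie outside this hunk) needs a doc comment such as `// getSecretMountable returns (nil, nil) when the secret is optional and no attached session provides it; callers must treat a nil mountable as "do not mount".` The relocated `errors.Is(err, secrets.ErrNotFound)` check only fires if mm.sm.Any returns the callback's error unchanged or wrapped with %w; if Any rewraps it with a plain message, optional secrets would regress to a hard failure, which the mysecret2 assertion in client_test.go should catch. Hoisting the check out of the callback is the right fix: inside Any, a missing secret in the first session ended the lookup with `dt` still nil, and the old code then produced an empty file at the secret path that was indistinguishable from a present-but-blank credential.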