Allow BUILDKIT_SECRET_ and BUILDKIT_SSH params to use credential manager
mmb opened this issue · 1 comment
A lot of users probably store these secrets in a credential manager. The only way I've found to use credential managers with this task is to run another task first that writes environment variables to files in an output. It would be great if there was an easier way. Using params for secrets instead of params pointing to input files seems simpler, more typical for Concourse and discourages bad practices like storing secrets in git.
I believe buildkit will already look up secrets in the environment instead of the filesystem if you pass it something like `docker build --secret id=SOME_ENV_VAR`. The task could see `BUILDKIT_SECRET_SOME_SECRET`, set `SOME_SECRET` when running the build and pass in `--secret id=SOME_SECRET`.
For `BUILDKIT_SSH`, using params would be easier if it became more like `BUILDKIT_SECRET` and included the id in the param name (`BUILDKIT_SSH_github_ssh_key: ((secret))` instead of `BUILDKIT_SSH: github_ssh_key=<PATH-TO-YOUR-KEY>`). The task would have to write a file, though, because I don't think it can use the environment like secrets can.
I completely agree with @mmb, as storing secrets in a credential manager is the right thing to do and the recommended way everywhere, not only for Concourse. I've tested the use of `docker --secret` with values coming from environment variables (Buildkit `--secret` argument) and it works really well when I build the OCI images locally, so it's a shame that it is not supported for this Concourse resource. Building the image would be something like: `docker build --secret id=some_secret,env=SOME_SECRET .`
I would not remove the file support though. It's good to have the options available.
Thanks everyone contributing to this.
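The param-to-flag mapping proposed in the issue (environment for `BUILDKIT_SECRET_<id>`, a written file for `BUILDKIT_SSH_<id>`), together with the `env=` secret form mentioned in the comment above, as an added example. This is not code from the oci-build-task project or from either commenter; the function names, the temp-directory layout and the constructed sample params are assumptions of the example, while the `--secret id=<id>,env=<VAR>` and `--ssh <id>=<path>` flag forms are documented buildx syntax.

```shell
#!/bin/sh
# Added example (not the oci-build-task's own code): one way a task could map
# BUILDKIT_SECRET_<id> and BUILDKIT_SSH_<id> params, injected by Concourse from
# a credential manager, onto BuildKit CLI flags. Function names and the key
# directory layout are assumptions of this example.
set -eu

# Print the names of exported variables starting with $1, one per line.
# `env` prints VAR=value lines, so the only way a multi-line value (an SSH key)
# could confuse this is if one of its own lines looked like PREFIX_x=...
names_with_prefix() {
    env | sed -n "s/^\(${1}[A-Za-z0-9_]*\)=.*/\1/p" | sort
}

# One `--secret id=<id>,env=<VAR>` flag per BUILDKIT_SECRET_<id> variable.
# The value never touches disk: BuildKit reads it from the environment and
# exposes it to `RUN --mount=type=secret,id=<id>` as /run/secrets/<id>.
secret_flags() {
    for var in $(names_with_prefix BUILDKIT_SECRET_); do
        printf '%s\n' "--secret id=${var#BUILDKIT_SECRET_},env=$var"
    done
}

# BuildKit cannot take SSH keys from the environment, so each BUILDKIT_SSH_<id>
# value is written to a 0600 file under $1 and passed as `--ssh <id>=<path>`.
# $var only ever matches [A-Za-z0-9_], so the eval that dereferences it is safe.
ssh_flags() {
    dir=$1
    for var in $(names_with_prefix BUILDKIT_SSH_); do
        id=${var#BUILDKIT_SSH_}
        keyfile="$dir/$id"
        ( umask 077; eval "printf '%s\n' \"\$$var\"" > "$keyfile" )
        printf '%s\n' "--ssh $id=$keyfile"
    done
}

# Constructed sample params standing in for Concourse's ((secret)) injection.
BUILDKIT_SECRET_npm_token='constructed-not-a-real-token'
export BUILDKIT_SECRET_npm_token
BUILDKIT_SSH_github_ssh_key='-----BEGIN OPENSSH PRIVATE KEY-----
constructed-not-a-real-key
-----END OPENSSH PRIVATE KEY-----'
export BUILDKIT_SSH_github_ssh_key

keydir=$(mktemp -d)
# Collect the flags as a proper argument list; `set --` splits on whitespace,
# which is safe because ids are [A-Za-z0-9_] and $keydir contains no spaces.
set -- $(secret_flags) $(ssh_flags "$keydir")
echo docker build "$@" .
```

On the Dockerfile side the secret is consumed with the documented mount syntax, e.g. `RUN --mount=type=secret,id=npm_token npm config set //registry.npmjs.org/:_authToken="$(cat /run/secrets/npm_token)"` under a `# syntax=docker/dockerfile:1` header, and the key with `RUN --mount=type=ssh,id=github_ssh_key git clone ...`; neither value is written into an image layer. The key file is the one piece that does reach disk, which is why it is created with `umask 077` in a directory the task should remove once the build finishes.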