buildkit secrets support

- Secrets are never exposed in plaintext in the Cue tree. `dagger query` won't dump secrets anymore, Cue errors won't contain them either. - BuildKit-native secrets support through a new `mount` type. This ensures secrets will never be part of containerd layers, buildkit cache and generally speaking will never be saved to disk in plaintext. - Updated netlify as an example - Added tests - Changed the Cue definition of a secret to: ``` @dagger(secret) id: string } ``` This is to ensure both that setting the wrong input type on a secret (e.g. `dagger input text`) will fail, and attempting to misuse the secret (e.g. interpolating, passing as an env variable, etc) will also fail properly. Signed-off-by: Andrea Luzzardi <aluzzardi@gmail.com>
2021-05-25 18:56:16 -07:00
parent 15f4c4877d
commit 9c0e2d1d95
15 changed files with 244 additions and 59 deletions
--- a/stdlib/dagger/dagger.cue
+++ b/stdlib/dagger/dagger.cue
@@ -15,9 +15,8 @@ import (
 }

 // Secret value
-// FIXME: currently aliased as a string to mark secrets
-// this requires proper support.
 #Secret: {
 	@dagger(secret)
-	string | bytes
+
+	id: string
 }
--- a/stdlib/dagger/op/op.cue
+++ b/stdlib/dagger/op/op.cue
@@ -57,7 +57,7 @@ package op
 	// `true` means also ignoring the mount cache volumes
 	always?: true | *false
 	dir:     string | *"/"
-	mount: [string]: "tmpfs" | "cache" | {from: _, path: string | *"/"}
+	mount: [string]: "tmpfs" | "cache" | {from: _, path: string | *"/"} | {secret: _}
 	// Map of hostnames to ip
 	hosts?: [string]: string
 	// User to exec with (if left empty, will default to the set user in the image)
--- a/stdlib/netlify/netlify.cue
+++ b/stdlib/netlify/netlify.cue
@@ -80,10 +80,10 @@ import (
 			if customDomain != _|_ {
 				NETLIFY_DOMAIN: customDomain
 			}
-			NETLIFY_ACCOUNT:    account.name
-			NETLIFY_AUTH_TOKEN: account.token
+			NETLIFY_ACCOUNT: account.name
 		}
 		dir: "/src"
-		mount: "/src": from: contents
+		mount: "/src": from:     contents
+		mount: "/token": secret: account.token
 	}
 }
--- a/stdlib/netlify/netlify.sh.cue
+++ b/stdlib/netlify/netlify.sh.cue
@@ -1,6 +1,8 @@
 package netlify

 #Site: ctr: command: #"""
+	export NETLIFY_AUTH_TOKEN="$(cat /token)"
+
 	create_site() {
 	    url="https://api.netlify.com/api/v1/${NETLIFY_ACCOUNT:-}/sites"

--- a/stdlib/os/container.cue
+++ b/stdlib/os/container.cue
@@ -52,6 +52,8 @@ import (
 	mount: [string]: {
 		from: dagger.#Artifact
 		// FIXME: support source path
+	} | {
+		secret: dagger.#Secret
 	}

 	// Mount persistent cache directories
@@ -94,10 +96,9 @@ import (
 		// Execute setup commands, without volumes
 		for cmd in setup {
 			op.#Exec & {
-				args:     [shell.path] + shell.args + [cmd]
-				"env":    env
-				"dir":    dir
-				"always": always
+				args:  [shell.path] + shell.args + [cmd]
+				"env": env
+				"dir": dir
 			}
 		},
 		// Execute main command with volumes
@@ -109,7 +110,7 @@ import (
 				"always": always
 				"mount": {
 					for dest, o in mount {
-						"\(dest)": from: o.from
+						"\(dest)": o
 						// FIXME: support source path
 					}
 					for dest in cache {