buildkit secrets support
- Secrets are never exposed in plaintext in the Cue tree. `dagger query` won't dump secrets anymore, Cue errors won't contain them either. - BuildKit-native secrets support through a new `mount` type. This ensures secrets will never be part of containerd layers, buildkit cache and generally speaking will never be saved to disk in plaintext. - Updated netlify as an example - Added tests - Changed the Cue definition of a secret to: ``` @dagger(secret) id: string } ``` This is to ensure both that setting the wrong input type on a secret (e.g. `dagger input text`) will fail, and attempting to misuse the secret (e.g. interpolating, passing as an env variable, etc) will also fail properly. Signed-off-by: Andrea Luzzardi <aluzzardi@gmail.com>
This commit is contained in:
@@ -57,7 +57,7 @@ package op
|
||||
// `true` means also ignoring the mount cache volumes
|
||||
always?: true | *false
|
||||
dir: string | *"/"
|
||||
mount: [string]: "tmpfs" | "cache" | {from: _, path: string | *"/"}
|
||||
mount: [string]: "tmpfs" | "cache" | {from: _, path: string | *"/"} | {secret: _}
|
||||
// Map of hostnames to ip
|
||||
hosts?: [string]: string
|
||||
// User to exec with (if left empty, will default to the set user in the image)
|
||||
|
Reference in New Issue
Block a user