buildkit secrets support

- Secrets are never exposed in plaintext in the Cue tree. `dagger query` won't dump secrets anymore, Cue errors won't contain them either. - BuildKit-native secrets support through a new `mount` type. This ensures secrets will never be part of containerd layers, buildkit cache and generally speaking will never be saved to disk in plaintext. - Updated netlify as an example - Added tests - Changed the Cue definition of a secret to: ``` @dagger(secret) id: string } ``` This is to ensure both that setting the wrong input type on a secret (e.g. `dagger input text`) will fail, and attempting to misuse the secret (e.g. interpolating, passing as an env variable, etc) will also fail properly. Signed-off-by: Andrea Luzzardi <aluzzardi@gmail.com>
2021-05-25 18:56:16 -07:00
parent 15f4c4877d
commit 9c0e2d1d95
15 changed files with 244 additions and 59 deletions
--- a/stdlib/os/container.cue
+++ b/stdlib/os/container.cue
@@ -52,6 +52,8 @@ import (
 	mount: [string]: {
 		from: dagger.#Artifact
 		// FIXME: support source path
+	} | {
+		secret: dagger.#Secret
 	}

 	// Mount persistent cache directories
@@ -94,10 +96,9 @@ import (
 		// Execute setup commands, without volumes
 		for cmd in setup {
 			op.#Exec & {
-				args:     [shell.path] + shell.args + [cmd]
-				"env":    env
-				"dir":    dir
-				"always": always
+				args:  [shell.path] + shell.args + [cmd]
+				"env": env
+				"dir": dir
 			}
 		},
 		// Execute main command with volumes
@@ -109,7 +110,7 @@ import (
 				"always": always
 				"mount": {
 					for dest, o in mount {
-						"\(dest)": from: o.from
+						"\(dest)": o
 						// FIXME: support source path
 					}
 					for dest in cache {