From d7194f161d9207366e8cd6b92532f60a91ae816a Mon Sep 17 00:00:00 2001 From: Tom Chauveau Date: Wed, 25 Aug 2021 17:41:06 +0200 Subject: [PATCH] Add secret management to `op.#FetchGit` operation to fetch private repository - Update `op.cue` to support secrets - Update `pipeline.go` to use authTokenSecret & authHeaderSecret Signed-off-by: Tom Chauveau --- environment/pipeline.go | 48 +++++++++++++++++++++++++++-------------- stdlib/dagger/op/op.cue | 4 ++-- 2 files changed, 34 insertions(+), 18 deletions(-) diff --git a/environment/pipeline.go b/environment/pipeline.go index ceea712f..ff947a0b 100644 --- a/environment/pipeline.go +++ b/environment/pipeline.go @@ -494,17 +494,11 @@ func (p *Pipeline) mount(ctx context.Context, dest string, mnt *compiler.Value) } // eg. mount: "/foo": secret: mysecret if secret := mnt.Lookup("secret"); secret.Exists() { - if !secret.HasAttr("secret") { - return nil, fmt.Errorf("invalid secret %q: not a secret", secret.Path().String()) - } - idValue := secret.Lookup("id") - if !idValue.Exists() { - return nil, fmt.Errorf("invalid secret %q: no id field", secret.Path().String()) - } - id, err := idValue.String() + id, err := getSecretID(secret) if err != nil { - return nil, fmt.Errorf("invalid secret id: %w", err) + return nil, err } + return llb.AddSecret(dest, llb.SecretID(id), llb.SecretFileOpt(0, 0, 0400), // uid, gid, mask) @@ -779,6 +773,21 @@ func (p *Pipeline) PushContainer(ctx context.Context, op *compiler.Value, st llb return st, err } +func getSecretID(secretField *compiler.Value) (string, error) { + if !secretField.HasAttr("secret") { + return "", fmt.Errorf("invalid secret %q: not a secret", secretField.Path().String()) + } + idValue := secretField.Lookup("id") + if !idValue.Exists() { + return "", fmt.Errorf("invalid secret %q: no id field", secretField.Path().String()) + } + id, err := idValue.String() + if err != nil { + return "", fmt.Errorf("invalid secret id: %w", err) + } + return id, nil +} + func (p *Pipeline) FetchGit(ctx context.Context, op *compiler.Value, st llb.State) (llb.State, error) { remote, err := op.Lookup("remote").String() if err != nil { @@ -796,9 +805,7 @@ func (p *Pipeline) FetchGit(ctx context.Context, op *compiler.Value, st llb.Stat gitOpts := []llb.GitOption{} var opts struct { - AuthTokenSecret string - AuthHeaderSecret string - KeepGitDir bool + KeepGitDir bool } if err := op.Decode(&opts); err != nil { @@ -808,11 +815,20 @@ func (p *Pipeline) FetchGit(ctx context.Context, op *compiler.Value, st llb.Stat if opts.KeepGitDir { gitOpts = append(gitOpts, llb.KeepGitDir()) } - if opts.AuthTokenSecret != "" { - gitOpts = append(gitOpts, llb.AuthTokenSecret(opts.AuthTokenSecret)) + // Secret + if authTokenSecret := op.Lookup("authTokenSecret"); authTokenSecret.Exists() { + id, err := getSecretID(authTokenSecret) + if err != nil { + return st, err + } + gitOpts = append(gitOpts, llb.AuthTokenSecret(id)) } - if opts.AuthHeaderSecret != "" { - gitOpts = append(gitOpts, llb.AuthTokenSecret(opts.AuthHeaderSecret)) + if authHeaderSecret := op.Lookup("authHeaderSecret"); authHeaderSecret.Exists() { + id, err := getSecretID(authHeaderSecret) + if err != nil { + return st, err + } + gitOpts = append(gitOpts, llb.AuthHeaderSecret(id)) } gitOpts = append(gitOpts, llb.WithCustomName(p.vertexNamef("FetchGit %s@%s", remoteRedacted, ref))) diff --git a/stdlib/dagger/op/op.cue b/stdlib/dagger/op/op.cue index 44c2f7dd..3ca37b04 100644 --- a/stdlib/dagger/op/op.cue +++ b/stdlib/dagger/op/op.cue @@ -87,8 +87,8 @@ package op ref: string keepGitDir?: bool // FIXME: the two options are currently ignored until we support buildkit secrets - authTokenSecret?: string | bytes - authHeaderSecret?: string | bytes + authTokenSecret?: _ @dagger(secret) + authHeaderSecret?: _ @dagger(secret) } #FetchHTTP: {