Add secret management to the op.#FetchGit operation to fetch private repositories

- Update `op.cue` to support secrets
- Update `pipeline.go` to use authTokenSecret & authHeaderSecret

Signed-off-by: Tom Chauveau <tom.chauveau@epitech.eu>
Tom Chauveau 2021-08-25 17:41:06 +02:00 committed by Guillaume de Rouville
parent 1c6d437d2a
commit d7194f161d
2 changed files with 34 additions and 18 deletions


@ -494,17 +494,11 @@ func (p *Pipeline) mount(ctx context.Context, dest string, mnt *compiler.Value)
} }
// eg. mount: "/foo": secret: mysecret // eg. mount: "/foo": secret: mysecret
if secret := mnt.Lookup("secret"); secret.Exists() { if secret := mnt.Lookup("secret"); secret.Exists() {
if !secret.HasAttr("secret") { id, err := getSecretID(secret)
return nil, fmt.Errorf("invalid secret %q: not a secret", secret.Path().String())
}
idValue := secret.Lookup("id")
if !idValue.Exists() {
return nil, fmt.Errorf("invalid secret %q: no id field", secret.Path().String())
}
id, err := idValue.String()
if err != nil { if err != nil {
return nil, fmt.Errorf("invalid secret id: %w", err) return nil, err
} }
return llb.AddSecret(dest, return llb.AddSecret(dest,
llb.SecretID(id), llb.SecretID(id),
llb.SecretFileOpt(0, 0, 0400), // uid, gid, mask) llb.SecretFileOpt(0, 0, 0400), // uid, gid, mask)
@ -779,6 +773,21 @@ func (p *Pipeline) PushContainer(ctx context.Context, op *compiler.Value, st llb
return st, err return st, err
} }
func getSecretID(secretField *compiler.Value) (string, error) {
if !secretField.HasAttr("secret") {
return "", fmt.Errorf("invalid secret %q: not a secret", secretField.Path().String())
}
idValue := secretField.Lookup("id")
if !idValue.Exists() {
return "", fmt.Errorf("invalid secret %q: no id field", secretField.Path().String())
}
id, err := idValue.String()
if err != nil {
return "", fmt.Errorf("invalid secret id: %w", err)
}
return id, nil
}
func (p *Pipeline) FetchGit(ctx context.Context, op *compiler.Value, st llb.State) (llb.State, error) { func (p *Pipeline) FetchGit(ctx context.Context, op *compiler.Value, st llb.State) (llb.State, error) {
remote, err := op.Lookup("remote").String() remote, err := op.Lookup("remote").String()
if err != nil { if err != nil {
@ -796,8 +805,6 @@ func (p *Pipeline) FetchGit(ctx context.Context, op *compiler.Value, st llb.Stat
gitOpts := []llb.GitOption{} gitOpts := []llb.GitOption{}
var opts struct { var opts struct {
AuthTokenSecret string
AuthHeaderSecret string
KeepGitDir bool KeepGitDir bool
} }
@ -808,11 +815,20 @@ func (p *Pipeline) FetchGit(ctx context.Context, op *compiler.Value, st llb.Stat
if opts.KeepGitDir { if opts.KeepGitDir {
gitOpts = append(gitOpts, llb.KeepGitDir()) gitOpts = append(gitOpts, llb.KeepGitDir())
} }
if opts.AuthTokenSecret != "" { // Secret
gitOpts = append(gitOpts, llb.AuthTokenSecret(opts.AuthTokenSecret)) if authTokenSecret := op.Lookup("authTokenSecret"); authTokenSecret.Exists() {
id, err := getSecretID(authTokenSecret)
if err != nil {
return st, err
} }
if opts.AuthHeaderSecret != "" { gitOpts = append(gitOpts, llb.AuthTokenSecret(id))
gitOpts = append(gitOpts, llb.AuthTokenSecret(opts.AuthHeaderSecret)) }
if authHeaderSecret := op.Lookup("authHeaderSecret"); authHeaderSecret.Exists() {
id, err := getSecretID(authHeaderSecret)
if err != nil {
return st, err
}
gitOpts = append(gitOpts, llb.AuthHeaderSecret(id))
} }
gitOpts = append(gitOpts, llb.WithCustomName(p.vertexNamef("FetchGit %s@%s", remoteRedacted, ref))) gitOpts = append(gitOpts, llb.WithCustomName(p.vertexNamef("FetchGit %s@%s", remoteRedacted, ref)))
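Review bot: getSecretID, added at the end of the PushContainer hunk, has no doc comment, and the `// Secret` comment that introduces the two new lookups in FetchGit does not say what is being resolved. A one-liner on the helper would make its contract explicit, e.g. `// getSecretID checks that secretField carries the "secret" attribute and returns its "id" field, the secret ID handed to llb.`, and `// Secret` could read `// Resolve the optional authTokenSecret/authHeaderSecret references to secret IDs.`. On a getSecretID failure the new branches return `st, err`, which follows the file's existing convention but hands back a partially built state alongside a non-nil error; returning the zero `llb.State{}` there would be the idiomatic form. FetchGit continues past the end of the hunk.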


@ -87,8 +87,8 @@ package op
ref: string ref: string
keepGitDir?: bool keepGitDir?: bool
// FIXME: the two options are currently ignored until we support buildkit secrets // FIXME: the two options are currently ignored until we support buildkit secrets
authTokenSecret?: string | bytes authTokenSecret?: _ @dagger(secret)
authHeaderSecret?: string | bytes authHeaderSecret?: _ @dagger(secret)
} }
#FetchHTTP: { #FetchHTTP: {
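Review bot: The unchanged comment `// FIXME: the two options are currently ignored until we support buildkit secrets` is now stale, since this same commit wires authTokenSecret and authHeaderSecret into llb.AuthTokenSecret and llb.AuthHeaderSecret in pipeline.go. It should be replaced by a description of the fields, e.g. `// Optional secrets used to authenticate against the remote: a token (authTokenSecret) or an auth header (authHeaderSecret), referenced by id`. Because the field type is now `_`, a value without an `id` field is only rejected at runtime by getSecretID, so the comment is the only place the expected shape is stated. The enclosing #FetchGit definition starts outside the hunk.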