Add secret management to op.#FetchGit
operation to fetch private repository
- Update `op.cue` to support secrets - Update `pipeline.go` to use authTokenSecret & authHeaderSecret Signed-off-by: Tom Chauveau <tom.chauveau@epitech.eu>
This commit is contained in:
parent
1c6d437d2a
commit
d7194f161d
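--- a/pipeline.go
+++ b/pipeline.go
@@ -494,17 +494,11 @@ func (p *Pipeline) mount(ctx context.Context, dest string, mnt *compiler.Value)
 }
 // eg. mount: "/foo": secret: mysecret
 if secret := mnt.Lookup("secret"); secret.Exists() {
-if !secret.HasAttr("secret") {
-return nil, fmt.Errorf("invalid secret %q: not a secret", secret.Path().String())
-}
-idValue := secret.Lookup("id")
-if !idValue.Exists() {
-return nil, fmt.Errorf("invalid secret %q: no id field", secret.Path().String())
-}
-id, err := idValue.String()
+id, err := getSecretID(secret)
 if err != nil {
-return nil, fmt.Errorf("invalid secret id: %w", err)
+return nil, err
 }
+
 return llb.AddSecret(dest,
 llb.SecretID(id),
 llb.SecretFileOpt(0, 0, 0400), // uid, gid, mask)
@@ -779,6 +773,21 @@ func (p *Pipeline) PushContainer(ctx context.Context, op *compiler.Value, st llb
 return st, err
 }
 
+func getSecretID(secretField *compiler.Value) (string, error) {
+if !secretField.HasAttr("secret") {
+return "", fmt.Errorf("invalid secret %q: not a secret", secretField.Path().String())
+}
+idValue := secretField.Lookup("id")
+if !idValue.Exists() {
+return "", fmt.Errorf("invalid secret %q: no id field", secretField.Path().String())
+}
+id, err := idValue.String()
+if err != nil {
+return "", fmt.Errorf("invalid secret id: %w", err)
+}
+return id, nil
+}
+
 func (p *Pipeline) FetchGit(ctx context.Context, op *compiler.Value, st llb.State) (llb.State, error) {
 remote, err := op.Lookup("remote").String()
 if err != nil {
@@ -796,8 +805,6 @@ func (p *Pipeline) FetchGit(ctx context.Context, op *compiler.Value, st llb.Stat
 
 gitOpts := []llb.GitOption{}
 var opts struct {
-AuthTokenSecret string
-AuthHeaderSecret string
 KeepGitDir bool
 }
 
@@ -808,11 +815,20 @@ func (p *Pipeline) FetchGit(ctx context.Context, op *compiler.Value, st llb.Stat
 if opts.KeepGitDir {
 gitOpts = append(gitOpts, llb.KeepGitDir())
 }
-if opts.AuthTokenSecret != "" {
-gitOpts = append(gitOpts, llb.AuthTokenSecret(opts.AuthTokenSecret))
+// Secret
+if authTokenSecret := op.Lookup("authTokenSecret"); authTokenSecret.Exists() {
+id, err := getSecretID(authTokenSecret)
+if err != nil {
+return st, err
 }
-if opts.AuthHeaderSecret != "" {
-gitOpts = append(gitOpts, llb.AuthTokenSecret(opts.AuthHeaderSecret))
+gitOpts = append(gitOpts, llb.AuthTokenSecret(id))
+}
+if authHeaderSecret := op.Lookup("authHeaderSecret"); authHeaderSecret.Exists() {
+id, err := getSecretID(authHeaderSecret)
+if err != nil {
+return st, err
+}
+gitOpts = append(gitOpts, llb.AuthHeaderSecret(id))
 }
 
 gitOpts = append(gitOpts, llb.WithCustomName(p.vertexNamef("FetchGit %s@%s", remoteRedacted, ref)))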
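Review bot: `getSecretID`, added in the hunk following `PushContainer`, is a new package-level helper with no doc comment, and the `// Secret` line introduced in the `FetchGit` hunk says nothing about what the block below it does. Suggest heading the helper with `// getSecretID checks that secretField carries the @dagger(secret) attribute and returns the value of its "id" field, which callers hand to llb.SecretID, llb.AuthTokenSecret or llb.AuthHeaderSecret.` and replacing `// Secret` with `// Optional secrets used to authenticate against a private remote`. Both `if authTokenSecret := ...` and `if authHeaderSecret := ...` blocks declare `id, err` with `:=` inside the if-initializer scope, which is correct here but shadows the function-level `err`; worth keeping in mind if a later change reads `err` after these blocks.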
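--- a/op.cue
+++ b/op.cue
@@ -87,8 +87,8 @@ package op
 ref: string
 keepGitDir?: bool
 // FIXME: the two options are currently ignored until we support buildkit secrets
-authTokenSecret?: string | bytes
-authHeaderSecret?: string | bytes
+authTokenSecret?: _ @dagger(secret)
+authHeaderSecret?: _ @dagger(secret)
 }
 
 #FetchHTTP: {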
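Review bot: The `// FIXME: the two options are currently ignored until we support buildkit secrets` comment left as context directly above the two changed fields is now stale, since this commit routes `authTokenSecret` and `authHeaderSecret` through `getSecretID` in `pipeline.go`. Replace it with a description of the new contract, e.g. `// Secrets used to authenticate against a private remote; each must be a value carrying the @dagger(secret) attribute`. Changing the field type from `string | bytes` to `_` also removes the schema-level type constraint, so the only remaining validation appears to be the runtime `HasAttr("secret")` check in `getSecretID`; a short sentence in that comment saying a plain string is rejected at runtime would save users a confusing error.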