Add secret management to op.#FetchGit operation to fetch private repository

- Update `op.cue` to support secrets - Update `pipeline.go` to use authTokenSecret & authHeaderSecret Signed-off-by: Tom Chauveau <tom.chauveau@epitech.eu>
2021-08-25 17:41:06 +02:00 · 2021-08-25 17:41:06 +02:00 · d7194f161d
commit d7194f161d
parent 1c6d437d2a
2 changed files with 34 additions and 18 deletions
--- a/environment/pipeline.go
+++ b/environment/pipeline.go
@ -494,17 +494,11 @@ func (p *Pipeline) mount(ctx context.Context, dest string, mnt *compiler.Value)
 	}
 	// eg. mount: "/foo": secret: mysecret
 	if secret := mnt.Lookup("secret"); secret.Exists() {
-		if !secret.HasAttr("secret") {
-			return nil, fmt.Errorf("invalid secret %q: not a secret", secret.Path().String())
-		}
-		idValue := secret.Lookup("id")
-		if !idValue.Exists() {
-			return nil, fmt.Errorf("invalid secret %q: no id field", secret.Path().String())
-		}
-		id, err := idValue.String()
+		id, err := getSecretID(secret)
 		if err != nil {
-			return nil, fmt.Errorf("invalid secret id: %w", err)
+			return nil, err
 		}
+
 		return llb.AddSecret(dest,
 			llb.SecretID(id),
 			llb.SecretFileOpt(0, 0, 0400), // uid, gid, mask)
@ -779,6 +773,21 @@ func (p *Pipeline) PushContainer(ctx context.Context, op *compiler.Value, st llb
 	return st, err
 }

+func getSecretID(secretField *compiler.Value) (string, error) {
+	if !secretField.HasAttr("secret") {
+		return "", fmt.Errorf("invalid secret %q: not a secret", secretField.Path().String())
+	}
+	idValue := secretField.Lookup("id")
+	if !idValue.Exists() {
+		return "", fmt.Errorf("invalid secret %q: no id field", secretField.Path().String())
+	}
+	id, err := idValue.String()
+	if err != nil {
+		return "", fmt.Errorf("invalid secret id: %w", err)
+	}
+	return id, nil
+}
+
 func (p *Pipeline) FetchGit(ctx context.Context, op *compiler.Value, st llb.State) (llb.State, error) {
 	remote, err := op.Lookup("remote").String()
 	if err != nil {
@ -796,8 +805,6 @@ func (p *Pipeline) FetchGit(ctx context.Context, op *compiler.Value, st llb.Stat

 	gitOpts := []llb.GitOption{}
 	var opts struct {
-		AuthTokenSecret  string
-		AuthHeaderSecret string
 		KeepGitDir bool
 	}

@ -808,11 +815,20 @@ func (p *Pipeline) FetchGit(ctx context.Context, op *compiler.Value, st llb.Stat
 	if opts.KeepGitDir {
 		gitOpts = append(gitOpts, llb.KeepGitDir())
 	}
-	if opts.AuthTokenSecret != "" {
-		gitOpts = append(gitOpts, llb.AuthTokenSecret(opts.AuthTokenSecret))
+	// Secret
+	if authTokenSecret := op.Lookup("authTokenSecret"); authTokenSecret.Exists() {
+		id, err := getSecretID(authTokenSecret)
+		if err != nil {
+			return st, err
 		}
-	if opts.AuthHeaderSecret != "" {
-		gitOpts = append(gitOpts, llb.AuthTokenSecret(opts.AuthHeaderSecret))
+		gitOpts = append(gitOpts, llb.AuthTokenSecret(id))
+	}
+	if authHeaderSecret := op.Lookup("authHeaderSecret"); authHeaderSecret.Exists() {
+		id, err := getSecretID(authHeaderSecret)
+		if err != nil {
+			return st, err
+		}
+		gitOpts = append(gitOpts, llb.AuthHeaderSecret(id))
 	}

 	gitOpts = append(gitOpts, llb.WithCustomName(p.vertexNamef("FetchGit %s@%s", remoteRedacted, ref)))
--- a/stdlib/dagger/op/op.cue
+++ b/stdlib/dagger/op/op.cue
@ -87,8 +87,8 @@ package op
 	ref:         string
 	keepGitDir?: bool
 	// FIXME: the two options are currently ignored until we support buildkit secrets
-	authTokenSecret?:  string | bytes
-	authHeaderSecret?: string | bytes
+	authTokenSecret?:  _ @dagger(secret)
+	authHeaderSecret?: _ @dagger(secret)
 }

 #FetchHTTP: {