kjuulh/dagger
Archived
1
0
Fork 0
Code Issues 1 Pull Requests 1 Projects Releases Wiki Activity

buildkit secrets support

Browse Source 
- Secrets are never exposed in plaintext in the Cue tree. `dagger query`
  won't dump secrets anymore, Cue errors won't contain them either.
- BuildKit-native secrets support through a new `mount` type. This
  ensures secrets will never be part of containerd layers, buildkit
  cache and generally speaking will never be saved to disk in plaintext.
- Updated netlify as an example
- Added tests
- Changed the Cue definition of a secret to:

```
	@dagger(secret)

	id: string
}
```

This is to ensure both that setting the wrong input type on a secret
(e.g. `dagger input text`) will fail, and attempting to misuse the
secret (e.g. interpolating, passing as an env variable, etc) will also
fail properly.

Signed-off-by: Andrea Luzzardi <aluzzardi@gmail.com>
This commit is contained in:
Andrea Luzzardi
2021-05-25 18:56:16 -07:00
parent 15f4c4877d
commit 9c0e2d1d95
15 changed files with 244 additions and 59 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
tests/compute.bats
View File

@@ -67,6 +67,33 @@ setup() {
assert_line '{"in":"foobar","test":"received: foobar"}'
}
@test "compute: secrets" {
# secrets used as environment variables must fail
run "$DAGGER" compute "$TESTDIR"/compute/secrets/invalid/env
assert_failure
assert_line --partial "conflicting values"
# strings passed as secrets must fail
run "$DAGGER" compute "$TESTDIR"/compute/secrets/invalid/string
assert_failure
# Setting a text input for a secret value should fail
run "$DAGGER" compute --input-string 'mySecret=SecretValue' "$TESTDIR"/compute/secrets/simple
assert_failure
# Now test with an actual secret and make sure it works
"$DAGGER" init
dagger_new_with_plan secrets "$TESTDIR"/compute/secrets/simple
"$DAGGER" input secret mySecret SecretValue
run "$DAGGER" up
assert_success
# Make sure the secret doesn't show in dagger query
run "$DAGGER" query mySecret.id -f text
assert_success
assert_output "secret=mySecret"
}
@test ".daggerignore" {
"$DAGGER" compute --input-dir TestData="$TESTDIR"/compute/ignore/testdata "$TESTDIR"/compute/ignore
}