New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
✨ Make secret name optional #7358
Comments
FYI @jedevc @vito @helderco @aluzzardi I think we may need to revisit the design decisions that led to this point. Since then, we launched functions, modules, and didn't revisit the initial plan of adding "secrets providers". Is the current design still relevant? Do we still need the secret name? |
One use case we have today is when adding secrets to a docker build. The secret name will be turned into the secret's
One problem today is that if you're passing a secret via the CLI, the secret name is an hash. So you currently need to work around that by either creating a new secret inside your function, with the plaintext of the Build arg examplefunc (m *DockerfileSecrets) Build(ctx context.Context, buildContext *Directory, secretFile *Secret) (*Container, error) {
secretName, err := secretFile.Name(ctx)
if err != nil {
return nil, err
}
return buildContext.
DockerBuild(dagger.DirectoryDockerBuildOpts{
BuildArgs: []BuildArg{
{Name: "SECRET_ID", Value: secretName},
},
Secrets: []*Secret{secretFile},
}), nil
} In the docker build, you pass the secrets as Suggestion: add a
|
Forgot that we have a \cc @jedevc |
Honestly, I'm not opposed to removing |
2 questions:
|
How would it work in a docker build as explained in #7358 (comment) ? Could be an input type like + input SecretArg {
+ name: String!
+ value: SecretID!
+ }
type Container {
build(
context: DirectoryID!
dockerfile: String = "Dockerfile"
buildArgs: [BuildArg!] = []
- secrets: [SecretID!] = []
+ secrets: [SecretArg!] = []
target: String = ""
): Container!
} This way I'd agree with removing the name as I can't think of anything else where a name is needed. |
I'm struggling to find a need for it when a normal module seems to do the trick. |
@helderco yeah agreed on your idea for solving docker build. If the only reason for keeping a name is docker build... Better to solve the problem for docker build, and remove the secret name. How does the docker CLI do it? Is it actually a build arg, or a distinct concept of build secret? |
It's a different concept based on the official doc
Which has a unique identifier ( |
What are you trying to do?
I have a function that creates a secret: https://daggerverse.dev/mod/github.com/sagikazarmark/daggerverse/registry-config@b45dbd7448bb967aca4a538af9ce7f042abf0316#RegistryConfig.secret
The current secret API takes a name at the moment:
dag.SetSecret("name", "value")
.I'm not sure, but my guess is that name is supposed to be unique (ie. to make sure there is no interference between calls to the same function).
Why is this important to you?
Right now I'm working around the issue mentioned above by exposing an optional secret name argument in the API. I'd rather not do that.
How are you currently working around this?
I'm planning to generate a secret name based on the content: sagikazarmark/daggerverse#104
That will make sure it's unique enough and won't require me to expose options in the API for the secret name.
The text was updated successfully, but these errors were encountered: