# I am trying to use a secret value as input that does not need the secret.
Hi @errant sinew,
I am surprised that the SOPS part has been translated to Dagger v0.3: https://github.com/dagger/dagger/issues/3442
What you want is a way to transform a secret, at runtime, into a text field (which would be secure?). Could you please be more specific: which API do you want to use?
The way I usually retrieve the value of a secret is by relying on an env variable (inside a container): FOO=$(cat /path/to/secret/in/file)
Hi, @twilit crystal
I'm trying to generate some cue object that will become a write file at some point or a mount to be used as a configuration file for some commands in the pipeline.
The thing is that I have defined the schema and some non-secret values in cue, but AWS secrets and some other things are in a SOPS encrypted file. So I want to merge the secret values with the values defined in the cue.
Do you have a small repro? It is totally doable. But do you want to export the secret back?
Secrets are a special type on dagger-cue, as they never appear inside the cue DAG per se (to make sure that it never leaks inside any cache). Also, they have the property to never leak on stdout (it's a buildkit feature).
In general, to do what you want to do, I mount the secret in a container, do the concatenation there, as it is safe. However, manipulating the secret and creating a new file might make it unsafe. It really depends on your use case 😇
Ok, so what you are trying to do is documented here: https://docs.dagger.io/sdk/cue/233781/secrets/#sops
By exporting a secret back as a YAML, it becomes accessible back in the DAG.
Which means that it should normally be accessible as a string when you reference back the key. You might have to do (secrets.output.myToken.contents) to force the cast as a string (not in the above example).
I'll try and see...
My bad, it doesn't work: https://github.com/dagger/dagger/blob/v0.2.19/pkg/dagger.io/dagger/core/secrets.cue#L7-L19
As it retrieves a secret too 🤣 Do you mind if I reply tomorrow? It's getting late here. I'll prepare a small repro.
I've kind of followed the steps in the docs above.
And the first place I ran into an issue with this was to provide the auth to docker.#Pull.
The username field does not work, but the secret field does.

auth?: {
    username: string
    secret: dagger.#Secret
}

And they come from

registry:
  registry_name:
    username: theUser name
    password: theUser password