Are environment variables expanded within WithExec() commands (could be an apko issue)? | Dagger | Page 1

idle gust Apr 3, 2024, 1:22 PM

#

I have failed to get my apko Dagger module to successfully publish to ghcr.io. I have created a PAT token for experimenting, and I can successfully log into ghcr.io and publish using apko directly.

However, I always get an authentication failure when I run this within my Dagger module.

Code snippet:

ctr := dag.Container().From("cgr.dev/chainguard/apko")

if registry != "" && username != "" && password != nil {
    ctr = ctr.WithSecretVariable("REGISTRY_TOKEN", password).
        WithExec([]string{"login", registry, "-u", username, "-p", "$REGISTRY_TOKEN"})
    }

return ctr.
    WithWorkdir("apko").
    WithFile("apko.yaml", a.Cfg).
    WithExec(cmd).
    Stdout(ctx)

ℹ️            | publishing index tag ghcr.io/purpleclay/dagger-cli:0.10.3
Error: publishing image index: failed to publish: PUT https://ghcr.io/v2/purpleclay/dagger-cli/manifests/0.10.3: UNAUTHORIZED: unauthenticated: User cannot be authenticated with the token provided.

I currently pass in the registry details as parameters, with the password being a secret:

dagger call -m github.com/purpleclay/daggerverse/apko@v0.3.0 load --cfg apko.yaml publish --ref "ghcr.io/purpleclay/dagger-cli:0.10.3" --registry ghcr.io --username purpleclay --password env:GHCR_TOKEN

The issue appears with the WithExec command not picking up the environment variable. It feels like it is using the string $REGISTRY_TOKEN as a Raw value. Should I be wrapping this up as a script?

#

I tried using WithRegistryAuth but that makes no difference with apko.

fossil plinth Apr 3, 2024, 1:25 PM

#

If you want to have expansion, you need to use sh

#

something like []string{"sh", "-c", "command goes here"}

#

but also, you should avoid having secrets used like that - ideally they should just be passed as env vars

#

see https://smallstep.com/blog/command-line-secrets/#directly-in-the-command

Smallstep

How to Handle Secrets on the Command Line

How to keep secret credentials safe on the command line.

idle gust Apr 3, 2024, 2:03 PM

#

fossil plinth see https://smallstep.com/blog/command-line-secrets/#directly-in-the-command

Good article btw ... thanks

#

I'll try a few things. I am leaning towards injecting the secret as a file and then piping it into STDIN. Looking at the apko login command, it has the following flag --password-stdin

idle gust Apr 3, 2024, 7:01 PM

#

In the end, I got it to work like this:

ctr = ctr.WithEnvVariable("REGISTRY", registry).
  WithEnvVariable("REGISTRY_USER", username).
  WithSecretVariable("REGISTRY_PASSWORD", password).
  WithExec([]string{"sh", "-c", "apko login $REGISTRY -u $REGISTRY_USER -p $REGISTRY_PASSWORD"})

#

Thanks for the advice @fossil plinth

rocky warren Apr 3, 2024, 9:23 PM

#

@idle gust are you developing your own apko module from scratch, or starting from an existing one?

#

I've used this one for one of my own modules: https://daggerverse.dev/mod/github.com/vito/daggerverse/apko@2426612a29e6308bbab8bfef7c966b2a84683a38

apko :: Daggerverse

Builds containers from simple lists of packages using the Apko CLI.

#Are environment variables expanded within WithExec() commands (could be an apko issue)?