#Howto debug Publish() -- "invoke: input
Can you please share your full code for the function and the full command you're using to call it?
This is great, and how are you calling it?
Thanks:
dagger call publish --source=. --reg-user="robot$project+drone" --reg-token="secret"
It's a private repo so I have to hide all "private" stuff
Yeah for sure
One thing to note: it looks like you're using string for regToken, but you should be using dagger.Secret to make sure you don't accidentally leak your token
The goal is to self host CI+CD
With k3s+rancher,gitea,harbor,argocd,drone
There's a secret:
```go
pubCt = pubCt.WithRegistryAuth(reg, regUser, dagger.Connect().SetSecret("registry-token", regToken))
```
It's strange that the sha is 2332, is that just some dummy value or is the sha not being calculated correctly here?
registry.example.com/project/container:2332
```go
sha, err := m.GitRev(ctx, source)
if err != nil {
	return "", err
}
```
Yes, but regToken should also be a type Secret
This way you don't need to SetSecret and the token will not be stored in the cache or anything like that
dummy value
Right now you're unintentionally leaking the secret when you call this function
But that is not the core issue. It seems the core issue is that your docker registry url is not correct, it should be
my.registry.address:port/repositoryname:tag
where :port and :tag are optional
I think the /project is causing an issue
If your intent is to publish this to a private registry, there is no way to have a default secret, so it must be passed in. I would not recommend hard coding a default token as a string because this leaks your credential, which is not a recommended practice
I would use the value like this:
```go
func (m *Backend) Publish(
	ctx context.Context,
	source *dagger.Directory,
	// Registry to use.
	// +default="registry.example.com"
	reg string,
	// +default="registry.example.com/project/backend"
	regImage string,
	// Registry API User
	// +default=""
	regUser string,
	// Registry API Token
	regToken *dagger.Secret,
) (string, error) {
```
then
pubCt = pubCt.WithRegistryAuth(reg, regUser, regToken)
lastly store the token as an env var and pass it like this
dagger call publish --source=. --reg-user="robot$project+drone" --reg-token=env:REGISTRY_TOKEN
here's some more info on secrets: https://docs.dagger.io/manuals/developer/secrets/
--
The way you are doing it works but your token is going to be sprinkled throughout the logs in plain text and be stored in the cache. This is not a recommended security practice.
Yeah, that would be a great improvement but it doesn't exist yet.
I am curious, how would you imagine adding this value in?
then I can reg=registry.docker.io, reg-image=registry.docker.io/project/backend and those auth stuff default
with --reg-token=env:REGISTRY_TOKEN
there's a +defaultPath="" I want defaultSecret like defaultPath
So the default would look in the environment, that makes sense. It's important to note that right now dagger modules are designed to be secured in a sandbox that knows nothing about the host environment
things need to be passed in explicitly. We're working on opening up that sandbox where it makes sense, but it's not so simple to find the right balance between convenience and security
Do you mean how I add them to my stack? Via drone secret?
No, I mean if defaultSecret existed, what would you put in as the default value?
Oh sorry I might be confused, what is the purpose of an empty default in your mind?
<-- dumbass
No way haha
having a *dagger.Secret as regToken requires now to put that secret as env, for cli usage there's no requirement to write env:SOME_ENV
else it gives env var "s3c5e$" not found
That works: docker push registry.example.com/project/backend:latest
Yes, but this is the most secure way to do this. It creates a bit of friction but keeps your secret safe.
If someone does not have access to this registry then they should not be able to push to it, right?
Yeah you're right, it works for me too - something else must be wrong then :/
Thanks @tepid cosmos I had 2 mistakes:
1.) GetEnv() function was returning an additional "\n" that got into the image string.
2.) My username had a "$" which wasn't shell escaped.
Fixed. Thanks
I'll publish the whole Pipeline once done with a little explanation on how to self-host CI+CD with Dagger and other open source software.
That is awesome! cc @thin echo
You're on a roll @icy salmon ! I just got back from PTO, but meant to reach out to see if we can have you demo your examples at our community call. I'll DM you https://discord.com/channels/707636530424053791/1281267647367090268