#default host command / secrets


runic orchid
#

👋 your guess was correct that this is not possible, for safety & portability reasons - we don't want a random module to be able to execute an arbitrary command on your host; and even if you trust the author of the module, it would make the whole module less portable

#

but, if we found a good way to "virtualize" the command - the way we virtualized directory access with +defaultPath="/foo/bar", then we would gladly do it

#

we would need a way to make the command definition "contextual".

#

@visual yoke may I ask about your specific use case? Depending on that, there may be hope - since cmd: itself is a stopgap for lack of first-class support from Dagger.

#

for example cmd:"op read op://myvault/mytoken" would be unnecessary if dagger had first-class support for 1password... 😇 etc

nova quest
#

s/1password/hashicorp-vault/ and I think you almost nailed @visual yoke use-case... 🙂

runic orchid
#

cc @bronze lynx @quasi sphinx @solar vector that's our lunch discussion 🙂 👆

visual yoke
#

@nova quest pretty much nailed my use case.
I don't want to add the burden of folks having to remember to add either a cmd: that fetches creds or an env variable (that they may need to refresh too).
My stopgap is a Makefile task, but I hate Makefile tasks like this as it means every repo that uses the module(s) will need the same ... AND the cmd.

#

and as things evolve over time any changes need to propagate outwards.

#

atm I have a command that gets a vault token, stores it in a file and also refreshes it if necessary (they expire fairly quickly in our setup).

runic orchid
#

@visual yoke duly noted and yeah, you're not alone. We're going to solve that

#

including @vapid violet and @limber silo who are focusing on the secrets use case specifically

#
Quick script to try a local build of the POC (requires some hacking to get the 1password CLI installed in the dev container)

#!/usr/bin/env dagger shell -q -m github.com/aluzzardi/dagger@secret-providers-poc

# op is only available as amd64 package on alpine
platform=linux/amd64

.container --platform=$platform |
from alpine |
with-exec sh,-c,"echo https://downloads.1password.com/linux/alpinelinux/stable/ >> /etc/apk/repositories" |
with-file \
    /etc/apk/keys/support@1password.com-61ddfc31.rsa.pub \
    $(.http https://downloads.1password.com/linux/keys/alpinelinux/support@1password.com-61ddfc31.rsa.pub) |
with-exec apk,update |
with-exec apk,add,1password-cli |
with-file /bin/dagger $(cli | binary --platform=$platform) |
with-service-binding dagger-engine $(engine | service dev) |
with-env-variable _EXPERIMENTAL_DAGGER_RUNNER_HOST $(engine | service dev | endpoint --scheme=tcp) |
terminal