# Missing default value support for Secrets and Sockets
Hi @stuck wasp , we just shipped support for user-defined defaults via .env to solve this problem. Let me find a link for you
tldr any argument that you can pass via a CLI flag, you can also set as a .env variable
for example:
dagger call -m mymodule deploy --docker-socket=/var/run/docker.sock --aws-config=~/.aws/foo
mymodule_deploy_dockerSocket=/var/run/docker.sock
mymodule_deploy_aws_config=~/.aws/foo
it's still an extra hop that a user needs to do, and isn't encapsulated within the function... and I have a big list of them
Encapsulating it would break the sandbox. You don't want a third party module to have unrestricted access to your host directory or credentials. That is the tradeoff we built from.
We started from reliable sandboxing, and are gradually layering convenience on top
In CI usually it's a non-issue because you only set up your environment once.
For local dev, it does add friction to onboarding each dev. We'd like to make it easy to centralize distribution of local config, if you don't already have your own way of doing that (many platform teams do, and prefer to use their own)
Lastly: those .env files won't contain secret plaintext, only references. So it's an option to check them into git, in case it makes distributing them easier.
I understand the security concern here, but how are mounting a secret or a regular mount from the host that can have a default any different?
Default directory path is rooted in the contextual git repo. You cannot escape the repo.
Here's an example from our own repo: https://github.com/dagger/dagger/blob/main/toolchains/docs-dev/main.go
(sorry it's in Go, but translates pretty directly)
I'll try using the .env for all of the defaults, see if it's making it a better experience, I'll maybe have a nice AWS cred of all kinds example in the end to share
agreed, we need more up-to-date examples
btw for secrets you can reference env variables but also terraform vault & 1password directly
I understand that, but when doing things like OKTA integration of all sorts, it's a bit more complicated and most flows work with temporary creds on disk
my job is to make my developers happy, they already hate me a lot 🙂
cmd:// might help in your case, it references a command to execute on the host, and uses stdout as the secret value (typical example: aws-vault)