Add SecretStdin to Container.WithExec options
sagikazarmark opened this issue · comments
What are you trying to do?
Pass a Secret to a command's stdin (without having to resolve it first):
```go
secret := dag.SetSecret()
ctr.WithExec(
	[]string{"helm", "login", "--username", "foo", "--password-stdin"},
	ContainerWithExecOpts{SecretStdin: secret},
)
```
Why is this important to you?
Passing secrets to commands in plaintext isn't particularly safe. Although the documentation says that logs are scrubbed from secrets, who knows...
How are you currently working around this?
I'm passing the secret to the command as plaintext 🙈
I typically trust ENV vars for secrets. This is how I use them:
```go
secret := dag.SetSecret()
ctr.
	WithSecretVariable("mysupersecret", secret).
	WithExec(
		[]string{"sh", "-c", "helm login --username foo --password $mysupersecret"},
	)
```
You can also clean up the env var after the withExec if you don't care to keep it there beyond the exec. These are well masked in the logs in my experience.
Fix for docs here - #7232
This is why I don't like private conversations, but it's my fault this time. 😄
That's what I ended up doing here: https://github.com/sagikazarmark/daggerverse/pull/78/files#diff-beaf12926edc465430f49c65836319776edbc52ad35bb38065b8df5bdf2bf301R138-R162
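Added example (not part of the thread or of Dagger's own code): the `sh -c` string from the env-var workaround above has the shell expand `$mysupersecret` into the command's arguments, while piping the same variable into a `--password-stdin` style flag keeps it out of argv. It is written in shell because the string handed to `sh -c` is what decides this; `login-stub` is a hypothetical stand-in for the real CLI and the secret value is constructed.

```shell
#!/bin/sh
set -eu

# Constructed sample value, standing in for what WithSecretVariable injects.
mysupersecret='constructed-example-secret'
export mysupersecret

# Hypothetical stand-in for the real CLI: reports the argv it was started with
# (what `ps` or /proc/<pid>/cmdline would expose) and how many bytes it read on stdin.
STUB_DIR=$(mktemp -d)
trap 'rm -rf "$STUB_DIR"' EXIT
STUB="$STUB_DIR/login-stub"
export STUB
cat > "$STUB" <<'EOF'
#!/bin/sh
printf 'argv=%s stdin_bytes=%s\n' "$*" "$(wc -c | tr -d ' ')"
EOF

# Same shape as the thread's workaround: sh expands the variable before the
# command starts, so the secret becomes one of the child's arguments.
run_expanded() {
    sh -c 'sh "$STUB" --username foo --password $mysupersecret' </dev/null
}

# The variable is only expanded for printf (a shell builtin in common shells);
# the child receives the secret on stdin and argv carries just the flag.
run_stdin() {
    sh -c 'printf %s "$mysupersecret" | sh "$STUB" --username foo --password-stdin'
}

echo "expanded: $(run_expanded)"
echo "stdin:    $(run_stdin)"
```

Log scrubbing acts on output, so it does not change what other processes in the same container can read from the process table while the command runs.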