dagger / dagger

An engine to run your pipelines in containers

Home Page: https://dagger.io

Add SecretStdin to Container.WithExec options

sagikazarmark opened this issue

What are you trying to do?

Pass a Secret to a command's stdin (without having to resolve it first):

secret := dag.SetSecret()

ctr.WithExec(
    []string{"helm", "login", "--username", "foo", "--password-stdin"},
    ContainerWithExecOpts{SecretStdin: secret},
)

Why is this important to you?

Passing secrets to commands in plaintext isn't particularly safe. Although the documentation says that logs are scrubbed from secrets, who knows...

How are you currently working around this?

I'm passing the secret to the command as plaintext 🙈

I typically trust ENV vars for secrets. This is how I use them:

secret := dag.SetSecret()

ctr.
    WithSecretVariable("mysupersecret", secret).
    WithExec(
        []string{"sh", "-c", "helm login --username foo --password $mysupersecret"},
    )

You can also clean up the env var after the withExec if you don't care to keep it there beyond the exec. These are well masked in the logs in my experience.

Fix for docs here - #7232

This is why I don't like private conversations, but it's my fault this time. 😄

That's what I ended up doing here: https://github.com/sagikazarmark/daggerverse/pull/78/files#diff-beaf12926edc465430f49c65836319776edbc52ad35bb38065b8df5bdf2bf301R138-R162
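
The thread weighs three ways of handing a secret to a command: on the command line, in an environment variable, and on stdin. The following is an added example, not code from the issue or from Dagger: it uses plain Go `os/exec` on Linux rather than the Dagger SDK, and checks where the secret is observable in `/proc` for each method. `Deliver`, the `PW` variable and the sample secret are hypothetical names constructed for the illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"os/exec"
)

// Deliver (hypothetical helper, Linux only) passes secret to a shell child via
// "argv", "env" or "stdin" and inspects /proc while the child waits on stdin.
func Deliver(mode, secret string) (inArgv, inEnviron bool, got string, err error) {
	var cmd *exec.Cmd
	line := "\n" // argv/env modes: only releases the child's blocked read
	switch mode {
	case "argv":
		cmd = exec.Command("sh", "-c", `read -r x; printf %s "$1"`, "sh", secret)
	case "env":
		cmd = exec.Command("sh", "-c", `read -r x; printf %s "$PW"`)
		cmd.Env = append(os.Environ(), "PW="+secret)
	case "stdin":
		cmd, line = exec.Command("sh", "-c", `IFS= read -r pw; printf %s "$pw"`), secret+"\n"
	default:
		return false, false, "", fmt.Errorf("unknown mode %q", mode)
	}
	var out bytes.Buffer
	cmd.Stdout = &out
	stdin, err := cmd.StdinPipe()
	if err == nil {
		err = cmd.Start()
	}
	if err != nil {
		return false, false, "", err
	}
	dir := fmt.Sprintf("/proc/%d/", cmd.Process.Pid)
	argv, errA := os.ReadFile(dir + "cmdline") // world-readable by default
	env, errE := os.ReadFile(dir + "environ")  // owner and root only
	fmt.Fprint(stdin, line)
	stdin.Close()
	if err = cmd.Wait(); err != nil || errA != nil || errE != nil {
		return false, false, "", fmt.Errorf("wait=%v cmdline=%v environ=%v", err, errA, errE)
	}
	return bytes.Contains(argv, []byte(secret)), bytes.Contains(env, []byte(secret)), out.String(), nil
}

func main() {
	for _, m := range []string{"argv", "env", "stdin"} { // constructed sample secret
		fmt.Println(Deliver(m, "constructed-s3cret"))
	}
}
```

Each output line reads: found in cmdline, found in environ, what the child received, error. Only the stdin mode leaves the secret out of both `/proc` views.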