OpenSSL cannot read SSH keys mounted as secrets #7220
Comments
When passing a *Secret type file like To reproduce compare mounted file contents from @sagikazarmark's reproduce module. |
Lines 362 to 367 in 030ffc1
This looks like a failure introduced by #6845. cc @kpenfound @sipsma @vito |
👋 from discord
here's the Z unicode category for the reference: thoughts? @kpenfound @jedevc @aweris ? |
Here is an ugly workaround then until it's fixed:

```go
return dag.
	Wolfi().
	Container(WolfiContainerOpts{
		Packages: []string{"git", "openssh"},
	}).
	WithMountedSecret("/ssh-key", sshKey).
	// Copy the mounted secret to a regular, writable file.
	WithExec([]string{"cp", "/ssh-key", "/ssh-key2"}).
	// Append a newline to the copy.
	WithExec([]string{"sh", "-c", "echo '' >> /ssh-key2"}).
	WithExec([]string{"ssh-keygen", "-y", "-f", "/ssh-key2"})
```
Actually, this is a terrible idea: this would result in the ssh key being cached. |
The current implementation trims spaces upon reading the file (ie. |
You could use |
That's a good idea, thank you @marcosnils |
Not affecting secret mounting to dag kinda makes sense but not sure about modifying file content even if it's whitespace. I think this issue would only apply to files like SSH keys or TLS certificates. There are two options available:
Option 2 is kinda ugly but will make both sides happy. |
I don't think we should do this with options at the point of use. Secrets should be marked to do this at point of load. Something like @sipsma's suggestion in #6845 (review) seems reasonable:
That said, I'm almost tempted to suggest reverting #6845 since this is a pretty big edge case, but I have no suggestions to how to otherwise solve the original problem 🤔 So probably not an option. |
After reading this I reconsidered this option and it made sense. The example from #6845, uses |
I'm good with reverting the change to strip newlines. I think we could consider the inverse of my suggestion on that PR and instead support a CLI syntax that does strip newlines for use cases that call for that. But I think this situation proves it's probably better to default to the exact contents of the file/command/env var. |
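The failure mode discussed in this thread, as an added example that is not code from Dagger or from any commenter: it compares a secret's source bytes with the bytes that end up mounted and classifies the difference without printing either value. The `loadTrimmed` model (using `strings.TrimSpace`), the function names, and the sample key text are assumptions constructed for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
)

// Constructed sample: PEM-style framing with a dummy body, not a real key.
const constructedKey = "-----BEGIN OPENSSH PRIVATE KEY-----\n" +
	"Q09OU1RSVUNURUQgU0FNUExFIEJPRFk=\n" +
	"-----END OPENSSH PRIVATE KEY-----\n"

// loadTrimmed models a loader that trims whitespace on read. Using
// strings.TrimSpace here is an assumption, not the engine's actual code.
func loadTrimmed(raw []byte) []byte { return []byte(strings.TrimSpace(string(raw))) }

// classify reports how a mounted secret differs from its source without
// echoing either value, and how many bytes were lost.
func classify(source, mounted []byte) (verdict string, lost int) {
	switch {
	case bytes.Equal(source, mounted):
		return "identical", 0
	case bytes.Equal(bytes.TrimSpace(source), bytes.TrimSpace(mounted)):
		return "whitespace-only", len(source) - len(mounted)
	default:
		return "content-changed", len(source) - len(mounted)
	}
}

// footerTerminated reports whether the last line is a PEM footer followed by
// a newline, which is what the echo-append workaround in the thread restores.
func footerTerminated(b []byte) bool {
	if !bytes.HasSuffix(b, []byte("\n")) {
		return false
	}
	lines := bytes.Split(bytes.TrimRight(b, "\r\n"), []byte("\n"))
	last := bytes.TrimRight(lines[len(lines)-1], "\r")
	return bytes.HasPrefix(last, []byte("-----END ")) && bytes.HasSuffix(last, []byte("-----"))
}

func main() {
	src := []byte(constructedKey)
	mounted := loadTrimmed(src)
	v, n := classify(src, mounted)
	fmt.Println(v, n, footerTerminated(src), footerTerminated(mounted))
}
```

A "whitespace-only" verdict with a non-terminated footer points at trimming on load rather than at a corrupted or wrong key.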
What is the issue?
While working on #7202 I noticed that mounting an SSH key as a secret in a container always leads to
Load key "/ssh-key": error in libcrypto
errors.
Dagger version
dagger v0.11.2 (registry.dagger.io/engine) darwin/arm64
Steps to reproduce
The code reproducing the issue can be found in my daggerverse:
Log output