
Commit 5c7fd97

authored
Support file-mounted secret for cloud-agents (#677)
* support file-mounted secret * sync latest protocol and add file mountable agent secret * fix overwrite confirm bug * do not display secret kind until cloud-agents is released
1 parent f1503d9 commit 5c7fd97

1 file changed

+42
-5
lines changed

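--- a/cmd/lk/agent.go
+++ b/cmd/lk/agent.go
@@ -37,6 +37,10 @@ import (
 "github.com/livekit/protocol/logger"
 )
 
+const (
+maxSecretFileSize = 1024 * 1024 // 1MB
+)
+
 var (
 idFlag = func(required bool) *cli.StringFlag {
 return &cli.StringFlag{
@@ -65,6 +69,12 @@ var (
 Required: false,
 }
 
+secretsMountFlag = &cli.StringSliceFlag{
+Name: "secret-mount",
+Usage: "Local path to a secret file to be mounted on agent environment",
+Required: false,
+}
+
 logTypeFlag = &cli.StringFlag{
 Name: "log-type",
 Usage: "Type of logs to retrieve. Valid values are 'deploy' and 'build'",
@@ -142,6 +152,7 @@ var (
 Flags: []cli.Flag{
 secretsFlag,
 secretsFileFlag,
+secretsMountFlag,
 silentFlag,
 regionFlag,
 skipSDKCheckFlag,
@@ -185,6 +196,7 @@ var (
 Flags: []cli.Flag{
 secretsFlag,
 secretsFileFlag,
+secretsMountFlag,
 skipSDKCheckFlag,
 },
 // NOTE: since secrets may contain commas, or indeed any special character we might want to treat as a flag separator,
@@ -210,6 +222,7 @@ var (
 Flags: []cli.Flag{
 secretsFlag,
 secretsFileFlag,
+secretsMountFlag,
 },
 // NOTE: since secrets may contain commas, or indeed any special character we might want to treat as a flag separator,
 // we disable it entirely here and require multiple --secrets flags to be used.
@@ -302,6 +315,7 @@ var (
 Flags: []cli.Flag{
 secretsFlag,
 secretsFileFlag,
+secretsMountFlag,
 idFlag(false),
 &cli.BoolFlag{
 Name: "overwrite",
@@ -1041,6 +1055,7 @@ func listAgentSecrets(ctx context.Context, cmd *cli.Command) error {
 return fmt.Errorf("unable to list agent secrets: %w", err)
 }
 
+// TODO (steveyoon): show secret.Kind.String() once cloud-agents is released
 table := util.CreateTable().
 Headers("Name", "Created At", "Updated At")
 
@@ -1080,10 +1095,9 @@ func updateAgentSecrets(ctx context.Context, cmd *cli.Command) error {
 ).Run(); err != nil {
 return err
 }
-}
-
-if !confirmOverwrite {
-return nil
+if !confirmOverwrite {
+return nil
+}
 }
 
 req := &lkproto.UpdateAgentSecretsRequest{
@@ -1184,17 +1198,39 @@ func requireSecrets(_ context.Context, cmd *cli.Command, required, lazy bool) ([
 silent := cmd.Bool("silent")
 secrets := make(map[string]*lkproto.AgentSecret)
 
+mountableSecretFiles := cmd.StringSlice("secret-mount")
+for _, filePath := range mountableSecretFiles {
+fileInfo, err := os.Stat(filePath)
+if err != nil {
+return nil, fmt.Errorf("failed to get secret file: %w", err)
+}
+if fileInfo.Size() > maxSecretFileSize {
+return nil, fmt.Errorf("secret file size is too large (must be under %d MB): %s", maxSecretFileSize/(1024*1024), filePath)
+}
+fileContent, err := os.ReadFile(filePath)
+if err != nil {
+return nil, fmt.Errorf("failed to read secret file: %w", err)
+}
+name := fileInfo.Name()
+agentSecret := &lkproto.AgentSecret{
+Name: name,
+Value: []byte(fileContent),
+Kind: lkproto.AgentSecretKind_AGENT_SECRET_KIND_FILE,
+}
+secrets[name] = agentSecret
+}
+
 if values, err := parseKeyValuePairs(cmd, "secrets"); err != nil {
 return nil, fmt.Errorf("failed to parse secrets: %w", err)
 } else {
 for key, val := range values {
 agentSecret := &lkproto.AgentSecret{
 Name: key,
 Value: []byte(val),
+Kind: lkproto.AgentSecretKind_AGENT_SECRET_KIND_ENVIRONMENT,
 }
 secrets[key] = agentSecret
 }
-
 }
 
 shouldReadFromDisk := cmd.IsSet("secrets-file") || !lazy || (required && len(secrets) == 0)
@@ -1215,6 +1251,7 @@ func requireSecrets(_ context.Context, cmd *cli.Command, required, lazy bool) ([
 secret := &lkproto.AgentSecret{
 Name: k,
 Value: []byte(v),
+Kind: lkproto.AgentSecretKind_AGENT_SECRET_KIND_ENVIRONMENT,
 }
 secrets[k] = secret
 }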
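Review bot: In the `--secret-mount` loop added to `requireSecrets`, the size limit is checked on the result of `os.Stat` and the content is then read by a separate `os.ReadFile`, so the 1 MB bound does not hold for a path that is not a regular file (its reported size need not match what a read returns) or for a file that changes between the two calls. Opening the file once, rejecting anything where `Mode().IsRegular()` is false, and reading through `io.LimitReader(f, maxSecretFileSize+1)` would apply the limit to the bytes that are actually sent; this needs `io` in the import block, which is only partly visible here. The secret name is the path's base name, so two mounts sharing a file name, or a `--secrets` key equal to a mounted file name, silently replace one another in the `secrets` map, and an explicit duplicate check would surface that instead. `requireSecrets` begins and ends outside these hunks.

```go
for _, filePath := range mountableSecretFiles {
	f, err := os.Open(filePath)
	if err != nil {
		return nil, fmt.Errorf("failed to open secret file: %w", err)
	}
	fileInfo, err := f.Stat()
	if err == nil && !fileInfo.Mode().IsRegular() {
		err = fmt.Errorf("not a regular file: %s", filePath)
	}
	var fileContent []byte
	if err == nil {
		// Read one byte past the limit so an oversized or growing file is still detected.
		fileContent, err = io.ReadAll(io.LimitReader(f, maxSecretFileSize+1))
	}
	f.Close()
	if err != nil {
		return nil, fmt.Errorf("failed to read secret file: %w", err)
	}
	if len(fileContent) > maxSecretFileSize {
		return nil, fmt.Errorf("secret file size is too large (must be under %d MB): %s", maxSecretFileSize/(1024*1024), filePath)
	}
	name := fileInfo.Name()
	if _, dup := secrets[name]; dup {
		return nil, fmt.Errorf("duplicate secret name %q from secret-mount path %s", name, filePath)
	}
	// … unchanged: build the AGENT_SECRET_KIND_FILE AgentSecret and store it in secrets[name] …
}
```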
