feat: add sqlite credential store #853
Closed
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Grant Linville <[email protected]>
g-linville
commented
Sep 18, 2024
| @@ -11,6 +11,7 @@ require ( | |||
| github.com/docker/docker-credential-helpers v0.8.1 | |||
| github.com/fatih/color v1.17.0 | |||
| github.com/getkin/kin-openapi v0.124.0 | |||
| github.com/glebarez/sqlite v1.11.0 | |||
There was a problem hiding this comment.
This is the pure Go SQLite driver for GORM.
g-linville
commented
Sep 18, 2024
Comment on lines
+41
to
+42
| k8s.io/apimachinery v0.31.1 | ||
| k8s.io/apiserver v0.31.1 |
There was a problem hiding this comment.
I got approval from Darren to include whatever k8s dependencies were necessary to do encryption the same way we did it in mink.
Signed-off-by: Grant Linville <[email protected]>
g-linville
requested review from
drpebcak,
thedadams,
StrongMonkey and
tylerslaton
|
Temporarily moved back to draft because I found a bug in my stacked credentials implementation. Working on it... |
Signed-off-by: Grant Linville <[email protected]>
|
Should be good now. |
Signed-off-by: Grant Linville <[email protected]>
|
Closing this since I am going to reimplement it as a separate application that we use as a credential helper. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This adds a new credential store option,
sqlite, which uses a pure Go SQLite driver with GORM to store credentials in a local SQLite database file.By default, the SQLite file will be created at
<xdg config dir>/gptscript/credentials.db, though this can be overridden with an environment variable. We also check for a KubernetesEncryptionConfigurationfile at<xdg config dir>/gptscript/encryptionconfig.yaml(this path can also be overridden with an environment variable). If this config file is present, we use it for configuration. We can do AES-GCM with a locally stored key, or something fancier like a KMS v2 plugin to support AWS KMS or some other third party service.Here is an example encryptionconfig.yaml to use AES-GCM:
For now I think we want to leave this undocumented? Let me know if I should remove the references to it in the error output (the output we display to the user when they configure an invalid credential store in their config file).