feat: pass secrets to agent via Manifest

evgeniy-scherbina · evgeniy-scherbina · commit ed1d05d1563b · 2025-07-23T20:36:33.000Z
diff --git a/agent/agent.go b/agent/agent.go
@@ -1410,6 +1410,8 @@ func (a *agent) updateCommandEnv(current []string) (updated []string, err error)
 	}
 	envs["PATH"] = fmt.Sprintf("%s%c%s", a.scriptRunner.ScriptBinDir(), filepath.ListSeparator, envs["PATH"])
 
+	//for _, manifest.
+
 	for k, v := range envs {
 		updated = append(updated, fmt.Sprintf("%s=%s", k, v))
 	}
diff --git a/agent/proto/agent.pb.go b/agent/proto/agent.pb.go
diff --git a/agent/proto/agent.proto b/agent/proto/agent.proto
@@ -99,7 +99,7 @@ message Manifest {
 	repeated WorkspaceAgentMetadata.Description metadata = 12;
 	repeated WorkspaceAgentDevcontainer devcontainers = 17;
 
-  map<string,Secret> user_secrets = 19;
+  repeated Secret user_secrets = 19;
 }
 
 message Secret {
diff --git a/coderd/agentapi/manifest.go b/coderd/agentapi/manifest.go
@@ -97,6 +97,8 @@ func (a *ManifestAPI) GetManifest(ctx context.Context, _ *agentproto.GetManifest
 		return nil, xerrors.Errorf("fetching workspace agent data: %w", err)
 	}
 
+	_ = userSecrets
+
 	appSlug := appurl.ApplicationURL{
 		AppSlugOrPort: "{{port}}",
 		AgentName:     workspaceAgent.Name,
@@ -153,10 +155,10 @@ func (a *ManifestAPI) GetManifest(ctx context.Context, _ *agentproto.GetManifest
 	}, nil
 }
 
-func dbUserSecretsToProto(userSecrets []database.UserSecret) map[string]*agentproto.Secret {
-	userSecretsProto := make(map[string]*agentproto.Secret)
-	for _, userSecret := range userSecrets {
-		userSecretsProto[userSecret.Name] = &agentproto.Secret{
+func dbUserSecretsToProto(userSecrets []database.UserSecret) []*agentproto.Secret {
+	userSecretsProto := make([]*agentproto.Secret, 0)
+	for i, userSecret := range userSecrets {
+		userSecretsProto[i] = &agentproto.Secret{
 			Name:     userSecret.Name,
 			EnvName:  userSecret.EnvName,
 			FilePath: userSecret.FilePath,
diff --git a/codersdk/agentsdk/agentsdk.go b/codersdk/agentsdk/agentsdk.go
@@ -114,6 +114,7 @@ type Manifest struct {
 	Metadata                 []codersdk.WorkspaceAgentMetadataDescription `json:"metadata"`
 	Scripts                  []codersdk.WorkspaceAgentScript              `json:"scripts"`
 	Devcontainers            []codersdk.WorkspaceAgentDevcontainer        `json:"devcontainers"`
+	UserSecrets              []codersdk.UserSecret                        `json:"user_secrets"`
 }
 
 type LogSource struct {
diff --git a/codersdk/agentsdk/convert.go b/codersdk/agentsdk/convert.go
@@ -43,6 +43,11 @@ func ManifestFromProto(manifest *proto.Manifest) (Manifest, error) {
 	if err != nil {
 		return Manifest{}, xerrors.Errorf("error converting workspace agent devcontainers: %w", err)
 	}
+	userSecrets, err := SecretsFromProto(manifest.UserSecrets)
+	if err != nil {
+		return Manifest{}, xerrors.Errorf("error converting workspace agent devcontainers: %w", err)
+	}
+
 	return Manifest{
 		ParentID:                 parentID,
 		AgentID:                  agentID,
@@ -62,6 +67,7 @@ func ManifestFromProto(manifest *proto.Manifest) (Manifest, error) {
 		DisableDirectConnections: manifest.DisableDirectConnections,
 		Metadata:                 MetadataDescriptionsFromProto(manifest.Metadata),
 		Devcontainers:            devcontainers,
+		UserSecrets:              userSecrets,
 	}, nil
 }
 
@@ -449,3 +455,23 @@ func ProtoFromDevcontainer(dc codersdk.WorkspaceAgentDevcontainer) *proto.Worksp
 		ConfigPath:      dc.ConfigPath,
 	}
 }
+
+func SecretsFromProto(pss []*proto.Secret) ([]codersdk.UserSecret, error) {
+	ret := make([]codersdk.UserSecret, len(pss))
+	for i, ps := range pss {
+		secret, err := SecretFromProto(ps)
+		if err != nil {
+			return nil, xerrors.Errorf("parse secret %v: %w", i, err)
+		}
+		ret[i] = secret
+	}
+	return ret, nil
+}
+
+func SecretFromProto(ps *proto.Secret) (codersdk.UserSecret, error) {
+	return codersdk.UserSecret{
+		Name:     ps.Name,
+		EnvName:  ps.EnvName,
+		FilePath: ps.FilePath,
+	}, nil
+}

Original file line number	Diff line number	Diff line change
`@@ -1410,6 +1410,8 @@ func (a *agent) updateCommandEnv(current []string) (updated []string, err error)`
`1410`	`1410`	`}`
`1411`	`1411`	`envs["PATH"] = fmt.Sprintf("%s%c%s", a.scriptRunner.ScriptBinDir(), filepath.ListSeparator, envs["PATH"])`
`1412`	`1412`
	`1413`	`+ //for _, manifest.`
	`1414`	`+`
`1413`	`1415`	`for k, v := range envs {`
`1414`	`1416`	`updated = append(updated, fmt.Sprintf("%s=%s", k, v))`
`1415`	`1417`	`}`
Original file line number	Diff line number	Diff line change
`@@ -99,7 +99,7 @@ message Manifest {`
`99`	`99`	`repeated WorkspaceAgentMetadata.Description metadata = 12;`
`100`	`100`	`repeated WorkspaceAgentDevcontainer devcontainers = 17;`
`101`	`101`
`102`		`- map<string,Secret> user_secrets = 19;`
	`102`	`+ repeated Secret user_secrets = 19;`
`103`	`103`	`}`
`104`	`104`
`105`	`105`	`message Secret {`
Original file line number	Diff line number	Diff line change
`@@ -114,6 +114,7 @@ type Manifest struct {`
`114`	`114`	Metadata []codersdk.WorkspaceAgentMetadataDescription `json:"metadata"`
`115`	`115`	Scripts []codersdk.WorkspaceAgentScript `json:"scripts"`
`116`	`116`	Devcontainers []codersdk.WorkspaceAgentDevcontainer `json:"devcontainers"`
	`117`	+ UserSecrets []codersdk.UserSecret `json:"user_secrets"`
`117`	`118`	`}`
`118`	`119`
`119`	`120`	`type LogSource struct {`