Managing Secrets



Data Injection

Cue can inject data from the command line into your configurations: fields marked with @tag() receive the values passed with the -t flag.

inject.cue

package inject

// @tag() is how we inject data
username: string @tag(username)
password: string @tag(password)

// A schema for DBs with some defaults
#DB: {
	host: string
	port: string | *"5432"
	db:   string | *"mydb"
	user: username
	pass: password

	// interpolate the fields into the connection string
	conn: "postgres://\(user):\(pass)@\(host):\(port)/\(db)"
}

// setup our databases
database: [Env=string]: #DB
database: {
	dev: host: "postgres.dev"
	stg: host: "postgres.stg"
	prd: host: "postgres.prd"
}

# -t key=value sets a tag; -e evaluates a specific value
$ cue eval inject.cue -t username="someone" -t password="abc123" -e database.dev.conn
"postgres://someone:abc123@postgres.dev:5432/mydb"

Combining Files

You can combine multiple Cue files. Note that the secrets struct has the same structure in both files and that the secret file does not have a package name.

app.cue

package app

secrets: {
	username: string
	password: string
}

app: {
	creds: {
		user: secrets.username
		pass: secrets.password
	}
}

secret.cue

secrets: {
	username: "prd-user"
	password: "prd-pass"
}

$ cue eval app.cue secret.cue
secrets: {
    username: "prd-user"
    password: "prd-pass"
}
app: {
    creds: {
        user: "prd-user"
        pass: "prd-pass"
    }
}
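
The following is an added example, not part of the original page: one way to generate the secret.cue file from the Combining Files section at run time, so the values come from the environment instead of being typed as -t password=... arguments, which are recorded in shell history and visible in the process list. The variable names APP_USERNAME and APP_PASSWORD and all function names are assumptions.

```shell
#!/bin/sh
# Added example: generate secret.cue from the environment instead of argv.
# APP_USERNAME / APP_PASSWORD and all function names are assumptions.

# cue_quote VALUE: print VALUE as a CUE double-quoted string literal.
# Backslashes are escaped first, so a "\(" in a secret stays literal text
# instead of being read as CUE interpolation. Control characters are refused.
cue_quote() {
	if [ "$(printf '%s' "$1" | tr -d '[:cntrl:]')" != "$1" ]; then
		echo "cue_quote: control characters are not supported" >&2
		return 1
	fi
	printf '"%s"' "$(printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')"
}

# write_secret_cue FILE: write a package-less secrets struct shaped like the
# one app.cue declares, readable by the owner only.
write_secret_cue() {
	out=$1
	if [ -z "${APP_USERNAME:-}" ] || [ -z "${APP_PASSWORD:-}" ]; then
		echo "write_secret_cue: APP_USERNAME and APP_PASSWORD must be set" >&2
		return 1
	fi
	u=$(cue_quote "$APP_USERNAME") || return 1
	p=$(cue_quote "$APP_PASSWORD") || return 1
	rm -f -- "$out"
	(
		umask 077 # new file gets mode 0600
		printf 'secrets: {\n\tusername: %s\n\tpassword: %s\n}\n' "$u" "$p" >"$out"
	)
}

# eval_app: run the page's "cue eval app.cue secret.cue" against a freshly
# generated file in a private temp directory, then delete it.
# Needs the cue binary and app.cue in the current directory.
eval_app() {
	tmp=$(mktemp -d) || return 1
	rc=0
	{ write_secret_cue "$tmp/secret.cue" &&
		cue eval app.cue "$tmp/secret.cue"; } || rc=$?
	rm -rf -- "$tmp"
	return "$rc"
}
```

As on the page, cue eval prints the resolved secrets to stdout, so keep that output out of shared logs.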

2021 Hofstadter, Inc