stacklok · dmjb · Mar 26, 2025 · Mar 26, 2025 · Mar 26, 2025 · JAORMX
diff --git a/Taskfile.yml b/Taskfile.yml
@@ -7,6 +7,11 @@ tasks:
       - golangci-lint run ./...
       - go vet ./...
 
+  lint-fix:
+    desc: Run linting tools, and apply fixes.
+    cmds:
+      - golangci-lint run --fix ./...
+
   test:
     desc: Run tests
     cmds:

diff --git a/cmd/vt/main.go b/cmd/vt/main.go
@@ -43,6 +43,7 @@ func init() {
 	rootCmd.AddCommand(rmCmd)
 	rootCmd.AddCommand(proxyCmd)
 	rootCmd.AddCommand(versionCmd)
+	rootCmd.AddCommand(newSecretCommand())
 }
 
 func main() {

diff --git a/cmd/vt/run.go b/cmd/vt/run.go
@@ -25,6 +25,7 @@ var (
 	runNoClientConfig    bool
 	runForeground        bool
 	runVolumes           []string
+	runSecrets           []string
 )
 
 func init() {
@@ -59,6 +60,12 @@ func init() {
 		[]string{},
 		"Mount a volume into the container (format: host-path:container-path[:ro])",
 	)
+	runCmd.Flags().StringArrayVar(
+		&runSecrets,
+		"secret",
+		[]string{},
+		"Specify a secret to be fetched from the secrets manager and set as an environment variable (format: NAME,target=TARGET)",
+	)
 
 	// Add OIDC validation flags
 	AddOIDCFlags(runCmd)
@@ -101,6 +108,7 @@ func runCmdFunc(cmd *cobra.Command, args []string) error {
 		OIDCClientID:      oidcClientID,
 		Debug:             debugMode,
 		Volumes:           runVolumes,
+		Secrets:           runSecrets,
 	}
 
 	// Run the MCP server

diff --git a/cmd/vt/run_common.go b/cmd/vt/run_common.go
@@ -20,6 +20,7 @@ import (
 	"github.com/stacklok/vibetool/pkg/networking"
 	"github.com/stacklok/vibetool/pkg/permissions"
 	"github.com/stacklok/vibetool/pkg/process"
+	"github.com/stacklok/vibetool/pkg/secrets"
 	"github.com/stacklok/vibetool/pkg/transport"
 )
 
@@ -73,6 +74,10 @@ type RunOptions struct {
 	// Volumes are the directory mounts to pass to the container
 	// Format: "host-path:container-path[:ro]"
 	Volumes []string
+
+	// Secrets are the secret parameters to pass to the container
+	// Format: "<secret name>,target=<target environment variable>"
+	Secrets []string
 }
 
 // RunMCPServer runs an MCP server with the specified options
@@ -106,6 +111,22 @@ func RunMCPServer(ctx context.Context, cmd *cobra.Command, options RunOptions) e
 	// Generate a container name if not provided
 	containerName, baseName := container.GetOrGenerateContainerName(options.Name, options.Image)
 
+	// If any secrets are specified, attempt to load them, and add to list of environment variables.
+	if len(runSecrets) > 0 {
+		secretManager, err := secrets.CreateDefaultSecretsManager()
+		if err != nil {
+			return fmt.Errorf("error instantiating secret manager %v", err)
+		}
+		secretVariables, err := environment.ParseSecretParameters(runSecrets, secretManager)
+		if err != nil {
+			return fmt.Errorf("failed to get secrets: %v", err)
+		}
+
+		for key, value := range secretVariables {
+			runEnv = append(runEnv, fmt.Sprintf("%s=%s", key, value))
+		}
+	}
+
 	// Parse transport mode
 	transportType, err := transport.ParseTransportType(options.Transport)
 	if err != nil {

diff --git a/cmd/vt/secret.go b/cmd/vt/secret.go
@@ -0,0 +1,145 @@
+package main
+
+import (
+	"github.com/spf13/cobra"
+
+	"github.com/stacklok/vibetool/pkg/secrets"
+)
+
+func newSecretCommand() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "secret",
+		Short: "Manage secrets",
+		Long:  "The secret command provides subcommands to set, get, delete, and list secrets.",
+	}
+
+	cmd.AddCommand(
+		newSecretSetCommand(),
+		newSecretGetCommand(),
+		newSecretDeleteCommand(),
+		newSecretListCommand(),
+	)
+
+	return cmd
+}
+
+func newSecretSetCommand() *cobra.Command {
+	return &cobra.Command{
+		Use:   "set <name> <value>",
+		Short: "Set a secret",
+		Args:  cobra.ExactArgs(2),
+		Run: func(cmd *cobra.Command, args []string) {
+			name, value := args[0], args[1]
+
+			// Validate input
+			if name == "" {
+				cmd.Println("Error: Secret name cannot be empty")
+				return
+			}
+
+			manager, err := secrets.CreateDefaultSecretsManager()
+			if err != nil {
+				cmd.Printf("Failed to create secrets manager: %v\n", err)
+				return
+			}
+
+			err = manager.SetSecret(name, value)
+			if err != nil {
+				cmd.Printf("Failed to set secret %s: %v\n", name, err)
+				return
+			}
+			cmd.Printf("Secret %s set successfully\n", name)
+		},
+	}
+}
+
+func newSecretGetCommand() *cobra.Command {
+	return &cobra.Command{
+		Use:   "get <name>",
+		Short: "Get a secret",
+		Args:  cobra.ExactArgs(1),
+		Run: func(cmd *cobra.Command, args []string) {
+			name := args[0]
+
+			// Validate input
+			if name == "" {
+				cmd.Println("Error: Secret name cannot be empty")
+				return
+			}
+
+			manager, err := secrets.CreateDefaultSecretsManager()
+			if err != nil {
+				cmd.Printf("Failed to create secrets manager: %v\n", err)
+				return
+			}
+
+			value, err := manager.GetSecret(name)
+			if err != nil {
+				cmd.Printf("Failed to get secret %s: %v\n", name, err)
+				return
+			}
+			cmd.Printf("Secret %s: %s\n", name, value)
+		},
+	}
+}
+
+func newSecretDeleteCommand() *cobra.Command {
+	return &cobra.Command{
+		Use:   "delete <name>",
+		Short: "Delete a secret",
+		Args:  cobra.ExactArgs(1),
+		Run: func(cmd *cobra.Command, args []string) {
+			name := args[0]
+
+			// Validate input
+			if name == "" {
+				cmd.Println("Error: Secret name cannot be empty")
+				return
+			}
+
+			manager, err := secrets.CreateDefaultSecretsManager()
+			if err != nil {
+				cmd.Printf("Failed to create secrets manager: %v\n", err)
+				return
+			}
+
+			err = manager.DeleteSecret(name)
+			if err != nil {
+				cmd.Printf("Failed to delete secret %s: %v\n", name, err)
+				return
+			}
+			cmd.Printf("Secret %s deleted successfully\n", name)
+		},
+	}
+}
+
+func newSecretListCommand() *cobra.Command {
+	return &cobra.Command{
+		Use:   "list",
+		Short: "List all available secrets",
+		Args:  cobra.NoArgs,
+		Run: func(cmd *cobra.Command, _ []string) {
+			manager, err := secrets.CreateDefaultSecretsManager()
+			if err != nil {
+				cmd.Printf("Failed to create secrets manager: %v\n", err)
+				return
+			}
+
+			secretNames, err := manager.ListSecrets()
+			if err != nil {
+				cmd.Printf("Failed to list secrets: %v\n", err)
+				return
+			}
+
+			if len(secretNames) == 0 {
+				cmd.Println("No secrets found")
+				return
+			}
+
+			cmd.Println("Available secrets:")
+			for _, name := range secretNames {
+				cmd.Printf("  - %s\n", name)
+			}
+		},
+	}
+}
diff --git a/go.mod b/go.mod
@@ -13,6 +13,7 @@ require (
 
 require (
 	github.com/Microsoft/go-winio v0.4.14 // indirect
+	github.com/adrg/xdg v0.5.3 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 // indirect
 	github.com/distribution/reference v0.6.0 // indirect

diff --git a/go.sum b/go.sum
@@ -1,5 +1,7 @@
 github.com/Microsoft/go-winio v0.4.14 h1:+hMXMk01us9KgxGb7ftKQt2Xpf5hH/yky+TDA+qxleU=
 github.com/Microsoft/go-winio v0.4.14/go.mod h1:qXqCSQ3Xa7+6tgxaGTIe4Kpcdsi+P8jBhyzoq1bpyYA=
+github.com/adrg/xdg v0.5.3 h1:xRnxJXne7+oWDatRhR1JLnvuccuIeCoBu2rtuLqQB78=
+github.com/adrg/xdg v0.5.3/go.mod h1:nlTsY+NNiCBGCK2tpm09vRqfVzrc2fLmXGpBLF0zlTQ=
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=

diff --git a/pkg/environment/environment.go b/pkg/environment/environment.go
@@ -5,8 +5,33 @@ package environment
 import (
 	"fmt"
 	"strings"
+
+	"github.com/stacklok/vibetool/pkg/secrets"
 )
 
+// ParseSecretParameters parses the secret parameters from the command line,
+// fetches them from the secrets manager, and returns a map of secrets and
+// their environment variable names.
+func ParseSecretParameters(parameters []string, secretsManager secrets.Manager) (map[string]string, error) {
+	secretVariables := make(map[string]string, len(parameters))
+
+	for _, param := range parameters {
+		parameter, err := secrets.ParseSecretParameter(param)
+		if err != nil {
+			return nil, err
+		}
+
+		secret, err := secretsManager.GetSecret(parameter.Name)
+		if err != nil {
+			return nil, err
+		}
+
+		secretVariables[parameter.Target] = secret
+	}
+
+	return secretVariables, nil
+}
+
 // ParseEnvironmentVariables parses environment variables from a slice of strings
 // in the format KEY=VALUE
 func ParseEnvironmentVariables(envVars []string) (map[string]string, error) {