gptscript-ai / gptscript

Build AI assistants that interact with your systems
https://gptscript.ai
Apache License 2.0
2.98k stars 261 forks

feat: add sqlite credential store #853

Closed g-linville closed 1 week ago

g-linville commented 1 week ago

This adds a new credential store option, sqlite, which uses a pure Go SQLite driver with GORM to store credentials in a local SQLite database file.

By default, the SQLite file will be created at <xdg config dir>/gptscript/credentials.db, though this can be overridden with an environment variable. We also check for a Kubernetes EncryptionConfiguration file at <xdg config dir>/gptscript/encryptionconfig.yaml (this path can also be overridden with an environment variable). If this config file is present, we use it for configuration. We can do AES-GCM with a locally stored key, or something fancier like a KMS v2 plugin to support AWS KMS or some other third party service.

Here is an example encryptionconfig.yaml to use AES-GCM:

```yaml
kind: EncryptionConfiguration
apiVersion: apiserver.config.k8s.io/v1
resources:
- resources:
  - credentials
  providers:
  - aesgcm:
      keys:
      - name: myKey
        secret: <encryption key encoded in base64>
```

For now I think we want to leave this undocumented? Let me know if I should remove the references to it in the error output (the output we display to the user when they configure an invalid credential store in their config file).
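An added example, not code from this PR or from gptscript: how the base64 `secret` of an aesgcm key entry like the one above can be validated and used to seal a credential value with Go's standard library. The function names, the nonce-prefixed storage layout and the use of the credential name as associated data are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// newAEAD builds AES-GCM from the base64 `secret` of an aesgcm key entry.
func newAEAD(secretB64 string) (cipher.AEAD, error) {
	key, err := base64.StdEncoding.DecodeString(secretB64)
	if err != nil {
		return nil, fmt.Errorf("secret is not valid base64: %w", err)
	}
	if n := len(key); n != 16 && n != 24 && n != 32 { // AES key sizes
		return nil, fmt.Errorf("decoded key is %d bytes, want 16, 24 or 32", n)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce||ciphertext; name is bound as associated data (assumed layout).
func seal(aead cipher.AEAD, name string, value []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, value, []byte(name)), nil
}

// open reverses seal and fails if the key, name or stored bytes differ.
func open(aead cipher.AEAD, name string, blob []byte) ([]byte, error) {
	if len(blob) < aead.NonceSize() {
		return nil, fmt.Errorf("stored value shorter than nonce")
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], []byte(name))
}

func main() {
	aead, err := newAEAD(base64.StdEncoding.EncodeToString(make([]byte, 32))) // constructed demo key
	if err != nil {
		panic(err)
	}
	blob, _ := seal(aead, "openai", []byte("constructed-token"))
	fmt.Println(open(aead, "github", blob)) // wrong name: authentication fails
}
```

Because the credential name is authenticated, a stored value copied onto a different credential's row fails to decrypt instead of silently returning another secret.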

g-linville commented 1 week ago

Temporarily moved back to draft because I found a bug in my stacked credentials implementation. Working on it...

g-linville commented 1 week ago

Should be good now.

g-linville commented 1 week ago

Closing this since I am going to reimplement it as a separate application that we use as a credential helper.