engine-wide dagql caching (#9682)

* share dagql cache across sessions

Signed-off-by: Erik Sipsma <erik@sipsma.dev>

* various tangential git fixes, module cache key fix, more tests

Signed-off-by: Erik Sipsma <erik@sipsma.dev>

* secrets refactor

Signed-off-by: Erik Sipsma <erik@sipsma.dev>

* handle postcall secret transfer across sessions

Signed-off-by: Erik Sipsma <erik@sipsma.dev>

* services wip

Signed-off-by: Erik Sipsma <erik@sipsma.dev>

* hacky fix to cross-session telemetry

Signed-off-by: Erik Sipsma <erik@sipsma.dev>

* rebase fixes

Signed-off-by: Erik Sipsma <erik@sipsma.dev>

* support cached telemetry from dagql cache hits

Signed-off-by: Erik Sipsma <erik@sipsma.dev>

* fixup

Signed-off-by: Erik Sipsma <erik@sipsma.dev>

* send telemetry once per session for given key

Signed-off-by: Erik Sipsma <erik@sipsma.dev>

* basic cleanup

Signed-off-by: Erik Sipsma <erik@sipsma.dev>

* fix client init w/ module containing secrets

Signed-off-by: Erik Sipsma <erik@sipsma.dev>

* fix cmd/introspect compile error

Signed-off-by: Erik Sipsma <erik@sipsma.dev>

* fix dagql_test compile errors

Signed-off-by: Erik Sipsma <erik@sipsma.dev>

* more unit test fixes; rm extraneous secret unit test

Signed-off-by: Erik Sipsma <erik@sipsma.dev>

* fix panic from setSecretFile

Signed-off-by: Erik Sipsma <erik@sipsma.dev>

* regen

Signed-off-by: Erik Sipsma <erik@sipsma.dev>

* rough fix for dep module load cache hit corner case

Signed-off-by: Erik Sipsma <erik@sipsma.dev>

* fix TestDaggerGitRefs

Signed-off-by: Erik Sipsma <erik@sipsma.dev>

* check auth in gitdns source always

Signed-off-by: Erik Sipsma <erik@sipsma.dev>

* remove now invalidated separate secret stores test

Signed-off-by: Erik Sipsma <erik@sipsma.dev>

* fix TestClientGenerator issue w/ stable client id

Signed-off-by: Erik Sipsma <erik@sipsma.dev>

* fix git services + git tree content hash + context dir load

Signed-off-by: Erik Sipsma <erik@sipsma.dev>

* add cross-session secret uri test

Signed-off-by: Erik Sipsma <erik@sipsma.dev>

* include ctxargs as input resources

Signed-off-by: Erik Sipsma <erik@sipsma.dev>

* ensure git authSock in DAG; rm stray SetSecret per-session cache key

Signed-off-by: Erik Sipsma <erik@sipsma.dev>

* fix panic from unset client.dag after merge

Signed-off-by: Erik Sipsma <erik@sipsma.dev>

* update dagql unit tests after merge

Signed-off-by: Erik Sipsma <erik@sipsma.dev>

* fix concurrent map write panic

Signed-off-by: Erik Sipsma <erik@sipsma.dev>

* fix nil panic w/ local git repos

Signed-off-by: Erik Sipsma <erik@sipsma.dev>

* misc cleanup

Signed-off-by: Erik Sipsma <erik@sipsma.dev>

* regen

Signed-off-by: Erik Sipsma <erik@sipsma.dev>

* update telemetry tests

Signed-off-by: Erik Sipsma <erik@sipsma.dev>

* address lints

Signed-off-by: Erik Sipsma <erik@sipsma.dev>

* first batch of fixes from feedback

Signed-off-by: Erik Sipsma <erik@sipsma.dev>

* update TODO comment

Signed-off-by: Erik Sipsma <erik@sipsma.dev>

* adjust llm tests to account for more caching

Signed-off-by: Erik Sipsma <erik@sipsma.dev>

* remove unixSocket dep on __internalSocket

Signed-off-by: Erik Sipsma <erik@sipsma.dev>

* update llm unit tests

Signed-off-by: Erik Sipsma <erik@sipsma.dev>

* deprecate setSecretFile

Signed-off-by: Erik Sipsma <erik@sipsma.dev>

* cleanup stray TODO comments/add a couple extra tests

Signed-off-by: Erik Sipsma <erik@sipsma.dev>

* regen

Signed-off-by: Erik Sipsma <erik@sipsma.dev>

* fix dotnet sdk check failure

Signed-off-by: Erik Sipsma <erik@sipsma.dev>

* regen

Signed-off-by: Erik Sipsma <erik@sipsma.dev>

---------

Signed-off-by: Erik Sipsma <erik@sipsma.dev>

Author: sipsma

cmd/codegen/generator/go/templates/modules.go

@@ -361,7 +361,7 @@ func dispatch(ctx context.Context) (rerr error) {
 	defer func() {
 		if rerr != nil {
 			if ` + voidRet + ` := fnCall.ReturnError(ctx, convertError(rerr)); err != nil {
-				fmt.Println("failed to return error:", err)
+				fmt.Println("failed to return error:", err, "\noriginal error:", rerr)
 			}
 		}
 	}()

cmd/introspect/main.go

@@ -10,13 +10,15 @@ import (
 	"github.com/dagger/dagger/core"
 	"github.com/dagger/dagger/core/schema"
 	"github.com/dagger/dagger/dagql"
+	"github.com/dagger/dagger/engine/cache"
+	"github.com/opencontainers/go-digest"
 )
 
 func main() {
 	ctx := context.Background()
 
 	root := &core.Query{}
-	dag := dagql.NewServer(root)
+	dag := dagql.NewServer(root, dagql.NewSessionCache(cache.NewCache[digest.Digest, dagql.Typed]()))
 	coreMod := &schema.CoreMod{Dag: dag}
 	if err := coreMod.Install(ctx, dag); err != nil {
 		panic(err)

core/container.go

@@ -30,6 +30,7 @@ import (
 	"github.com/pkg/errors"
 	"github.com/vektah/gqlparser/v2/ast"
 	"go.opentelemetry.io/otel/propagation"
+	"go.opentelemetry.io/otel/trace"
 
 	"github.com/dagger/dagger/dagql"
 	"github.com/dagger/dagger/dagql/call"
@@ -185,7 +186,7 @@ func (owner Ownership) Opt() llb.ChownOption {
 // ContainerSecret configures a secret to expose, either as an environment
 // variable or mounted to a file path.
 type ContainerSecret struct {
-	Secret    *Secret
+	Secret    dagql.Instance[*Secret]
 	EnvName   string
 	MountPath string
 	Owner     *Ownership
@@ -388,7 +389,7 @@ func (container *Container) Build(
 	dockerfile string,
 	buildArgs []BuildArg,
 	target string,
-	secrets []*Secret,
+	secrets []dagql.Instance[*Secret],
 	secretStore *SecretStore,
 	noInit bool,
 ) (*Container, error) {
@@ -399,15 +400,15 @@ func (container *Container) Build(
 
 	secretNameToLLBID := make(map[string]string)
 	for _, secret := range secrets {
-		secretName, ok := secretStore.GetSecretName(secret.IDDigest)
+		secretName, ok := secretStore.GetSecretName(secret.ID().Digest())
 		if !ok {
-			return nil, fmt.Errorf("secret not found: %s", secret.IDDigest)
+			return nil, fmt.Errorf("secret not found: %s", secret.ID().Digest())
 		}
 		container.Secrets = append(container.Secrets, ContainerSecret{
 			Secret:    secret,
 			MountPath: fmt.Sprintf("/run/secrets/%s", secretName),
 		})
-		secretNameToLLBID[secretName] = secret.IDDigest.String()
+		secretNameToLLBID[secretName] = secret.ID().Digest().String()
 	}
 
 	// set image ref to empty string
@@ -730,7 +731,13 @@ func (container *Container) WithMountedTemp(ctx context.Context, target string,
 	return container, nil
 }
 
-func (container *Container) WithMountedSecret(ctx context.Context, target string, source *Secret, owner string, mode fs.FileMode) (*Container, error) {
+func (container *Container) WithMountedSecret(
+	ctx context.Context,
+	target string,
+	source dagql.Instance[*Secret],
+	owner string,
+	mode fs.FileMode,
+) (*Container, error) {
 	container = container.Clone()
 
 	target = absPath(container.Config.WorkingDir, target)
@@ -840,7 +847,11 @@ func (container *Container) WithoutUnixSocket(ctx context.Context, target string
 	return container, nil
 }
 
-func (container *Container) WithSecretVariable(ctx context.Context, name string, secret *Secret) (*Container, error) {
+func (container *Container) WithSecretVariable(
+	ctx context.Context,
+	name string,
+	secret dagql.Instance[*Secret],
+) (*Container, error) {
 	container = container.Clone()
 
 	container.Secrets = append(container.Secrets, ContainerSecret{
@@ -1623,7 +1634,11 @@ func (container *Container) AsServiceLegacy(ctx context.Context) (*Service, erro
 			return nil, err
 		}
 	}
-	return container.Query.NewContainerService(ctx, container), nil
+	return &Service{
+		Creator:   trace.SpanContextFromContext(ctx),
+		Query:     container.Query,
+		Container: container,
+	}, nil
 }
 
 func (container *Container) AsService(ctx context.Context, args ContainerAsServiceArgs) (*Service, error) {
@@ -1658,7 +1673,11 @@ func (container *Container) AsService(ctx context.Context, args ContainerAsServi
 		return nil, err
 	}
 
-	return container.Query.NewContainerService(ctx, container), nil
+	return &Service{
+		Creator:   trace.SpanContextFromContext(ctx),
+		Query:     container.Query,
+		Container: container,
+	}, nil
 }
 
 func (container *Container) ownership(ctx context.Context, owner string) (*Ownership, error) {

core/container_exec.go

@@ -194,7 +194,7 @@ func (container *Container) WithExec(ctx context.Context, opts ContainerExecOpts
 	}
 
 	for i, secret := range container.Secrets {
-		secretOpts := []llb.SecretOption{llb.SecretID(secret.Secret.LLBID())}
+		secretOpts := []llb.SecretOption{llb.SecretID(secret.Secret.ID().Digest().String())}
 
 		var secretDest string
 		switch {

core/contenthash.go

@@ -30,24 +30,37 @@ func MakeDirectoryContentHashed(
 	bk *buildkit.Client,
 	dirInst dagql.Instance[*Directory],
 ) (retInst dagql.Instance[*Directory], err error) {
+	dgst, err := GetContentHashFromDirectory(ctx, bk, dirInst)
+	if err != nil {
+		return retInst, fmt.Errorf("failed to get content hash: %w", err)
+	}
+
+	return dirInst.WithDigest(dgst), nil
+}
+
+func GetContentHashFromDirectory(
+	ctx context.Context,
+	bk *buildkit.Client,
+	dirInst dagql.Instance[*Directory],
+) (digest.Digest, error) {
 	if dirInst.Self == nil {
-		return retInst, fmt.Errorf("directory instance is nil")
+		return "", fmt.Errorf("directory instance is nil")
 	}
 
 	st, err := dirInst.Self.State()
 	if err != nil {
-		return retInst, fmt.Errorf("failed to get state: %w", err)
+		return "", fmt.Errorf("failed to get state: %w", err)
 	}
 	def, err := st.Marshal(ctx, llb.Platform(dirInst.Self.Platform.Spec()))
 	if err != nil {
-		return retInst, fmt.Errorf("failed to marshal state: %w", err)
+		return "", fmt.Errorf("failed to marshal state: %w", err)
 	}
 	dgst, err := GetContentHashFromDef(ctx, bk, def.ToPB(), dirInst.Self.Dir)
 	if err != nil {
-		return retInst, fmt.Errorf("failed to get content hash: %w", err)
+		return "", fmt.Errorf("failed to get content hash: %w", err)
 	}
 
-	return dirInst.WithDigest(dgst), nil
+	return dgst, nil
 }
 
 func GetContentHashFromDef(
@@ -100,7 +113,7 @@ func GetContentHashFromDef(
 		}
 
 		ctx, span := Tracer(ctx).Start(ctx,
-			fmt.Sprintf("checksum def: %s", ref.ID()),
+			fmt.Sprintf("checksum def: %s", key),
 			telemetry.Internal(),
 		)
 		defer telemetry.End(span, func() error { return rerr })

core/git.go

@@ -131,8 +131,8 @@ type RemoteGitRepository struct {
 	Services ServiceBindings
 	Platform Platform
 
-	AuthToken  *Secret
-	AuthHeader *Secret
+	AuthToken  dagql.Instance[*Secret]
+	AuthHeader dagql.Instance[*Secret]
 }
 
 var _ GitRepositoryBackend = (*RemoteGitRepository)(nil)
@@ -271,6 +271,19 @@ func (ref *RemoteGitRef) Commit(ctx context.Context) (string, error) {
 	if err != nil {
 		return "", err
 	}
+
+	if len(ref.Repo.Services) > 0 {
+		svcs, err := ref.Query.Services(ctx)
+		if err != nil {
+			return "", err
+		}
+		detach, _, err := svcs.StartBindings(ctx, ref.Repo.Services)
+		if err != nil {
+			return "", err
+		}
+		defer detach()
+	}
+
 	p, err := resolveProvenance(ctx, bk, st)
 	if err != nil {
 		return "", err
@@ -293,11 +306,11 @@ func (ref *RemoteGitRef) getState(ctx context.Context, discardGitDir bool) (llb.
 	if ref.Repo.SSHAuthSocket != nil {
 		opts = append(opts, llb.MountSSHSock(ref.Repo.SSHAuthSocket.LLBID()))
 	}
-	if ref.Repo.AuthToken != nil {
-		opts = append(opts, llb.AuthTokenSecret(ref.Repo.AuthToken.LLBID()))
+	if ref.Repo.AuthToken.Self != nil {
+		opts = append(opts, llb.AuthTokenSecret(ref.Repo.AuthToken.ID().Digest().String()))
 	}
-	if ref.Repo.AuthHeader != nil {
-		opts = append(opts, llb.AuthHeaderSecret(ref.Repo.AuthHeader.LLBID()))
+	if ref.Repo.AuthHeader.Self != nil {
+		opts = append(opts, llb.AuthHeaderSecret(ref.Repo.AuthHeader.ID().Digest().String()))
 	}
 
 	clientMetadata, err := engine.ClientMetadataFromContext(ctx)

core/host.go

@@ -1,12 +1,7 @@
 package core
 
 import (
-	"context"
-	"fmt"
-
 	"github.com/vektah/gqlparser/v2/ast"
-
-	"github.com/dagger/dagger/dagql"
 )
 
 type Host struct {
@@ -23,48 +18,3 @@ func (*Host) Type() *ast.Type {
 func (*Host) TypeDescription() string {
 	return "Information about the host environment."
 }
-
-func (host *Host) SetSecretFile(ctx context.Context, srv *dagql.Server, secretName string, path string) (i dagql.Instance[*Secret], err error) {
-	secretStore, err := host.Query.Secrets(ctx)
-	if err != nil {
-		return i, fmt.Errorf("failed to get secrets: %w", err)
-	}
-
-	accessor, err := GetClientResourceAccessor(ctx, host.Query, secretName)
-	if err != nil {
-		return i, err
-	}
-
-	bk, err := host.Query.Buildkit(ctx)
-	if err != nil {
-		return i, fmt.Errorf("failed to get buildkit client: %w", err)
-	}
-
-	secretFileContent, err := bk.ReadCallerHostFile(ctx, path)
-	if err != nil {
-		return i, fmt.Errorf("read secret file: %w", err)
-	}
-
-	err = srv.Select(ctx, srv.Root(), &i, dagql.Selector{
-		Field: "loadSecretFromName",
-		Args: []dagql.NamedInput{
-			{
-				Name:  "name",
-				Value: dagql.NewString(secretName),
-			},
-			{
-				Name:  "accessor",
-				Value: dagql.Opt(dagql.NewString(accessor)),
-			},
-		},
-	})
-	if err != nil {
-		return i, fmt.Errorf("failed to select secret: %w", err)
-	}
-
-	if err := secretStore.AddSecret(i.Self, secretName, secretFileContent); err != nil {
-		return i, fmt.Errorf("failed to add secret: %w", err)
-	}
-
-	return i, nil
-}

core/integration/container_test.go

@@ -4792,6 +4792,7 @@ func (ContainerSuite) TestEnvExpand(ctx context.Context, t *testctx.T) {
 		dir := t.TempDir()
 		require.NoError(t, os.WriteFile(filepath.Join(dir, "some-file"), data, 0o600))
 
+		//nolint:staticcheck // SA1019 deprecated
 		secret := c.Host().SetSecretFile("mysecret", filepath.Join(dir, "some-file"))
 		output, err := c.Container().
 			From("alpine:latest").