-
Notifications
You must be signed in to change notification settings - Fork 63
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Quote multi-line values in @SUMMONENVFILE #184
Conversation
7bb3056
to
ea7824b
Compare
Will also fix #31 I guess |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi @mcanevet,
Thank you for submitting this pull request! This will be a good change to get in, for sure.
I've done a first pass look through the code, and it looks good.
Would you be able to add a test case to this to the internal/command/action_test.go
for this? Also, some of the existing unit tests get broken by this change. (To run the UT, do go test
from the internal/command/
directory). Let me know if you need any help with this.
Thank you!
@diverdane I fixed the tests and I guess the |
@mcanevet, I experimented with this some more today, and I realized that we may have some backwards compatibility issues if we add this feature. The concern is that every value in the @SUMMONENVFILE is going to be double-quoted, and Docker treats everything after the So, for example, if I have a very basic
With Existing SummonWith the existing summon, I see this string without quotes in the @SUMMONENVFILE and in the environment of a container using this: $ summon cat @SUMMONENVFILE
FOO=The rain in Spain
$ summon docker run --env-file @SUMMONENVFILE alpine sh -c 'echo $FOO'
The rain in Spain
$ summon docker run --env-file @SUMMONENVFILE bash bash -c 'echo $FOO'
The rain in Spain
$ summon docker run --env-file @SUMMONENVFILE -it bash bash
bash-5.1# echo "$FOO"
The rain in Spain
bash-5.1# exit
exit
$ With Quoted Values in SUMMONENVFILEWith a summon that incorporates changes from this PR, everything shows up with quotes: $ ./new-summon cat @SUMMONENVFILE
FOO="The rain in Spain"
$ ./new-summon docker run --env-file @SUMMONENVFILE alpine sh -c 'echo $FOO'
"The rain in Spain"
$ ./new-summon docker run --env-file @SUMMONENVFILE bash bash -c 'echo $FOO'
"The rain in Spain"
$ ./new-summon docker run --env-file @SUMMONENVFILE -it bash bash
bash-5.1# echo "$FOO"
"The rain in Spain"
bash-5.1# exit
exit
$ I'm concerned that customers currently using Summon + Docker with SUMMONENVFILE might get thrown off by the introduction of the double quotes. For your use case, would it be possible to use base64 encoded certificates (and base64 decode them in the container)? Or use the |
Hi @mcanevet. Thought I'd chime into the conversation since I've just been dealing with the same issue. A better way to inject secrets from summon into DockerI was motivated by the need to use the secrets from summon inside a docker container. @SUMMONENVFILE wasn't particularly useful because
I went with the approach below, where I define a bash function
The benefit of (3) is that summon is still managing these files so when it dies then those files are cleaned up by summon.
I've condensed all this functionality under the definition of
Example usage of summon_docker_runBelow I provide some example usage of
This results in the following output from within the container. As we can see below multiline values are supported, and variables using the
|
A better way to inject secrets from summon into Docker contniued...My suggestion above is only useful if your goal is to lift summon secrets into a docker container, which is definitely a usecase I've personally come across time and again. This has prompted me to consider supporting
Supporting multiline values in envfiles generated from summon secretsBack to envfiles... There are definitely instances where an envfile is all that's necessary e.g. using dotenv in Node.js which supports multiline values through double quotes (see https://www.npmjs.com/package/dotenv#rules). dotenv in Node.js has a set of rules for double quotes which I'm not sure is ubiquitous. I think it'd be good to survey the landscape of envfiles and see if there's a standard for multiline values that we can adopt. To maintain backwards compatibility we can leave |
Actually my main goal is to extract all secrets into a dotenv file in a Gitlab CI job, then pass them as an artifact to the next job that will source the dotenv file. I guess @SUMMONENVFILE is not only broken for Docker usage, but also when using |
I REALLY like the @doodlesbykumbi 's idea of implementing a @SUMMONDOCKEROPTS command line option to support passing multiline secrets to Docker (using For your purposes, would it be possible to script this up (or create a Golang exec) by adding post-processing to the existing Summon, e.g. something that does:
|
@mcanevet If you're referring to using artifacts:reports:dotenv, as in https://docs.gitlab.com/ee/ci/variables/#inherit-environment-variables, I'm not sure that supports multiline values. The rules for it are more restricted. For example,
envfiles are tricky. env_summon suggestion for envfilesI whipped us
env_summon usageGiven
You can use
Or to generate a shell file that can sourced and exports the environment variables (i.e.
|
I'm not sure this problem is limited to docker. I guess @SUMMONENVFILE should be "sourceable" in any shell using the |
I'm not sure envfiles are, in general, guaranteed to be "sourceable". For that they'd need to escape the values in a myriad of ways that go beyond doubles quotes, |
@mcanevet, are you able to add this support outside of summon (i.e. retrieve secrets from summon, and then create a custom dotenv file with quoting for the multiline secrets)? I'd like to close this PR if so. |
Don't you think the best solution would be to keep the quoting when the value contains at least one |
Hi @mcanevet, My preference would be to avoid modifying summon to do something that I feel is a very special case. I'm also concerned that the documentation for this is going to be a bit awkward. I believe that your particular use case can be handled fairly easily without modifying summon, by using a bash script that takes the SUMMONENVFILE output from summon and does the translation you need, and writing that script's output to a dotenv file. I've created a bash script to do just that. The invocation looks like this (where
The
Here's an example usage, where I have two variables, one of which has a multiline value:
Please let me know what you think. |
@diverdane thanks for taking time to find a proper solution that match my needs. Your script would indeed do the trick, I'll try to use it. |
543bc48
to
ce19c7c
Compare
@diverdane I rebased this PR on top of #188 and I only quote value when it contains multiple lines (see the tests). |
I'm not sure that your shell script would work with a value containing a GPG or SSH key (my use case), as the last line will match the |
Hi @mcanevet, I'll take a look at your other PR. In the meantime, have you considered |
@diverdane well, having it base64 encoded would not be a solution for me, because this are secrets I want to use also without using @SUMMONENVFILE and a script in the middle. |
ce19c7c
to
bc58b2c
Compare
@diverdane I rebased this PR. It's way more simple now. |
bc58b2c
to
39656f6
Compare
@diverdane I rebased this PR. I'm wondering if you still disagree on the fact that it's a generic use case to be able to source |
@mcanevet Apologies for not responding sooner. There's been some internal discussion. We've converged on providing primitives that allow users to implement this kind of functionality on their own. We would like to avoid building special cases into Summon. We're still thinking about the right primitives, however we currently have in mind
There's an issue for (1) over at #199. We'd love to get your thoughts and feedback on these and the general approach. |
@mcanevet For (2) we are considering providing some canned output formats and an envfile with quoted strings could be one of them. |
@mcanevet Following the comments above we're going to close this PR for now as we finalise (1), (2) and beyond. Please allow me to reiterate that we greatly appreciate your contribution and would love your thoughts and feedback moving forward. |
What does this PR do?
If a secret contains a multi-line value,
@SUMMONENVFILE
is not sourceable because the value must be quoted.The PR changes way more thing then I expected, but it was needed due to the fact that the formatting is done the same way for environment variables and environment file.
What ticket does this PR close?
Resolves #31
Checklists
Change log
Test coverage
Documentation
README
s) were updated in this PR, and/or there is a follow-on issue to update docs, or