feat: template secret builder from multiple secrets #30
This feature adds a dynamic option for secrets customization to the needs of the target app. Closes: securestart#21
ee2ac91 to 381e632
Sorry for the noisy changes, I also ran https://github.com/mvdan/gofumpt on it.
| keys: | ||
| API_KEY: API_SECRET_KEY | ||
| APP_NAME: == | ||
| templates: # Use classic Go text/template syntax | ||
| PG_DSN: | | ||
| postgresql://{{ .Env.PG_USER }}:{{ .Env.PG_PASS }}@{{ .Env.PG_HOST }}:5432/{{ .Env.PG_DATABASE }} |
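Review bot: The `PG_DSN` template on the last line of this example puts `{{ .Env.PG_USER }}` and `{{ .Env.PG_PASS }}` straight into the URL userinfo, and text/template does no escaping, so a password containing `@`, `:` or `/` yields a DSN that fails to parse or parses with a different host. Since this is the example users will copy, I'd expose a percent-encoding function to templates and use it here, or state the limitation next to the example.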
I have a weird feeling about this. The keys field is src -> dst, meanwhile templates is dst <- src1+src2 :/
But templates reversing is impossible, and reversing keys breaks the backward compatibility.
Why have separate attributes for the templates? I guess it should be easier to directly apply it to the keys. It would be similar to expandConfigTemplates:

```yaml
providers:
  - kind: dotenv
    path: .env.templates
    keys:
      PG_DSN: postgresql://{{ .PG_USER }}:{{ .PG_PASS }}@{{ .PG_HOST }}:5432/{{ .PG_DATABASE }}
```
But then we need to fix the behavior of keys. Previously the idea was to have advanced mapping under the keys so that the user can rename the key upon load. This could also be used to choose the keys to load.
When I saw my example, now it's ambiguous. Does it load everything plus PG_DSN, or does it only contain PG_DSN? Based on the current behaviour, it will be only PG_DSN. 🤔
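The template rendering debated in this thread, as an added Go example that is not code from the PR: it fails on a missing input key and percent-encodes credentials before they land in the DSN. `renderSecrets`, the `userinfo` template function and the sample values are hypothetical, and the `.Env` data shape is assumed from the PR's config example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
	"text/template"
)

// renderSecrets builds derived secrets (target key -> template text) from
// already-loaded values. Hypothetical helper, not the PR's execTemplates.
func renderSecrets(kvs, tmpls map[string]string) (map[string]string, error) {
	funcs := template.FuncMap{
		// userinfo percent-encodes a value for the user/password part of a URL.
		"userinfo": func(s string) string { return url.User(s).String() },
	}
	out := make(map[string]string, len(tmpls))
	for target, text := range tmpls {
		// missingkey=error: an absent secret fails the render instead of
		// being written into the result as "<no value>".
		t, err := template.New(target).Funcs(funcs).Option("missingkey=error").Parse(text)
		if err != nil {
			return nil, fmt.Errorf("parse template %q: %w", target, err)
		}
		var sb strings.Builder
		if err := t.Execute(&sb, map[string]any{"Env": kvs}); err != nil {
			return nil, fmt.Errorf("render template %q: %w", target, err)
		}
		out[target] = sb.String()
	}
	return out, nil
}

// Constructed sample values; the password contains URL delimiters on purpose.
var sampleKVs = map[string]string{
	"PG_USER": "app", "PG_PASS": "p@ss:w/rd", "PG_HOST": "db.internal", "PG_DATABASE": "orders",
}

const dsnTmpl = "postgresql://{{ .Env.PG_USER | userinfo }}:{{ .Env.PG_PASS | userinfo }}" +
	"@{{ .Env.PG_HOST }}:5432/{{ .Env.PG_DATABASE }}"

func main() {
	out, err := renderSecrets(sampleKVs, map[string]string{"PG_DSN": dsnTmpl})
	fmt.Println(out["PG_DSN"], err)
	_, err = renderSecrets(map[string]string{"PG_USER": "app"}, map[string]string{"PG_DSN": dsnTmpl})
	fmt.Println(err) // fails on the first missing key
}
```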
| ID string `yaml:"id,omitempty"` // Optional: defaults to 'kind'. Required if multiple providers share the same kind | ||
| Config map[string]interface{} `yaml:"-"` // Provider-specific configuration (e.g., path, region, endpoint, etc.) | ||
| Keys map[string]string `yaml:"keys,omitempty"` // Optional key mappings (source_key: target_key, or "==" to keep same name) | ||
| Templates []*template.Template `yaml:"templates,omitempty"` // Optional templates mappings (target_key: str(Go template)) |
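Review bot: On the `Templates` line, the `yaml:"templates,omitempty"` tag sits on a `[]*template.Template`, while the config example shows `templates` as a mapping of target key to template string, so the tag describes a shape this field cannot be decoded from directly. If the slice is filled by custom parsing code, tag it `yaml:"-"` as `Config` is, so the struct states plainly that the decoder never touches it.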
note for me: fix the comment, it's not a map
| } | ||
| tmpl := template.New(k) | ||
| if _, err := tmpl.Parse(str); err != nil { | ||
| return err |
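Review bot: `template.New(k)` is parsed with default options, so if the data passed at execution is a map, a key that was never loaded renders as the literal `<no value>` instead of failing, and a broken credential string reaches the application. Call `.Option("missingkey=error")` on the template before `Parse` so a missing secret aborts the load.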
note for me: use fmt.Errorf
|
|
||
| tmplKvs, err := execTemplates(kvs, providerCfg.Templates) | ||
| if err != nil { | ||
| return nil, err |
fmt.Errorf?
| if mappedKey, exists := keys[k]; exists { | ||
| if mappedKey == "==" { | ||
| targetKey = k // Keep same name | ||
| } else { | ||
| targetKey = mappedKey | ||
| } | ||
| } else if len(keys) == 0 { | ||
| // No keys specified means map everything | ||
| targetKey = k | ||
| } else { | ||
| // Skip keys not in the mapping | ||
| continue | ||
| } |
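Review bot: The `len(keys) == 0` branch is loop-invariant but is re-evaluated for every key, and it is also the least restrictive path, since an empty `keys` exports every source value. I'd move the decision into a small helper that returns the target key and a boolean, name the `"=="` sentinel as a constant, and document the export-everything default where `keys` is described.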
note for me: try refactor this