This introduces support for creating a target secret at compile time, if the secret does not already exist.

Target secrets were introduced a few commits ago and have proven to work well. However, when using reclass inventory interpolation for target secret tags, you are forced to create all of the interpolated target secrets manually, as compilation will otherwise fail.

To solve this problem, this PR proposes the following new (optional) form of secret tags:

`?{gpg:path/to/new_secret|randomstr:32}`

Or, interpolating `${target_name}`:

`?{gpg:targets/${target_name}/new_secret|randomstr:16}`

If `path/to/new_secret` does not exist under `secrets_path`, it evaluates `randomstr:32`, a function supported in this PR, which returns a 32 (as parameterised) byte-long random string generated by https://docs.python.org/3/library/secrets.html#secrets.token_urlsafe and creates the secret with its content. `randomstr` can also be evaluated without a parameter, and a base64-encoded version of it is also available as `randomstrb64` (which mimics the `--base64` flag in the `kapitan secrets` command line).

Note that this only supports target secrets and requires the recipients to be set in the inventory for the target being compiled. Once the target secret is created from a function, it will not be recreated.
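The following is an added, stand-alone example (not code from this PR or from Kapitan) that models the behaviour described above: parse a `?{backend:path|function:arg}` tag, return the existing secret if one is present under `secrets_path`, and otherwise evaluate `randomstr` / `randomstrb64` (backed by `secrets.token_urlsafe`) and create the secret exactly once. The function names `parse_tag`, `resolve_secret` and `demo_create_once`, the tag grammar regex and the sample recipient are assumptions made for this illustration. Where the real tool would encrypt the generated value for the target's recipients with the chosen backend, this example only checks that recipients are set and writes the value as a stand-in file, so that the create-once logic can be observed offline.

```python
import base64
import re
import secrets
import tempfile
from pathlib import Path

# Assumed tag grammar for this example: ?{<backend>:<path>|<function>[:<nbytes>]}
# The function part is optional; without it a missing secret is an error.
TAG_RE = re.compile(
    r"\?\{(?P<backend>\w+):(?P<path>[^|}]+)"
    r"(?:\|(?P<func>\w+)(?::(?P<arg>\d+))?)?\}"
)

DEFAULT_NBYTES = 32  # used when the function is written without a parameter


def randomstr(nbytes=DEFAULT_NBYTES):
    """URL-safe random string built from nbytes of OS randomness."""
    return secrets.token_urlsafe(nbytes)


def randomstrb64(nbytes=DEFAULT_NBYTES):
    """Same value, additionally base64-encoded (mirrors a --base64 style flag)."""
    return base64.b64encode(randomstr(nbytes).encode()).decode()


FUNCTIONS = {"randomstr": randomstr, "randomstrb64": randomstrb64}


def parse_tag(tag):
    """Return (backend, path, func, nbytes) for a tag, or raise ValueError."""
    m = TAG_RE.fullmatch(tag)
    if m is None:
        raise ValueError(f"not a valid secret tag: {tag!r}")
    arg = m.group("arg")
    return m.group("backend"), m.group("path"), m.group("func"), (int(arg) if arg else None)


def resolve_secret(tag, secrets_path, recipients):
    """Return (value, created). Creates the secret only if it does not exist yet."""
    backend, path, func, nbytes = parse_tag(tag)
    secret_file = Path(secrets_path) / path

    # Existing secrets are never regenerated, even if a function is given.
    if secret_file.exists():
        return secret_file.read_text(), False

    if func is None:
        raise FileNotFoundError(f"secret {path!r} missing under {secrets_path!r} and no function given")
    if func not in FUNCTIONS:
        raise ValueError(f"unknown secret function {func!r}")
    if not recipients:
        # Target secrets need recipients from the inventory to be encrypted for.
        raise ValueError("recipients must be set in the inventory for this target")

    value = FUNCTIONS[func](nbytes) if nbytes is not None else FUNCTIONS[func]()

    # Stand-in for the real step: encrypt `value` with `backend` for `recipients`.
    # Here the value itself is written so the create-once behaviour is visible.
    secret_file.parent.mkdir(parents=True, exist_ok=True)
    secret_file.write_text(value)
    return value, True


def demo_create_once(tag="?{gpg:targets/prod/api_token|randomstr:16}"):
    """Resolve the same tag twice in a fresh directory; the second call must reuse the first value."""
    with tempfile.TemporaryDirectory() as tmp:
        first, created_first = resolve_secret(tag, tmp, ["dev@example.com"])  # constructed recipient
        second, created_second = resolve_secret(tag, tmp, ["dev@example.com"])
    return first, created_first, second, created_second


if __name__ == "__main__":
    print(demo_create_once())
```

`secrets.token_urlsafe(n)` returns the base64url encoding of `n` random bytes, so `randomstr:16` yields a 22-character string and `randomstr:32` a 43-character one; the byte count in the tag is the amount of entropy, not the length of the resulting text.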