Add CLI config overrides and ENV injection #1323
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
tsandall
reviewed
Apr 9, 2019
|
@patrick-east LGTM. Go ahead and squash your changes and then merge. |
patrick-east
force-pushed
the
env-config
branch
from
cb81697
to
c2378bf
Compare
We will use it (or a modified version) to allow for setting config easier on the CLI. Signed-off-by: Patrick East <east.patrick@gmail.com>
There are two new CLI options added with this change for the `opa run`
sub command.
`--set`
`--set-file`
These allow for overriding config options on the CLI using `key=value`
options to reference the YAML/JSON config structures. The `--set` value
expects to take in the value you want to set while the `--set-file` value is
a path to a file which will be read for the value of the file. This is primarily
useful for secrets mounted as files on a host.
In addition this adds in some simple environment variable injection so that a
deployer can specify environment variables in the config via ${NAME} syntax.
At the time the config is loaded from file it will inject in the environment vars.
This applies to strings set via the `--set` variable too.
Some things to note:
* This won't work for configs generated by discovery bundles, it is *only* for
configurations loaded by the runtime.
* This is only done at the time of loading the file. Plugins receive modified
copies of the config (post injection), and should never be allowed to re-read
directly from disk.
* There are security implications of setting secrets in env vars. It is
recommended to use the file based secrets approach with `--set-file`
instead of environment variables.
Signed-off-by: Patrick East <east.patrick@gmail.com>
patrick-east
force-pushed
the
env-config
branch
from
c2378bf
to
4d4b6bd
Compare
|
Squashed and rebased to fix merge conflicts, once the CI passes I'll merge it. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There are two new CLI options added with this change for the
opa runsub command.
--set--set-fileThese allow for overriding config options on the CLI using
key=valueoptions to reference the YAML/JSON config structures. The
--setvalueexpects to take in the value you want to set while the
--set-filevalue isa path to a file which will be read for the value of the file. This is primarily
useful for secrets mounted as files on a host.
In addition this adds in some simple environment variable injection so that a
deployer can specify environment variables in the config via ${NAME} syntax.
At the time the config is loaded from file it will inject in the environment vars.
This applies to strings set via the
--setvariable too.Some things to note:
configurations loaded by the runtime.
copies of the config (post injection), and should never be allowed to re-read
directly from disk.
recommended to use the file based secrets approach with
--set-fileinstead of environment variables.
Fixes: #924