Add CLI config overrides and ENV injection #1323
Merged: patrick-east merged 2 commits into open-policy-agent:master from patrick-east:env-config on Apr 10, 2019
tsandall reviewed on Apr 9, 2019
LGTM. Just a couple minor comments.
@patrick-east LGTM. Go ahead and squash your changes and then merge.
patrick-east force-pushed the env-config branch from cb81697 to c2378bf on April 10, 2019 17:06
We will use it (or a modified version) to allow for setting config easier on the CLI.

Signed-off-by: Patrick East <east.patrick@gmail.com>

There are two new CLI options added with this change for the `opa run` sub command.

* `--set`
* `--set-file`

These allow for overriding config options on the CLI using `key=value` options to reference the YAML/JSON config structures. The `--set` value expects to take in the value you want to set while the `--set-file` value is a path to a file which will be read for the value of the file. This is primarily useful for secrets mounted as files on a host.

In addition this adds in some simple environment variable injection so that a deployer can specify environment variables in the config via ${NAME} syntax. At the time the config is loaded from file it will inject in the environment vars. This applies to strings set via the `--set` variable too.

Some things to note:

* This won't work for configs generated by discovery bundles, it is *only* for configurations loaded by the runtime.
* This is only done at the time of loading the file. Plugins receive modified copies of the config (post injection), and should never be allowed to re-read directly from disk.
* There are security implications of setting secrets in env vars. It is recommended to use the file based secrets approach with `--set-file` instead of environment variables.

Signed-off-by: Patrick East <east.patrick@gmail.com>
patrick-east force-pushed the env-config branch from c2378bf to 4d4b6bd on April 10, 2019 17:09
Squashed and rebased to fix merge conflicts, once the CI passes I'll merge it.
There are two new CLI options added with this change for the `opa run` sub command.

* `--set`
* `--set-file`

These allow for overriding config options on the CLI using `key=value` options to reference the YAML/JSON config structures. The `--set` value expects to take in the value you want to set while the `--set-file` value is a path to a file which will be read for the value of the file. This is primarily useful for secrets mounted as files on a host.

In addition this adds in some simple environment variable injection so that a deployer can specify environment variables in the config via ${NAME} syntax. At the time the config is loaded from file it will inject in the environment vars. This applies to strings set via the `--set` variable too.

Some things to note:

* This won't work for configs generated by discovery bundles, it is *only* for configurations loaded by the runtime.
* This is only done at the time of loading the file. Plugins receive modified copies of the config (post injection), and should never be allowed to re-read directly from disk.
* There are security implications of setting secrets in env vars. It is recommended to use the file based secrets approach with `--set-file` instead of environment variables.
Fixes: #924
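
A minimal Go sketch of the behaviour the description outlines, added here as an illustration and not taken from the OPA code base: dotted `key=value` overrides written into a nested config, `${NAME}` filled from the environment for `--set`-style values, and `--set-file`-style values read from a path. The function names and sample keys are hypothetical, and the sketch assumes that an unset variable is an error and that file contents are used as-is apart from trimming a trailing newline.

```go
package main

import (
	"fmt"
	"os"
	"regexp"
	"strings"
)

var envRef = regexp.MustCompile(`\$\{([A-Za-z_][A-Za-z0-9_]*)\}`)

// value resolves the right-hand side of an override. Sketch assumptions: an
// unset ${NAME} is an error, and file contents are not env-injected.
func value(raw string, fromFile bool) (out string, err error) {
	if fromFile {
		b, err := os.ReadFile(raw) // raw is a path; the secret stays out of argv
		return strings.TrimRight(string(b), "\r\n"), err
	}
	out = envRef.ReplaceAllStringFunc(raw, func(m string) string {
		v, ok := os.LookupEnv(m[2 : len(m)-1])
		if !ok {
			err = fmt.Errorf("environment variable %s is not set", m)
		}
		return v
	})
	return out, err
}

// override applies one key=value pair to cfg, creating nested maps as needed.
func override(cfg map[string]any, kv string, fromFile bool) error {
	key, raw, found := strings.Cut(kv, "=")
	if !found || key == "" {
		return fmt.Errorf("override must be key=value") // kv not echoed: may hold a secret
	}
	val, err := value(raw, fromFile)
	if err != nil {
		return err // cfg is left untouched when the value cannot be resolved
	}
	keys := strings.Split(key, ".")
	for _, k := range keys[:len(keys)-1] {
		if _, ok := cfg[k].(map[string]any); !ok {
			cfg[k] = map[string]any{}
		}
		cfg = cfg[k].(map[string]any)
	}
	cfg[keys[len(keys)-1]] = val
	return nil
}

func main() { fmt.Println(override(map[string]any{}, "labels.home=${HOME}", false)) }
```

A value passed inline with `--set` is visible in the process argument list, and one injected from the environment is visible to anything that can read the process environment; the file-based path avoids both, which is the reason the description recommends `--set-file` for secrets.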