Add psi install --stdout for container-mode token rotation #24
Merged
In container mode, `psi install` writes containers.conf.d/psi.conf to
the container's filesystem, not the host's, so the README's documented
token rotation procedure ("re-run psi install") silently no-ops on the
host. The only workaround was a manual podman cp dance.
Add a --stdout flag that prints the rendered driver conf instead of
writing it. Container deployments pipe it to the host file:
podman exec psi-secrets psi install --stdout \
| sudo tee /etc/containers/containers.conf.d/psi.conf > /dev/null
The new render_driver_conf() helper is side-effect-free — it does not
create state_dir or touch the filesystem, since the caller is
explicitly asking for bytes.
Update the FCOS install section and the token rotation section of the
README to document the container-mode one-liner.
Summary
`psi install` gains a `--stdout` flag that prints the rendered `containers.conf.d/psi.conf` to stdout instead of writing it. Container-mode deployments now have a working path for the README's documented token rotation procedure:

- New `render_driver_conf()` helper is side-effect-free — it does not create `state_dir` or touch the filesystem. The existing `install_driver_conf()` write path is unchanged.
- README updated in two places: the "Install the shell driver" section now includes the container-mode one-liner, and the "Token rotation" step 3 points at it.
Why
In container mode, `psi install` inside the PSI container writes to the container's own `/etc/containers/containers.conf.d/`, which the host never sees. The documented rotation procedure ("re-run `psi install`") silently no-ops on the host. The only workaround was a manual `podman cp` dance. A full fix via bind-mounting the host's `containers.conf.d/` into the container is tracked separately (SELinux label risk on FCOS needs hardware testing); this PR unblocks the rotation UX today with zero new privilege and zero SELinux changes.

Test plan
- `pytest tests/test_installer.py` — new `TestRenderDriverConf` class: no-token, with-token (`Authorization: Bearer` header), and a regression test asserting `render_driver_conf()` never creates `conf_dir` or `state_dir`.
- `pytest tests/test_install_cli.py` — new: `psi install --stdout` calls `render_driver_conf` and prints the result; `psi install` (no flag) still calls `install_driver_conf`.
- `ruff check` / `ruff format --check` / `ty check` — all clean.
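The render/install split this PR describes, as an added example that is not psi's own code: `render_driver_conf()` only returns text, `install_driver_conf()` is the writing path, and `check_side_effects()` is the shape of the regression check from the test plan. The TOML layout (`[secrets]` / `[secrets.opts]`), the curl-based lookup command and the socket path are assumptions about what psi.conf contains.

```python
import tempfile
from pathlib import Path
from typing import Optional

CONF_NAME = "psi.conf"


def render_driver_conf(state_dir, token: Optional[str] = None) -> str:
    """Return the driver conf as text. Never creates state_dir or any file."""
    # Assumed lookup command: the shell driver fetches a secret over a unix
    # socket under state_dir. With a token, the bearer header is part of the
    # command string only; nothing is written anywhere by this function.
    cmd = f"curl -sf --unix-socket {state_dir}/psi.sock"
    if token is not None:
        cmd += f" -H 'Authorization: Bearer {token}'"
    cmd += " http://psi/lookup"
    return "\n".join([
        "[secrets]",
        'driver = "shell"',
        "",
        "[secrets.opts]",
        f'lookup = "{cmd}"',
        "",
    ])


def install_driver_conf(conf_dir: Path, state_dir: Path, token: Optional[str] = None) -> Path:
    """The writing path: creates both directories, then writes the rendered conf."""
    conf_dir.mkdir(parents=True, exist_ok=True)
    state_dir.mkdir(parents=True, exist_ok=True)
    target = conf_dir / CONF_NAME
    target.write_text(render_driver_conf(state_dir, token))
    # The file may embed a bearer token; a 0600 mode is this example's choice.
    target.chmod(0o600)
    return target


def check_side_effects() -> dict:
    """Regression check: render must leave the tree untouched; install populates it."""
    with tempfile.TemporaryDirectory() as root:
        conf_dir = Path(root) / "containers.conf.d"
        state_dir = Path(root) / "state"
        rendered = render_driver_conf(state_dir, token="t0ken")
        untouched = not conf_dir.exists() and not state_dir.exists()
        target = install_driver_conf(conf_dir, state_dir, token="t0ken")
        written = target.read_text() == rendered and state_dir.is_dir()
    return {"render_untouched": untouched, "install_written": written}
```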