Polykey secrets env integration #289
Conversation
|
@brynblack does this not link back to any issues? |
| @@ -101,7 +101,7 @@ | |||
| shellHook = '' | |||
| echo "Entering $(npm pkg get name)" | |||
| set -o allexport | |||
| . ./.env | |||
| . <(pk secrets env Polykey-CLI:.) | |||
There was a problem hiding this comment.
This should just be Polykey-CLI, no need for :..
Also again, this assumes we have a vault called Polykey-CLI, let's also make this command fail-safe, so that even if the vault doesn't exist, it can continue.
The usual way to do this is with || true when the command returns a non-zero exit code.
Also note that set -o allexport ensures that all variables declared afterwards is exported.
If the pk secrets env command produces exported variables, that isn't necessary anymore. This is why I wanted to ensure that sourcing doesn't do that by default.
The final thing is the lack of a vault schema making this very implicit, we are essentially injecting arbitrary global variables - whereas what we want is a schema defining what we expect to be in the vault. We have an issue for this too.
Also pk is an alias, the official program command should be polykey.
Another thing is that this assumes polykey exists in the development shell o r available in the CLI. I usually ensure that the program exists by adding it to nativeBuildInputs.
Would this be a problem for user-space Polykey?
Remember we have:
- System deployed Polykey - system configuration service
- User deployed Polykey - home manager service
- Project deployed Polykey?
A command running by itself without an agent - I wonder how that should work?
There was a problem hiding this comment.
@tegefaulkes @aryanjassal I want to ensure that our secrets env is foolproof when we have this running...
And by bootstrapping PK from PK... need to examine all the potential problems.
There was a problem hiding this comment.
I'll create a new issue for discussing the spec of the secrets env command changes. There are things that need to be hashed out.
There was a problem hiding this comment.
This should just be
Polykey-CLI, no need for:..
This is being tracked in #312
|
Where's the issue? |
brynblack
force-pushed
the
feature-pk-integration
branch
from
cbdc2c4
to
bab5959
Compare
brynblack
force-pushed
the
feature-pk-integration
branch
from
bab5959
to
e685d20
Compare
Description
This PR integrates the
polykey secrets envcommand into the development shell hook, to securely load development secrets into the development environment.Tasks
. ./.envwithpk secrets env ...Final checklist