feat(cli): add --secret-material-env to provider refresh configure#2178
feat(cli): add --secret-material-env to provider refresh configure#2178hunglp6d wants to merge 2 commits into
Conversation
|
All contributors have signed the DCO ✍️ ✅ |
|
I have read the DCO document and I hereby sign the DCO. |
Signed-off-by: Hung Le <hple@nvidia.com>
|
Label |
PR Review StatusValidation: This PR is project-valid because it implements a focused CLI-side improvement for the provider refresh secret-material workflow described in #2104. I checked @johntmyers's maintainer feedback on #2104 about duplicate-key rejection and off-argv secret handling, and @hunglp6d's PR implements the env-based path with duplicate rejection while leaving the file/stdin path for follow-up work. Review findings:
Docs: Updated in E2E: I applied Next state: |
Summary
Adds
--secret-material-env KEY[=ENVVAR]toprovider refresh configureso secretrefresh material (service-account private keys, OAuth client secrets) can be supplied
off-argv. Today
--material KEY=VALUEis the only ingestion path, which exposes thevalue in the host process table (
/proc/<pid>/cmdline,ps) and to command-line audittooling. The new flag resolves the value from the CLI's own environment — mirroring the
existing
--credential KEYingestion — merges it into the material map, and auto-addsthe key to
secret_material_keys. Duplicate keys are rejected rather than givenprecedence: the same
KEYsupplied via both--materialand the new flag, or repeatedwithin the flag, is an error. Missing or blank env fails closed naming the variable,
before any request is sent. Client-side only: the gRPC request, server, and refresh
strategies are unchanged.
Related Issue
Refs #2104 (implements the env-styled complementary option;
--secret-material-file/--material-stdinfrom the proposal remain open).Changes
openshell-cli/src/main.rs: new--secret-material-env KEY[=ENVVAR]flag onprovider refresh configure; CLI parse test extended.openshell-cli/src/run.rs:parse_secret_material_env_pairs(error style mirrors the--credentialenv ingestion; never echoes values) and the merge inprovider_refresh_config; 5 unit tests.openshell-cli/tests/provider_commands_integration.rs: the mock now recordsmaterial/secret_material_keys; new end-to-end tests (env value reaches the requestauto-marked secret; a
--materialduplicate is rejected client-side before anyrequest) and a fails-closed test (unset env → error names the variable, no request
leaves the client).
docs/sandboxes/manage-providers.mdx: the Credential Refresh example no longerexpands a secret onto argv; documents the new flag.
Testing
mise run pre-commitpasses — the full alias (workspace-wide lint+check+test)does not fit on my dev box; ran every lane the diff touches manually:
cargo test -p openshell-cli(351 passed, 0 failed),cargo fmt -p openshell-cli -- --check(clean),cargo clippy -p openshell-cli --all-targets(no warnings),markdownlint-cli2over the repo docs globs (101 files, 0 errors).Deferring the untouched python/helm lanes to CI.
Also manually verified against a stock v0.0.78 gateway (release deb install; this
branch's CLI
0.0.79-devtalking to an unmodified released server):argv exposure: old path reproduces it, new flag closes it
fails closed when the env var is unset
value round-trips intact to the mint path; status never echoes material
(the fake env-delivered value reached the server and was parsed at mint time — the
transport carried it verbatim; no surface echoes the material itself)
Checklist