Merge pull request #427 from DopplerHQ/preserve-env
Fix forwarding of env vars when using --preserve-env
Piccirello authored Sep 6, 2023
2 parents ed0b67d + 0aa905b commit 3450210
Showing 3 changed files with 17 additions and 3 deletions.
2 changes: 1 addition & 1 deletion pkg/cmd/run.go
@@ -568,7 +568,7 @@ func init() {
runCmd.RegisterFlagCompletionFunc("config", configNamesValidArgs)
runCmd.Flags().String("command", "", "command to execute (e.g. \"echo hi\")")
// note: requires using "--preserve-env=VALUE", doesn't work with "--preserve-env VALUE"
runCmd.Flags().String("preserve-env", "false", "a comma separated list of secrets for which the existing value from the environment, if any, should take precedence of the Doppler secret value. value must be specified with an equals sign (e.g. --preserve-env=\"FOO,BAR\"). specify \"true\" to give precedence to all existing environment values, however this has potential security implications and should be used at your own risk.")
runCmd.Flags().String("preserve-env", "false", "a comma separated list of secrets for which the existing value from the environment, if any, should take precedence over the Doppler secret value. value must be specified with an equals sign (e.g. --preserve-env=\"FOO,BAR\"). specify \"true\" to give precedence to all existing environment values, however this has potential security implications and should be used at your own risk.")
// we must specify a default when no value is passed as this flag used to be a boolean
// https://github.com/spf13/pflag#setting-no-option-default-values-for-flags
runCmd.Flags().Lookup("preserve-env").NoOptDefVal = "true"
6 changes: 4 additions & 2 deletions pkg/controllers/secrets.go
@@ -398,11 +398,13 @@ func PrepareSecrets(dopplerSecrets map[string]string, originalEnv []string, pres
}
// then use existing env vars
for name, value := range existingEnvKeys {
if preserveEnv != "true" && !utils.Contains(secretsToPreserve, name) {
_, isDopplerSecret := secrets[name]
preserveEnvVar := preserveEnv == "true" || utils.Contains(secretsToPreserve, name)
if isDopplerSecret && !preserveEnvVar {
continue
}

if _, found := secrets[name]; found {
if isDopplerSecret {
utils.LogDebug(fmt.Sprintf("Ignoring Doppler secret %s", name))
}
secrets[name] = value
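Review bot: The loop body in PrepareSecrets now encodes a two-part rule that no comment in the hunk states: ambient variables that do not collide with a Doppler secret are always forwarded, and preserve-env only decides collisions. A comment above `_, isDopplerSecret := secrets[name]` would make that explicit, for example `// env vars that are not Doppler secrets always pass through; preserve-env only settles name collisions`. `utils.Contains(secretsToPreserve, name)` is also evaluated for every environment variable although its result matters only when `isDopplerSecret` is true; writing the guard as `if isDopplerSecret && preserveEnv != "true" && !utils.Contains(secretsToPreserve, name)` skips the scan for non-colliding names. An ambient value replacing a Doppler secret is recorded only through `utils.LogDebug`, so it may be worth confirming that this is visible enough for operators who run with `--preserve-env=true`. The function starts before and continues after this hunk.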
12 changes: 12 additions & 0 deletions tests/e2e/run.sh
@@ -140,4 +140,16 @@ beforeEach
value="$(TEST="foo" "$DOPPLER_BINARY" run --preserve-env="INVALID" -- printenv TEST)"
[[ "$value" == "abc" ]] || error "ERROR: existing env var not ignored when preserve-env flag passed list of nonexistent secret names"

beforeEach

# verify preserve-env flag preserves env vars that aren't Doppler secrets
value="$(NOT_DOPPLER_SECRET="foo" "$DOPPLER_BINARY" run --preserve-env="TEST" -- printenv NOT_DOPPLER_SECRET || true)"
[[ "$value" == "foo" ]] || error "ERROR: existing env var not preserved when preserve-env flag passed unrelated secret name"

beforeEach

# verify preserve-env flag preserves env vars that aren't Doppler secrets when passing false
value="$(NOT_DOPPLER_SECRET="foo" "$DOPPLER_BINARY" run --preserve-env=false -- printenv NOT_DOPPLER_SECRET || true)"
[[ "$value" == "foo" ]] || error "ERROR: existing env var not preserved when preserve-env flag passed false"

afterAll
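Review bot: Both added cases append `|| true` inside the command substitution without saying why, and it also hides a non-zero exit from the Doppler binary itself, so a crash would surface only as "existing env var not preserved". A comment above the first case, such as `# '|| true' keeps printenv's non-zero exit for a missing variable from aborting the script before the assertion`, would document the intent; this assumes the script runs with errexit, which is not visible in this hunk. Neither case checks in the same invocation that a Doppler secret still wins over an ambient value when it is not listed, so the two halves of the rule are only covered by separate tests.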
