Allow airshipctl phase render to display encrypted secrets

Relates-to: #453
Change-Id: I150a48cbec5c87943ed6c07a8ef8d562437fda46
Alexey Odinokov 2021-02-16 05:03:56 +00:00
parent f50998935e
commit f2dc2ca3f6
4 changed files with 19 additions and 2 deletions


@ -97,6 +97,12 @@ func addRenderFlags(filterOptions *phase.RenderCommand, cmd *cobra.Command) {
"error will be returned\n"+
"executor: rendering will be performed by executor if the phase\n"+
"config: this will render bundle containing phase and executor documents")
flags.BoolVarP(
&filterOptions.FailOnDecryptionError,
"decrypt",
"d",
false,
"ensure that decryption of encrypted documents has finished successfully")
}
// RenderArgs returns an error if there are not exactly n args.
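Review bot: The usage string for `--decrypt` describes only the strict case, and with the default of `false` a reader cannot tell that the default is fail-open: the RunE change later in this commit sets `TOLERATE_DECRYPTION_FAILURES=true` whenever the flag is absent. I would state that in the help text, e.g. `"fail if any encrypted document cannot be decrypted; without this flag decryption errors are tolerated"`. With the flag set, the rendered output presumably carries decrypted secret material, so the text could also say that the output should be kept out of logs and CI artifacts. The name `decrypt` reads as a switch for decryption itself rather than for strictness, which the field name `FailOnDecryptionError` expresses more accurately. addRenderFlags begins outside this hunk.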


@ -23,6 +23,7 @@ airshipctl phase render initinfra --source executor
Flags:
-a, --annotation string filter documents by Annotations
-g, --apiversion string filter documents by API version
-d, --decrypt ensure that decryption of encrypted documents has finished successfully
-h, --help help for render
-k, --kind string filter documents by Kinds
-l, --label string filter documents by Labels


@ -35,6 +35,7 @@ airshipctl phase render initinfra --source executor
```
-a, --annotation string filter documents by Annotations
-g, --apiversion string filter documents by API version
-d, --decrypt ensure that decryption of encrypted documents has finished successfully
-h, --help help for render
-k, --kind string filter documents by Kinds
-l, --label string filter documents by Labels


@ -16,6 +16,7 @@ package phase
import (
"io"
"os"
"strings"
"opendev.org/airship/airshipctl/pkg/config"
@ -49,8 +50,11 @@ type RenderCommand struct {
// phase the source will use kustomize root at phase entry point
// config will render a bundle that comes from site metadata file, and contains phase and executor docs
// executor means that rendering will be delegated to phase executor
Source string
PhaseID ifc.ID
Source string
// FailOnDecryptionError makes sure that encrypted documents are getting decrypted by avoiding setting
// env variable TOLERATE_DECRYPTION_FAILURES=true
FailOnDecryptionError bool
PhaseID ifc.ID
}
// RunE prints out filtered documents
@ -58,6 +62,11 @@ func (fo *RenderCommand) RunE(cfgFactory config.Factory, out io.Writer) error {
if err := fo.Validate(); err != nil {
return err
}
if !fo.FailOnDecryptionError {
os.Setenv("TOLERATE_DECRYPTION_FAILURES", "true")
}
cfg, err := cfgFactory()
if err != nil {
return err