Better way to include a single line secret/password from external file into yaml bundle, while stripping trailing newline
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Canonical Juju | Confirmed | Wishlist | Unassigned |
Bug Description
Some deployments want to keep secret files and passwords in a separate file that is stored outside of the git repository/main bundle definitions the rest of the bundle is in. An example:
cinder-oceanstor:
  charm: cs:~fe-
  options:
    username: include-
The problem we had in this case is that the single-line username 'canonical' in the file has a trailing newline which is then faithfully reproduced in the charm settings and caused an authentication failure (in part because in this case, the value ended up base64 encoded in the final config storage, and so was able to preserve the newline in ways that many other cases may not have).
This seems like a not-unlikely trap for people to hit in a recurring way. There are many solutions to this exact situation, e.g. create a file with no trailing newline (but someone creating new credentials is likely to not remember to do that, and someone editing the file to change the secret is also likely to have their editor replace the newline). Similarly expecting all charms to always strip such inputs also seems likely to just result in recurring problems.
Hence I want to consider if there is a systematically better way to handle this that is obvious and right in most cases, to use for this specific pattern.
We equally have to consider cases where the newline is wanted. Though I think more rare for the single-line case, it's not unlikely to want a trailing new-line for multi-line data. Special casing the 'include-file://' handler to only strip a newline if there is a single-line in the file seems like a bad idea as much as it might often do the right thing.
Some thoughts on better ways to do this:
- Instead of using include-file here, just put the secrets in a bundle overlay. This can sometimes however be high-maintenance in that you have to produce a full bundle format with all the hierarchies including applications/charm application name/options. And a change to the charm application name could unintentionally un-link the configuration.
- An easy way to include all options from a YAML formatted file, e.g. an "options-include:" without having to have it fully replicate the bundle format, e.g. accept a file with the simple YAML format "username: x\npassword: y\n" to merge with the "options" section. As it's clunky to maintain many different secrets files and to then also have to correctly duplicate the charm application name (as for example, if the charm name was changed, the included file would no longer apply and that may not be obvious).
I would appreciate input on either a Canonical way to do this better with the current tools or future improvement for the same.
Changed in juju: status: Expired → Confirmed
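The "options-include" idea from the second bullet can be approximated today as a pre-processing step that turns a flat secrets file into a bundle overlay. The script below is an added example, not Juju's own code or the reporter's: it parses a flat YAML mapping (plain, quoted and `|` / `|-` / `|+` block scalars only, a hand-written subset parser rather than a full YAML library), nests the result under `applications/<app>/options`, and flags any value that is a single line plus a trailing newline, the exact shape that caused the failure above. Because plain scalars are parsed rather than read as raw file contents, the file's own trailing newline never reaches the value; a multi-line value that genuinely needs a trailing newline says so explicitly with `|`. The application name `cinder-oceanstor` comes from the report; the file name `secrets.yaml`, the sample values and the certificate body are constructed placeholders.

```python
"""Build a Juju bundle overlay from a flat secrets file.

Added example, not Juju's own code. Implements the "options-include" idea
from the report as a pre-processing step: a flat YAML mapping
(option name -> value) is placed under applications/<app>/options of a
generated overlay, so the secrets file never has to replicate the bundle
hierarchy by hand. Only a YAML subset is parsed (plain/quoted scalars and
'|', '|-', '|+' block scalars); all values are treated as strings.
"""
import json
import sys


def parse_flat_yaml(text):
    """Parse a flat YAML mapping into {key: str}.

    A plain scalar is the text after 'key:' with surrounding whitespace
    removed, so the file's trailing newline is never part of the value.
    Block scalars follow YAML chomping: '|' keeps exactly one trailing
    newline, '|-' keeps none, '|+' keeps every trailing blank line.
    """
    options = {}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():
            raise ValueError(f"unexpected indented line: {line!r}")
        key, sep, rest = line.partition(":")  # split at the FIRST colon only
        if not sep:
            raise ValueError(f"expected 'key: value': {line!r}")
        key, rest = key.strip(), rest.strip()
        if rest in ("|", "|-", "|+"):
            body = []
            while i < len(lines) and (lines[i].startswith("  ") or not lines[i].strip()):
                body.append(lines[i][2:])  # dedent by the two-space indent
                i += 1
            trailing = 0
            while body and not body[-1].strip():  # count trailing blank lines
                body.pop()
                trailing += 1
            content = "\n".join(body)
            if rest == "|":
                options[key] = content + "\n"
            elif rest == "|-":
                options[key] = content
            else:
                options[key] = content + "\n" * (1 + trailing)
        elif len(rest) >= 2 and rest[0] == rest[-1] == '"':
            options[key] = json.loads(rest)  # double-quoted: JSON-style escapes
        elif len(rest) >= 2 and rest[0] == rest[-1] == "'":
            options[key] = rest[1:-1].replace("''", "'")
        else:
            options[key] = rest
    return options


def single_line_values_with_trailing_newline(options):
    """Names of options whose value is one line plus a trailing newline, the
    shape from the report; with this parser it can only arise from 'key: |'
    written over a single line, which is almost certainly unintended."""
    return [k for k, v in options.items()
            if v.endswith("\n") and v.count("\n") == 1]


def render_overlay(app_name, options):
    """Emit the overlay document. Values are written as JSON strings, which
    YAML accepts as double-quoted scalars, so embedded newlines and quotes
    survive unambiguously instead of depending on plain-scalar rules."""
    out = ["applications:", f"  {app_name}:", "    options:"]
    for key, value in options.items():
        out.append(f"      {key}: {json.dumps(value)}")
    return "\n".join(out) + "\n"


# Constructed sample secrets file (not from the report); the certificate
# body is a placeholder. Note the file itself ends in a newline.
SAMPLE_SECRETS = """\
username: canonical
password: "pa55:word"
ca-cert: |
  -----BEGIN CERTIFICATE-----
  PLACEHOLDER-CERT-BODY
  -----END CERTIFICATE-----
"""


def main(argv):
    if len(argv) == 3:  # usage: secrets_overlay.py <app-name> <secrets.yaml>
        app, path = argv[1], argv[2]
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
    else:  # no arguments: run on the constructed sample
        app, text = "cinder-oceanstor", SAMPLE_SECRETS
    options = parse_flat_yaml(text)
    for key in single_line_values_with_trailing_newline(options):
        print(f"warning: {key!r} is a single line ending in a newline", file=sys.stderr)
    sys.stdout.write(render_overlay(app, options))


if __name__ == "__main__":
    main(sys.argv)
```

Run as `python3 secrets_overlay.py cinder-oceanstor secrets.yaml > secrets-overlay.yaml` and pass the result with `juju deploy bundle.yaml --overlay secrets-overlay.yaml`. The generated overlay still carries the application name, so a rename of the application in the main bundle would still un-link it, but the name now lives in one place (the command line or a Makefile) rather than being hand-copied into every secrets file.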
Some other real-world examples:
- https://bugs.launchpad.net/charm-openstack-dashboard/+bug/1868645
- https://bugs.launchpad.net/charm-keystone/+bug/1895004
- https://bugs.launchpad.net/charm-helpers/+bug/1891803