kapicorp / kapitan

Generic templated configuration management for Kubernetes, Terraform and other things
https://kapitan.dev
Apache License 2.0

Allow setting inventory values based on custom commands #197

Closed uberspot closed 5 years ago

uberspot commented 5 years ago

Possible example, but the format of the inventory is flexible, you can use whatever is better.

parameters:
  name: "something"
  service_account: ?{exec: 'gcloud iam service-accounts create [SA-NAME] --display-name "[SA-DISPLAY-NAME]"'}

And the output would be saved/cached somewhere.

ramaro commented 5 years ago

I think this needs a bit more discussion on the user experience. Does it make sense to use/abuse the secrets system for such a feature? Is an exec type really necessary? Should it be a function instead?

ramaro commented 5 years ago

I also think the best solution is actually to allow the user to define custom functions for their templates.

harsh-98 commented 5 years ago

@uberspot. The exec feature can also be abused, like running some malicious command. Though we can put in some checks so that only specific commands are allowed, like in eval_func. https://github.com/deepmind/kapitan/blob/master/kapitan/refs/functions.py#L30
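
Added example, not part of this thread and not Kapitan's code: a sketch of the allowlist check harsh-98 suggests for an exec-style reference, combined with the output caching from the original proposal. The names `ALLOWED`, `parse_exec_ref` and `resolve_exec_ref` and the allowlist contents are assumptions made for illustration.

```python
import os
import shlex
import subprocess

# Hypothetical allowlist: executable name -> permitted first argument
# (None means any arguments are accepted for that executable).
ALLOWED = {"echo": None, "gcloud": {"iam"}}


class ExecRefError(ValueError):
    """Raised when an exec reference is rejected before anything runs."""


def parse_exec_ref(command, allowed=ALLOWED):
    """Split a command string into argv and check it against the allowlist."""
    try:
        argv = shlex.split(command)
    except ValueError as exc:  # e.g. unbalanced quotes in the inventory value
        raise ExecRefError(f"unparseable command: {exc}") from exc
    if not argv:
        raise ExecRefError("empty command")
    prog = argv[0]
    # Reject paths so "./gcloud" or "/tmp/gcloud" cannot stand in for the real tool.
    if os.path.basename(prog) != prog or prog not in allowed:
        raise ExecRefError(f"command not allowed: {prog!r}")
    subcommands = allowed[prog]
    if subcommands is not None and (len(argv) < 2 or argv[1] not in subcommands):
        raise ExecRefError(f"subcommand not allowed for {prog!r}")
    return argv


_cache = {}  # argv tuple -> captured stdout, so each command runs at most once


def resolve_exec_ref(command, allowed=ALLOWED, runner=subprocess.run):
    """Run an allowlisted command without a shell and cache its output."""
    argv = tuple(parse_exec_ref(command, allowed))
    if argv not in _cache:
        # A list argv means no shell is involved: ';', '|' and '$()' are
        # passed to the program as literal arguments, never interpreted.
        done = runner(list(argv), capture_output=True, text=True,
                      check=True, timeout=30)
        _cache[argv] = done.stdout.strip()
    return _cache[argv]
```

The allowlist only constrains which program and subcommand run; the arguments still come from whoever can edit the inventory, which is the trust boundary uberspot describes in the next comment.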

uberspot commented 5 years ago

Those malicious commands will have to be coming from the developers themselves I assume. We could start with a list of allowed commands but sanitizing these seems like extra effort to restrict the developers themselves. Kapitan isn't meant to handle external/unsanitised user input anyway. It's a templating tool.

ramaro commented 5 years ago

Let's close this and work on allowing custom functions instead?

uberspot commented 5 years ago

:+1: closing