nebari-dev / nebari

🪴 Nebari - your open source data science platform
https://nebari.dev
BSD 3-Clause "New" or "Revised" License

[ENH] Digital Ocean exposes deploy token when validator error occurs #2532

Open viniciusdc opened 1 month ago

viniciusdc commented 1 month ago

When not all required vars are present in the user environment, a validation error occurs, notifying the user of the missing variables. However, when doing so, it also exposes the values of any already passed var to the user without masking.

Below is an example of such an error message, with a manually masked token, which was in this case fully exposed:

ValidationError: 1 validation error for ConfigSchema
digital_ocean
  Value error, Missing the following required environment variables: {'SPACES_ACCESS_KEY_ID': None, 'DIGITALOCEAN_TOKEN': 
'dop_v1_*****', 'SPACES_SECRET_ACCESS_KEY': None}

            Please see the documentation for more information: https://www.nebari.dev/docs/how-tos/nebari-do [type=value_error, input_value={'kubernetes_version': '1...s': 1, 'max_nodes': 
5}}}, input_type=CommentedMap]
    For further information visit https://errors.pydantic.dev/2.4/v/value_error

viniciusdc commented 1 month ago

To fix this issue, look for the validation function and replace required_variables with missing_variables here:

https://github.com/nebari-dev/nebari/blob/9baab7e29e2ec9b172ef439ddc66a5e51a380066/src/_nebari/utils.py#L352-L355
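The fix suggested above, as an added example that is not part of the original thread and not Nebari's own code: the leaky check formats the full name-to-value map into the error, while the safe check reports only the names of unset variables. The function names and the shape of the leaky version are assumptions reconstructed from the error message in this issue; the token value is constructed.

```python
import os

# Variable names taken from the error message quoted in this issue.
DO_REQUIRED = ("DIGITALOCEAN_TOKEN", "SPACES_ACCESS_KEY_ID", "SPACES_SECRET_ACCESS_KEY")


def check_env_leaky(names, env=None):
    """Assumed shape of the bug: the message interpolates every name AND value."""
    env = os.environ if env is None else env
    required_variables = {name: env.get(name) for name in names}
    missing_variables = {k: v for k, v in required_variables.items() if v is None}
    if missing_variables:
        # Wrong dict in the message: values that ARE set end up in logs/tracebacks.
        raise ValueError(
            f"Missing the following required environment variables: {required_variables}"
        )


def check_env_safe(names, env=None):
    """Report only the names of unset variables; no value reaches the message."""
    env = os.environ if env is None else env
    # Assumption: an empty string is treated as unset, since it is unusable.
    missing = sorted(name for name in names if not env.get(name))
    if missing:
        raise ValueError(
            "Missing the following required environment variables: " + ", ".join(missing)
        )


def error_text(check, names, env):
    """Run a check and return the message it raises ('' if it passes)."""
    try:
        check(names, env)
    except ValueError as exc:
        return str(exc)
    return ""


if __name__ == "__main__":
    # Constructed environment: token set to a fake value, Spaces keys unset.
    sample_env = {"DIGITALOCEAN_TOKEN": "dop_v1_CONSTRUCTED_EXAMPLE"}
    print("leaky:", error_text(check_env_leaky, DO_REQUIRED, sample_env))
    print("safe: ", error_text(check_env_safe, DO_REQUIRED, sample_env))
```

Passing only names into the exception also keeps the secret out of anything that later captures the message, such as CI logs or pasted tracebacks.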

arjxn-py commented 1 month ago

Greetings @viniciusdc, I'd like to try working on this one if alright & maybe get back with some progress in case I need more input. For now, may I have some context to reproduce the above ValidationError?

Edit: Just noticed that it's related to #2530

viniciusdc commented 1 month ago

Hi @arjxn-py, definitely. To reproduce you will need to follow the deploy on DO docs to some extent: https://www.nebari.dev/docs/how-tos/nebari-do

The exact version I used was nebari==2024.5.1 but it should show up in the latest one as well.

You don't need to deploy it, in my case I provided a config (as you noticed from the related issue) and just ran nebari render -c nebari-config.yaml to trigger some of the validations, but you might encounter it even quicker when running the nebari init do command.

To trigger the exception, just include one of the environment variables that are required:

export DIGITALOCEAN_TOKEN=""          # API token required to generate resources
export SPACES_ACCESS_KEY_ID=""        # public access key for access spaces
export SPACES_SECRET_ACCESS_KEY=""    # the private key for access spaces

In my case, I had the DIGITALOCEAN_TOKEN already populated, so that showed to me when the error was raised. But you might see the same message show up by not including any at all as well.

viniciusdc commented 1 month ago

This issue probably has two things to address:

viniciusdc commented 1 month ago

Feel free to open a PR, even if it's a draft :smiley:

arjxn-py commented 1 month ago

Thanks a lot @viniciusdc, your comments helped a lot. Sorry that it took me more time than expected, as I was in a bit of a dilemma that I'd need Digital Ocean credits to test this out & was trying to manage that. But I was wrong 😅

viniciusdc commented 1 month ago

No worries, I am glad all worked in the end :100:. I also should've mentioned that as well. Next time feel free to ask, as this will help us update the docs later on as well :rocket:

arjxn-py commented 1 month ago

> feel free to ask, as this will help us update the docs later on as well 🚀

Sounds good, I'd be more than happy to assist with those improvements too :)

Adam-D-Lewis commented 1 month ago

We are planning on deprecating Digital Ocean support due to low usage. It could still be deployed on Digital Ocean via an existing cluster deployment. @arjxn-py Please comment on the issue if you think we should keep it - https://github.com/nebari-dev/nebari/issues/2542

arjxn-py commented 2 weeks ago

I think we can also safely close this one too since this is no longer required, @viniciusdc.