twpayne / chezmoi

Manage your dotfiles across multiple diverse machines, securely.
https://www.chezmoi.io/
MIT License

scriptEnv variables not available outside of chezmoi subshell #3268

Closed arrrgi closed 1 year ago

arrrgi commented 1 year ago

Describe the bug

On a new system with only chezmoi installed, vlt throws an error:

```console
$ chezmoi apply --verbose
chezmoi: template: dot_config/git/standard.tmpl:4:18: executing "dot_config/git/standard.tmpl" at <hcpVaultSecret "sshSigningKeyPersonal">: error calling hcpVaultSecret: /opt/homebrew/bin/vlt secrets get --plaintext --app-name chezmoi --project <redacted> --organization <redacted> sshSigningKeyPersonal: exit status 1
You are not currently logged in. Please try using the vlt login command to get started
```

Rather than passing the HCP_CLIENT_ID and HCP_CLIENT_SECRET on the CLI when running apply, etc., the values are set as environment variables in the scriptEnv config object.

chezmoi commands such as status, apply and diff appear to ignore the scriptEnv config object. The only way this currently works is by running chezmoi cd to create a subshell which inherits the scriptEnv defined environment variables before running apply etc.

I also experienced a similar issue when running before/after Bash scripts with set -eufo pipefail that relied on the environment variable being set.

To reproduce

Repro code available here: https://github.com/arrrgi/dotfiles/tree/feature/setup-scripts

Expected behavior

apply, execute-template, diff, status and other similar commands should read the scriptEnv config object and make the environment variables available.

Output of command with the --verbose flag

```console
$ chezmoi --verbose $COMMAND
```

Output of chezmoi doctor

```console
$ chezmoi doctor
RESULT   CHECK                      MESSAGE
ok       version                    v2.40.0, commit 6a8ca1634654734bb33a036ffb9c21e6b9f4d28d, built at 2023-09-19T09:56:08Z, built by goreleaser
ok       latest-version             v2.40.0
ok       os-arch                    darwin/arm64
ok       uname                      Darwin elm-hwd-mni01p 22.6.0 Darwin Kernel Version 22.6.0: Wed Jul 5 22:22:52 PDT 2023; root:xnu-8796.141.3~6/RELEASE_ARM64_T8103 arm64
ok       go-version                 go1.21.1 (gc)
ok       executable                 ~/.local/bin/chezmoi
ok       upgrade-method             replace-executable
ok       config-file                ~/.config/chezmoi/chezmoi.yaml, last modified 2023-09-29T22:29:23+10:00
warning  source-dir                 ~/.local/share/chezmoi is a git working tree (dirty)
warning  suspicious-entries         ~/.local/share/chezmoi/scratch/.chezmoiexternal copy.yaml
warning  working-tree               ~/.local/share/chezmoi is a git working tree (dirty)
ok       dest-dir                   ~ is a directory
ok       umask                      022
ok       cd-command                 found /opt/homebrew/bin/zsh
ok       cd-args                    /opt/homebrew/bin/zsh
info     diff-command               not set
ok       edit-command               found /opt/homebrew/bin/nvim
ok       edit-args                  /opt/homebrew/bin/nvim
ok       git-command                found /opt/homebrew/bin/git, version 2.42.0
ok       merge-command              found /usr/bin/vimdiff
ok       shell-command              found /opt/homebrew/bin/zsh
ok       shell-args                 /opt/homebrew/bin/zsh
ok       age-command                found /opt/homebrew/bin/age, version 1.1.1
info     gpg-command                gpg not found in $PATH
info     pinentry-command           not set
ok       1password-command          found /opt/homebrew/bin/op, version 2.21.0
info     bitwarden-command          bw not found in $PATH
info     bitwarden-secrets-command  bws not found in $PATH
info     dashlane-command           dcli not found in $PATH
info     doppler-command            doppler not found in $PATH
info     gopass-command             gopass not found in $PATH
info     keepassxc-command          keepassxc-cli not found in $PATH
info     keepassxc-db               not set
info     keeper-command             keeper not found in $PATH
info     lastpass-command           lpass not found in $PATH
info     pass-command               pass not found in $PATH
info     passhole-command           ph not found in $PATH
info     rbw-command                rbw not found in $PATH
info     vault-command              vault not found in $PATH
ok       vlt-command                found /opt/homebrew/bin/vlt, version 0.2.2
info     secret-command             not set
```

Additional context

Add any other context about the problem here.

twpayne commented 1 year ago

> chezmoi commands such as status, apply and diff appear to ignore the scriptEnv config object. The only way this currently works is by running chezmoi cd to create a subshell which inherits the scriptEnv defined environment variables before running apply etc.

scriptEnv applies to run_ scripts. It does not apply to arbitrary commands invoked by chezmoi. Changing scriptEnv to apply to all commands run by chezmoi will require some thought about the implications and side-effects.

arrrgi commented 1 year ago

Thanks for the consideration.

My intention behind this feature request was to remove the need to install the VLT CLI and perform vlt login before applying a dotfiles config, using the supported non-interactive method as described at: https://developer.hashicorp.com/vault/tutorials/hcp-vault-secrets-get-started/hcp-vault-secrets-install-cli#configure-the-hcp-vault-secrets-cli

In my prototype, I am prompting the user for these values around the same time as asking for other info such as email address, etc. When chezmoi is updating the target with templated files containing secrets, there is no need to script or manually run vlt login as a prerequisite task if these env vars are available, and it keeps these credentials out of the source-controlled config.

arrrgi commented 1 year ago

Just wanted to add a big thanks for getting this implemented. I know I've capitalized a large amount of your time and effort recently @twpayne and @halostatue - I can't sing enough praise for how you both provide constructive support and work to keep us the demanding consumers happy!

I will factor these changes into my config before the end of this week and let you know if there are any issues. If I'm to understand correctly, env is now the preferred config object and will be what is carried over into v3 in the future.

halostatue commented 1 year ago

> I will factor these changes into my config before the end of this week and let you know if there are any issues. If I'm to understand correctly, env is now the preferred config object and will be what is carried over into v3 in the future.

That is correct. We have not yet marked scriptEnv as deprecated.
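The distinction twpayne draws above (scriptEnv reaches only run_ scripts, not the commands chezmoi invokes such as the vlt call behind hcpVaultSecret) and the env object halostatue confirms as the replacement are easiest to see side by side in the config file. The following chezmoi.yaml is an added illustration written for this page, not a file from the issue, the linked dotfiles repo or the chezmoi docs; the credential values are placeholders, and the claim that env is exported to every command chezmoi runs is taken from the outcome of this thread rather than verified against a particular release.

```yaml
# ~/.config/chezmoi/chezmoi.yaml (illustrative example, not from the issue)
#
# Before: scriptEnv is only exported to run_ scripts. A template line such as
#   {{ hcpVaultSecret "sshSigningKeyPersonal" }}
# makes chezmoi spawn vlt as a separate command that never sees these
# variables, so apply/diff/status fail with "You are not currently logged in"
# unless they are run from inside a `chezmoi cd` subshell.
scriptEnv:
  HCP_CLIENT_ID: "<placeholder-client-id>"         # placeholder, not a real value
  HCP_CLIENT_SECRET: "<placeholder-client-secret>" # placeholder, not a real value

# After: env is exported both to run_ scripts and to the commands chezmoi
# invokes, so the vlt call behind hcpVaultSecret can use the non-interactive
# HCP_CLIENT_ID / HCP_CLIENT_SECRET login without a prior `vlt login`.
env:
  HCP_CLIENT_ID: "<placeholder-client-id>"         # placeholder, not a real value
  HCP_CLIENT_SECRET: "<placeholder-client-secret>" # placeholder, not a real value
```

Because this file lives under ~/.config/chezmoi rather than in the source directory (~/.local/share/chezmoi in the doctor output above), the credentials stay out of the dotfiles repository, which is the property the reporter was after. A quick check that the variables now reach the secret command is to run `chezmoi diff` or `chezmoi apply --verbose` from an ordinary shell, outside any `chezmoi cd` subshell: if hcpVaultSecret resolves without the "not currently logged in" error, env is being exported to the spawned vlt process. The before/after scripts mentioned in the report that use `set -eufo pipefail` benefit in the same way, since an unset variable under `set -u` aborts the script with an unbound-variable error rather than a clear message.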