envsubst: remove explicit subst of exported vars #830

Merged
merged 15 commits into from
Mar 27, 2025

@alxndrsn alxndrsn commented Dec 9, 2024

Approach suggested in #818 (comment)


For nginx config, a new approach is implemented with mawk.

This is similar to envsubst, but more ergonomic:

  • no need to explicitly list all variables
  • throw error on missing variables
  • do not replace nginx vars like $host, $request_uri with empty strings (in contrast to envsubst when executed without an explicit variable list)

Risks:

There are a couple of changes which may break existing deployments:

  • changing client-config.json.template
  • requiring all substituted variables to be defined

Closes #473


What has been done to verify that this works as intended?

Added tests, added tests to CI, run tests.

Why is this the best possible solution? Were any other approaches considered?

Considered perl, bash & sed, as they are other scripting languages present in the images in which we currently use envsubst. awk or perl seem the most suitable. I am not aware of a reason to use one over the other.

# jonasal/nginx-certbot:5.4.0

* perl: v5.36.0
* awk: mawk 1.3.4 20200120
* node: not found
* bash: GNU bash, version 5.2.15(1)-release (x86_64-pc-linux-gnu)
* sed: sed (GNU sed) 4.9

# node:20.17.0-slim

* perl: v5.36.0
* awk: mawk 1.3.4 20200120
* node: v20.17.0
* bash: GNU bash, version 5.2.15(1)-release (x86_64-pc-linux-gnu)
* sed: sed (GNU sed) 4.9

# ghcr.io/enketo/enketo:7.4.0

* perl: v5.36.0
* awk: mawk 1.3.4 20200120
* node: v20.17.0
* bash: GNU bash, version 5.2.15(1)-release (x86_64-pc-linux-gnu)
* sed: sed (GNU sed) 4.9

How does this change affect users? Describe intentional changes to behavior and behavior that could have accidentally been affected by code changes. In other words, what are the regression risks?

As mentioned above, there's a risk that throwing when a variable is not defined will break existing deployments. That wouldn't be great.

Does this change require updates to documentation? If so, please file an issue here and include the link below.

Maybe? If there is some genuine risk in the previous answer.

Before submitting this PR, please make sure you have:

  • branched off and targeted the next branch OR only changed documentation/infrastructure (master is stable and used in production)
  • verified that any code or assets from external sources are properly credited in comments or that everything is internally sourced


@brontolosone brontolosone left a comment

Splendid!

@matthew-white matthew-white linked an issue Dec 19, 2024 that may be closed by this pull request
@lognaturel lognaturel self-requested a review January 9, 2025 16:48
@lognaturel
Member

Can we remove the gettext dependency installed in all the images?

alxndrsn added a commit that referenced this pull request Feb 13, 2025
This change brings consistency: all other executables in `files/**` are marked executable in git rather than `chmod`'d in `.dockerfile` files.

The `chmod` call was originally introduced in #676 without discussion.

There is a wider debate whether git can be trusted to manage file permissions, touched on at #830 (comment)
@alxndrsn
Contributor Author

> Can we remove the gettext dependency installed in all the images?

Good catch - that seems very likely. I've removed gettext installations.

Member

@lognaturel lognaturel left a comment

One small change inline and one quick confirmation -- this works fine if a user's configuration file omits certain config keys, right (e.g. the OIDC ones)? I imagine a bunch of tests would fail if that weren't the case but want to double check.

@alxndrsn alxndrsn mentioned this pull request Feb 20, 2025
2 tasks
@alxndrsn
Contributor Author

> one quick confirmation -- this works fine if a user's configuration file omits certain config keys, right (e.g. the OIDC ones)?

I think this is handled in the production docker-compose.yml file by the environment defaults:

```yaml
environment:
  - DOMAIN=${DOMAIN}
  - SYSADMIN_EMAIL=${SYSADMIN_EMAIL}
  - HTTPS_PORT=${HTTPS_PORT:-443}
  - NODE_OPTIONS=${SERVICE_NODE_OPTIONS:-}
  - DB_HOST=${DB_HOST:-postgres14}
  - DB_USER=${DB_USER:-odk}
  - DB_PASSWORD=${DB_PASSWORD:-odk}
  - DB_NAME=${DB_NAME:-odk}
  - DB_SSL=${DB_SSL:-null}
  - EMAIL_FROM=${EMAIL_FROM:-no-reply@$DOMAIN}
  - EMAIL_HOST=${EMAIL_HOST:-mail}
  - EMAIL_PORT=${EMAIL_PORT:-25}
  - EMAIL_SECURE=${EMAIL_SECURE:-false}
  - EMAIL_IGNORE_TLS=${EMAIL_IGNORE_TLS:-true}
  - EMAIL_USER=${EMAIL_USER:-}
  - EMAIL_PASSWORD=${EMAIL_PASSWORD:-}
  - OIDC_ENABLED=${OIDC_ENABLED:-false}
  - OIDC_ISSUER_URL=${OIDC_ISSUER_URL:-}
  - OIDC_CLIENT_ID=${OIDC_CLIENT_ID:-}
  - OIDC_CLIENT_SECRET=${OIDC_CLIENT_SECRET:-}
  - SENTRY_ORG_SUBDOMAIN=${SENTRY_ORG_SUBDOMAIN:-o130137}
  - SENTRY_KEY=${SENTRY_KEY:-3cf75f54983e473da6bd07daddf0d2ee}
  - SENTRY_PROJECT=${SENTRY_PROJECT:-1298632}
  - S3_SERVER=${S3_SERVER:-}
  - S3_ACCESS_KEY=${S3_ACCESS_KEY:-}
  - S3_SECRET_KEY=${S3_SECRET_KEY:-}
  - S3_BUCKET_NAME=${S3_BUCKET_NAME:-}
```

If a value is undefined by a user, and omitted from these lists, then substitution would fail.

I've added an extra test case to ensure that substituting empty values is supported.
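
The substitution behaviour discussed in this PR (the three properties listed in the description, and the empty-versus-undefined distinction in the comment above), sketched as an added example. This is not the script merged in the PR; `render_template`, the sample template and the choice to treat only the braced `${NAME}` form as a placeholder are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration, not the project's script. Assumption: only the braced
# ${NAME} form is a placeholder; bare $name tokens are left for nginx.

# render_template: read a template on stdin, write the result to stdout.
# Exit status is 1 if any ${NAME} placeholder has no environment variable.
render_template() {
  awk '
    {
      out = ""; rest = $0
      # Splice with substr() rather than sub(): values containing & or \
      # are copied literally, and inserted values are never re-scanned.
      while (match(rest, /[$][{][A-Za-z_][A-Za-z0-9_]*[}]/)) {
        name = substr(rest, RSTART + 2, RLENGTH - 3)
        if (name in ENVIRON) {
          val = ENVIRON[name]          # defined-but-empty is a valid value
        } else {
          printf "line %d: %s is not defined\n", NR, name > "/dev/stderr"
          missing = 1; val = ""
        }
        out = out substr(rest, 1, RSTART - 1) val
        rest = substr(rest, RSTART + RLENGTH)
      }
      print out rest
    }
    END { exit (missing ? 1 : 0) }
  '
}

# Constructed sample template (not taken from the repository).
SAMPLE_TEMPLATE='server_name ${DOMAIN};
proxy_set_header Host $host;
return 301 https://$host:${HTTPS_PORT}$request_uri;
# oidc client: "${OIDC_CLIENT_ID}"'

# Demo with constructed values; OIDC_CLIENT_ID is defined but empty.
export DOMAIN=odk.example.test HTTPS_PORT=443 OIDC_CLIENT_ID=
printf '%s\n' "$SAMPLE_TEMPLATE" | render_template
```

Render to a temporary file and move it into place only when the exit status is 0, so a partially substituted config never reaches nginx.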

@alxndrsn alxndrsn requested a review from lognaturel March 19, 2025 10:50
@alxndrsn alxndrsn merged commit 97479d6 into getodk:next Mar 27, 2025
4 checks passed
@alxndrsn alxndrsn deleted the envsbust-awk branch March 27, 2025 08:09
Successfully merging this pull request may close these issues.

There is no need to explicitly list variables in envsubst