For this purpose, we introduce a vault cache store to store all the secrets masked using ‘secret’ flag
When a dvar is masked as secret, it is stored in vault and this will not be printed out or exposed
tasks:
- name: task
task:
- func: cmd
dvars:
- name: enc_key
value: my_enc_key
flags:
- secret
- name: value_encrypted
value: '{{ "ENV_AAA" | encryptAES .enc_key }}'
flags:
- vvvv
- taskScope
- name: ENV_AAA
value: '{{.value_encrypted}}'
flags:
- secure
do:
- name: print
cmd: |
var: {{.ENV_AAA}}
decrypted secure var: {{.secure_ENV_AAA}}
- name: inspect
desc: the vars in caller after invoking module task
cmd:
- exec_vars
- exec_base_vars
- exec_base_env_vars_configured
- exec_env_vars_configured
- debug_vars
- func: cmd
dvars:
- name: ENV_BBB
value: '{{.value_encrypted}}'
flags:
- secure
do:
- name: print
cmd: |
var: {{.ENV_BBB}}
decrypted secure var: {{.secure_ENV_BBB}}
loading [Config]: ./tests/functests/upconfig.yml
Main config:
Version -> 1.0.0
RefDir -> ./tests/functests
WorkDir -> cwd
AbsWorkDir -> /up_project/up
TaskFile -> c0201
Verbose -> vvv
ModuleName -> self
ShellType -> /bin/sh
MaxCallLayers -> 8
Timeout -> 3600000
MaxModuelCallLayers -> 256
EntryTask -> task
ModRepoUsernameRef ->
ModRepoPasswordRef ->
work dir: /up_project/up
-exec task: task
loading [Task]: ./tests/functests/c0201
module: [self], instance id: [dev], exec profile: []
profile - envVars:
(*core.Cache)({
})
Task1: [task ==> task: ]
-Step1:
dvar> value_encrypted:
"MahyRmE8wwWJeGbPPmytZu9THxE/vg1WTZJXM5oWHxQ="
-
MahyRmE8wwWJeGbPPmytZu9THxE/vg1WTZJXM5oWHxQ=
self: final context exec vars:
(*core.Cache)({
"up_runtime_task_layer_number": 0,
"ENV_AAA": "MahyRmE8wwWJeGbPPmytZu9THxE/vg1WTZJXM5oWHxQ=",
"value_encrypted": "MahyRmE8wwWJeGbPPmytZu9THxE/vg1WTZJXM5oWHxQ="
})
~SubStep1: [print: ]
var: MahyRmE8wwWJeGbPPmytZu9THxE/vg1WTZJXM5oWHxQ=
decrypted secure var: ENV_AAA
~SubStep2: [inspect: the vars in caller after invoking module task ]
1: inspect[exec_vars]
(*core.Cache)({
"up_runtime_task_layer_number": 0,
"ENV_AAA": "MahyRmE8wwWJeGbPPmytZu9THxE/vg1WTZJXM5oWHxQ=",
"secure_ENV_AAA": "ENV_AAA",
"value_encrypted": "MahyRmE8wwWJeGbPPmytZu9THxE/vg1WTZJXM5oWHxQ="
})
2: inspect[exec_base_vars]
{
}
3: inspect[exec_base_env_vars_configured]
4: inspect[exec_env_vars_configured]
5: inspect[debug_vars]
-debug vars-
"UpRunTimeVars"
(*core.Cache)({
"up_runtime_task_layer_number": 0
})
"RuntimeVarsAndDvarsMerged"
(*core.Cache)({
})
"ExecbaseVars"
(*core.Cache)({
})
"TaskVars"
(*core.Cache)({
"value_encrypted": "MahyRmE8wwWJeGbPPmytZu9THxE/vg1WTZJXM5oWHxQ="
})
"ExecContextVars"
(*core.Cache)({
"value_encrypted": "MahyRmE8wwWJeGbPPmytZu9THxE/vg1WTZJXM5oWHxQ=",
"up_runtime_task_layer_number": 0,
"ENV_AAA": "MahyRmE8wwWJeGbPPmytZu9THxE/vg1WTZJXM5oWHxQ=",
"secure_ENV_AAA": "ENV_AAA"
})
--
-Step2:
self: final context exec vars:
(*core.Cache)({
"up_runtime_task_layer_number": 0,
"value_encrypted": "MahyRmE8wwWJeGbPPmytZu9THxE/vg1WTZJXM5oWHxQ=",
"ENV_BBB": "MahyRmE8wwWJeGbPPmytZu9THxE/vg1WTZJXM5oWHxQ="
})
~SubStep1: [print: ]
var: MahyRmE8wwWJeGbPPmytZu9THxE/vg1WTZJXM5oWHxQ=
decrypted secure var: ENV_AAA