Skip to content

envsubst: remove explicit subst of exported vars#830

Merged
alxndrsn merged 15 commits intogetodk:nextfrom
alxndrsn:envsbust-awk
Mar 27, 2025
Merged

envsubst: remove explicit subst of exported vars#830
alxndrsn merged 15 commits intogetodk:nextfrom
alxndrsn:envsbust-awk

Conversation

@alxndrsn
Copy link
Contributor

@alxndrsn alxndrsn commented Dec 9, 2024

Approach suggested in #818 (comment)

For nginx config, a new approach is implemented with mawk.

This is similar to envsubst, but more ergonomic:

  • no need to explicitly list all variables
  • throw error on missing variables
  • do not replace nginx vars like $host, $request_uri with empty strings (in contrast to envsubst when executed without an explicit variable list)

Risks:

There are a couple of changes which may break existing deployments:

  • changing client-config.json.template
  • requiring all substituted variable to be defined

Closes #473

What has been done to verify that this works as intended?

Added tests, added tests to CI, run tests.

Why is this the best possible solution? Were any other approaches considered?

Considered perl, bash & sed, as they are other scripting languages present in the images in which we currently use enbsubst. awk or perl seem the most suitable. I am not aware of a reason to use one over the other.

# jonasal/nginx-certbot:5.4.0

* perl: v5.36.0
* awk: mawk 1.3.4 20200120
* node: not found
* bash: GNU bash, version 5.2.15(1)-release (x86_64-pc-linux-gnu)
* sed: sed (GNU sed) 4.9

# node:20.17.0-slim

* perl: v5.36.0
* awk: mawk 1.3.4 20200120
* node: v20.17.0
* bash: GNU bash, version 5.2.15(1)-release (x86_64-pc-linux-gnu)
* sed: sed (GNU sed) 4.9

# ghcr.io/enketo/enketo:7.4.0

* perl: v5.36.0
* awk: mawk 1.3.4 20200120
* node: v20.17.0
* bash: GNU bash, version 5.2.15(1)-release (x86_64-pc-linux-gnu)
* sed: sed (GNU sed) 4.9

How does this change affect users? Describe intentional changes to behavior and behavior that could have accidentally been affected by code changes. In other words, what are the regression risks?

As mentioned above, there's a risk that throwing when a variable is not defined will break existing deployments. That wouldn't be great.

Does this change require updates to documentation? If so, please file an issue here and include the link below.

Maybe? If there is some genuine risk in the previous answer.

Before submitting this PR, please make sure you have:

  • branched off and targeted the next branch OR only changed documentation/infrastructure (master is stable and used in production)
  • verified that any code or assets from external sources are properly credited in comments or that everything is internally sourced

envsubst: remove explicit subst of exported vars
af73093 
For nginx config, a new approach is implemented with mawk.

This is similar to envusbst, but more ergonomic:

* no need to explicitly list all variables
* throw error on missing variables
* do not replace nginx vars like $host, $request_uri with empty strings (in contrast to envsubst when executed without an explicit variable list)

Risks:

There are a couple of changes which may break existing deployments:

* changing client-config.json.template
* requiring all substituted variable to be defined

Closes getodk#473
@alxndrsn alxndrsn requested a review from brontolosone December 9, 2024 08:30
@alxndrsn alxndrsn mentioned this pull request Dec 9, 2024
Closed
2 tasks
brontolosone
brontolosone requested changes Dec 9, 2024
View reviewed changes
Copy link
Contributor

@brontolosone brontolosone left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Splendid!

@alxndrsn alxndrsn mentioned this pull request Dec 10, 2024
Merged
@alxndrsn

This comment was marked as outdated.

Sign in to view
@matthew-white matthew-white linked an issue Dec 19, 2024 that may be closed by this pull request
There is no need to explicitly list variables in envsubst #473
Closed
@lognaturel lognaturel self-requested a review January 9, 2025 16:48
@lognaturel
Copy link
Member

lognaturel commented Feb 12, 2025

Can we remove the gettext dependency installed in all the images?

alxndrsn added a commit that referenced this pull request Feb 13, 2025
@alxndrsn
nginx/setup-odk.sh: make file executable (#840)
7594c91 
This change brings consistency: all other executables in `files/**` are marked executable in git rather than `chmod`'d in `.dockerfile` files.

The `chmod` call was originally introduced in #676 without discussion.

There is a wider debate whether git can be trusted to manage file permissions, touched on at #830 (comment)
@alxndrsn
Copy link
Contributor Author

alxndrsn commented Feb 13, 2025

Can we remove the gettext dependency installed in all the images?

Good catch - that seems very likely. I've removed gettext installations.

lognaturel
lognaturel reviewed Feb 19, 2025
View reviewed changes
lognaturel
lognaturel approved these changes Feb 19, 2025
View reviewed changes
Copy link
Member

@lognaturel lognaturel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One small change inline and one quick confirmation -- this works fine if a user's configuration file omits certain config keys, right (e.g. the OIDC ones)? I imagine a bunch of tests would fail if that weren't the case but want to double check.

@alxndrsn alxndrsn mentioned this pull request Feb 20, 2025
Merged
2 tasks
@alxndrsn
Copy link
Contributor Author

alxndrsn commented Feb 20, 2025

one quick confirmation -- this works fine if a user's configuration file omits certain config keys, right (e.g. the OIDC ones)?

I think this is handled in the production docker-compose.yml file by the environment defaults:

central/docker-compose.yml

Lines 49 to 76 in 279c4cb

environment:
- DOMAIN=${DOMAIN}
- SYSADMIN_EMAIL=${SYSADMIN_EMAIL}
- HTTPS_PORT=${HTTPS_PORT:-443}
- NODE_OPTIONS=${SERVICE_NODE_OPTIONS:-}
- DB_HOST=${DB_HOST:-postgres14}
- DB_USER=${DB_USER:-odk}
- DB_PASSWORD=${DB_PASSWORD:-odk}
- DB_NAME=${DB_NAME:-odk}
- DB_SSL=${DB_SSL:-null}
- EMAIL_FROM=${EMAIL_FROM:-no-reply@$DOMAIN}
- EMAIL_HOST=${EMAIL_HOST:-mail}
- EMAIL_PORT=${EMAIL_PORT:-25}
- EMAIL_SECURE=${EMAIL_SECURE:-false}
- EMAIL_IGNORE_TLS=${EMAIL_IGNORE_TLS:-true}
- EMAIL_USER=${EMAIL_USER:-}
- EMAIL_PASSWORD=${EMAIL_PASSWORD:-}
- OIDC_ENABLED=${OIDC_ENABLED:-false}
- OIDC_ISSUER_URL=${OIDC_ISSUER_URL:-}
- OIDC_CLIENT_ID=${OIDC_CLIENT_ID:-}
- OIDC_CLIENT_SECRET=${OIDC_CLIENT_SECRET:-}
- SENTRY_ORG_SUBDOMAIN=${SENTRY_ORG_SUBDOMAIN:-o130137}
- SENTRY_KEY=${SENTRY_KEY:-3cf75f54983e473da6bd07daddf0d2ee}
- SENTRY_PROJECT=${SENTRY_PROJECT:-1298632}
- S3_SERVER=${S3_SERVER:-}
- S3_ACCESS_KEY=${S3_ACCESS_KEY:-}
- S3_SECRET_KEY=${S3_SECRET_KEY:-}
- S3_BUCKET_NAME=${S3_BUCKET_NAME:-}

If a value is undefined by a user, and omitted from these lists, then substitution would fail.

I've added an extra test case to ensure that substituting empty values is supported.

@alxndrsn alxndrsn requested a review from lognaturel March 19, 2025 10:50
@alxndrsn alxndrsn merged commit 97479d6 into getodk:next Mar 27, 2025
4 checks passed
@alxndrsn alxndrsn deleted the envsbust-awk branch March 27, 2025 08:09
@matthew-white matthew-white mentioned this pull request Mar 28, 2025
Closed
@tobiasmcnulty
Copy link

tobiasmcnulty commented Jun 5, 2025

Splendid indeed! A belated thank you for this. These changes will make it easier to maintain our fork that allows customizing some of the backend service URLs.

yanokwa pushed a commit to yanokwa/odk-central that referenced this pull request Jun 11, 2025
@alxndrsn @yanokwa
nginx/setup-odk.sh: make file executable (getodk#840)
1fe957f 
This change brings consistency: all other executables in `files/**` are marked executable in git rather than `chmod`'d in `.dockerfile` files.

The `chmod` call was originally introduced in getodk#676 without discussion.

There is a wider debate whether git can be trusted to manage file permissions, touched on at getodk#830 (comment)
yanokwa pushed a commit to yanokwa/odk-central that referenced this pull request Jun 11, 2025
@alxndrsn @yanokwa
envsubst: remove explicit subst of exported vars (getodk#830)
de233ca 
Approach suggested in getodk#818 (comment)

-----

For nginx config, a new approach is implemented with mawk.

This is similar to envsubst, but more ergonomic:

* no need to explicitly list all variables
* throw error on missing variables
* do not replace nginx vars like $host, $request_uri with empty strings (in contrast to envsubst when executed without an explicit variable list)

There are a couple of changes which may break existing deployments:

* changing client-config.json.template
* requiring all substituted variable to be defined

Closes getodk#473
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lognaturel lognaturel lognaturel approved these changes

@brontolosone brontolosone brontolosone approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

There is no need to explicitly list variables in envsubst

4 participants

@alxndrsn @lognaturel @tobiasmcnulty @brontolosone