Add sprig function library for templating#1542
Merged
alemorcuq merged 1 commit into bitnami-labs:main on Jun 10, 2024
Conversation
This fixes bitnami-labs#1534 and bitnami-labs#1193. Signed-off-by: Jeremy Fleischman <[email protected]>
jfly (Contributor, Author) commented Jun 7, 2024:

Oh yikes. Sorry, I am a complete Go noob. sprig should definitely not be an indirect dependency. Fixed!
alemorcuq (Contributor) approved these changes Jun 10, 2024:

Thanks @jfly!
alvneiayu pushed a commit that referenced this pull request on Mar 27, 2025:
…nctions (#1703)

**Description of the change**

Fixing potential controller environment exposure by removing some sprig template functions:
- `env`, `expandenv` - controller environment variables exposure (which can contain sensitive data)
- `getHostByName` - adds the possibility to resolve DNS entries from templates, which is not secure in some cases

This potential exposure was added by PR #1542, where the security risks were described in the "possible drawbacks" section.

Also, the sprig func map is now initialized during module initialization and reused for rendering, which may improve performance.

In fact it is just a port of the [argocd](https://github.com/argoproj/argo-cd/blob/v2.11.3/applicationset/utils/utils.go#L31-L34) solution, which is described in the initial PR #1542.

**Benefits**
- Fix potential controller sensitive data exposure
- Improve rendering performance

**Possible drawbacks**
None

**Applicable issues**

**Additional information**

Signed-off-by: Artur Kraev <[email protected]>
This fixes #1534 and #1193.
Description of the change
Add sprig function library for templating
Benefits
As described in #1534, this lets people safely generate more types of configuration (such as yaml files) and safely and correctly escape passwords.
Possible drawbacks
I have not removed `env`, `expandenv`, and `getHostByName`, as argocd does. I suppose there's some security concern here? Happy to filter them out if folks like.
Applicable issues
Additional information
Thanks for the consideration!
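The filtering that the "Possible drawbacks" section above leaves open and that the #1703 commit message later implements, as an added Go example that is not sealed-secrets or argocd code. sprig itself is not imported: the example builds a stand-in FuncMap whose `env`, `expandenv` and `getHostByName` entries are standard-library implementations under the same names, deletes those three entries the way argocd does, and shows that a template calling `env` then fails at parse time while a benign `quote` call (the password-escaping use case from the Benefits section) still renders. The `CONTROLLER_TOKEN` variable, the template strings and the `Render`/`SafeFuncMap` helper names are constructed for this example.

```go
package main

import (
	"bytes"
	"fmt"
	"net"
	"os"
	"strings"
	"text/template"
)

// fullFuncMap is a constructed stand-in for the sprig FuncMap. The three
// sensitive entries mirror the names and behaviour of the sprig functions
// removed in #1703; "upper" and "quote" stand for the many harmless helpers.
func fullFuncMap() template.FuncMap {
	return template.FuncMap{
		"env":       os.Getenv,    // reads the controller's own environment
		"expandenv": os.ExpandEnv, // same, via $VAR expansion inside a string
		"getHostByName": func(name string) string { // template-driven DNS lookup
			addrs, err := net.LookupHost(name)
			if err != nil || len(addrs) == 0 {
				return ""
			}
			return addrs[0]
		},
		"upper": strings.ToUpper,
		"quote": func(s string) string { return fmt.Sprintf("%q", s) },
	}
}

// unsafeFuncs are the functions that leak the controller environment or let a
// template trigger DNS resolution; the same list argocd deletes from sprig.
var unsafeFuncs = []string{"env", "expandenv", "getHostByName"}

// SafeFuncMap returns a copy of in with the unsafe functions removed. The input
// map is left untouched so the caller can build the filtered map once at init.
func SafeFuncMap(in template.FuncMap) template.FuncMap {
	out := make(template.FuncMap, len(in))
	for k, v := range in {
		out[k] = v
	}
	for _, name := range unsafeFuncs {
		delete(out, name)
	}
	return out
}

// Render parses and executes tmpl with funcs. A call to a function that is not
// in the map is rejected by Parse, so nothing runs before the check.
func Render(funcs template.FuncMap, tmpl string, data interface{}) (string, error) {
	t, err := template.New("secret").Funcs(funcs).Parse(tmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	os.Setenv("CONTROLLER_TOKEN", "constructed-secret-value") // constructed sample env var
	leak := `token: {{ env "CONTROLLER_TOKEN" }}`
	legit := `password: {{ quote .Password }}`
	data := map[string]string{"Password": `p@ss"word`}

	out, err := Render(fullFuncMap(), leak, data)
	fmt.Printf("unfiltered: %q err=%v\n", out, err) // leaks the token

	safe := SafeFuncMap(fullFuncMap())
	out, err = Render(safe, leak, data)
	fmt.Printf("filtered:   %q err=%v\n", out, err) // parse error: function "env" not defined

	out, err = Render(safe, legit, data)
	fmt.Printf("legit:      %q err=%v\n", out, err) // quote still escapes the password
}
```

Deleting from the FuncMap is preferable to checking template text for the function names: text/template resolves functions at parse time, so a missing entry is a hard error regardless of how the call is spelled or nested, and the filtered map can be built once and shared across renders.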