cli icon indicating copy to clipboard operation
cli copied to clipboard
verified publisher icon rancher

Add External Config Helper Support for Enhanced Credential Management

Open gregod-com opened this issue 8 months ago • 0 comments

Summary

This PR implements external config helper functionality for the Rancher CLI, enabling integration with external credential management systems, password managers, and CI/CD pipelines.

Motivation

Users and organizations often need to integrate the Rancher CLI with their existing credential management infrastructure rather than storing sensitive credentials in local files. This feature addresses that need by providing a pluggable config helper system, similar to Hashicorp Vault credential helper or AWS CLI credential helper.

What's Changed

Core Features

  • New CLI Flag: --config-helper with RANCHER_CONFIG_HELPER environment variable support
  • Helper Protocol: Simple get/store command interface with JSON config exchange
  • Backward Compatibility: Default "built-in" helper maintains existing file-based behavior
  • Documentation: Complete README section with examples and integration patterns

Implementation Details

  • Config Loading: config.LoadWithHelper() function for external helper support
  • Config Writing: Helper-aware Config.Write() method with automatic helper detection
  • CLI Integration: Modified loadConfig() in cmd/common.go to respect helper settings

Use Cases Enabled

  • Corporate credential management systems
  • Cloud provider secret stores (AWS Secrets Manager, Azure Key Vault, etc.)
  • CI/CD pipeline secret injection
  • Multi-environment configuration management
  • Password manager integration

Testing

Comprehensive Test Coverage

  • Unit Tests: All config helper functions with edge cases
  • Integration Tests: End-to-end helper protocol verification
  • Error Scenarios: Missing helpers, invalid JSON, command failures
  • Protocol Tests: Verify correct command/data exchange

Test Results

All tests pass including:

  • TestLoadWithHelper - External helper loading scenarios
  • TestConfigWrite - Config persistence with helpers
  • TestHelperProtocol - Command protocol verification
  • TestConfigHelperIntegration - End-to-end integration tests

Breaking Changes

None. This is a fully backward-compatible addition.

Usage Examples

Basic Usage

# Use external helper
rancher --config-helper /path/to/my-helper login

# Use environment variable
export RANCHER_CONFIG_HELPER=/path/to/my-helper
rancher login

# Explicit built-in (default behavior)
rancher --config-helper built-in login
# which is the same as:
rancher login

Example Helper Script

#!/bin/bash
case "$1" in
  get)
    # Load config from your external system
    gopass show -o -y rancher-config
    ;;

  store)
    # Store config to your external system
    echo $2 | gopass insert -f rancher-config
    ;;
  *)
    echo "Usage: $0 {get|store}"
    exit 1
    ;;
esac

Files Changed

  • main.go: Added --config-helper CLI flag
  • cmd/common.go: Modified loadConfig() for helper support
  • config/config.go: Added helper loading/writing functionality
  • config/config_test.go: Comprehensive test suite
  • cmd/common_test.go: Integration tests
  • README.md: Complete documentation with examples

Documentation

The README now includes a dedicated "External Config Helper Support" section with:

  • Usage instructions and examples
  • Helper creation guide with sample script
  • Integration patterns and use cases
  • Complete API reference

Type: Feature Breaking Changes: None Documentation: Updated README with comprehensive guide Testing: Full test coverage with integration tests

gregod-com avatar May 29 '25 16:05 gregod-com