
feat: read sensitive CLI flags from environment variables #521

Open
itayvolo wants to merge 1 commit into robusta-dev:main from itayvolo:feat/envvar-fallback-for-secret-cli-flags

Conversation

@itayvolo

Summary

Adds envvar= to the Typer options for five sensitive CLI flags so they can be supplied via environment variables instead of command-line args. CLI args still take precedence when both are set, so this is fully backward-compatible.

| Flag | New env var |
|---|---|
| `--prometheus-auth-header` | `PROMETHEUS_AUTH_HEADER` |
| `--eks-access-key` | `EKS_ACCESS_KEY` |
| `--eks-secret-key` | `EKS_SECRET_KEY` |
| `--coralogix-token` | `CORALOGIX_TOKEN` |
| `--teams-webhook` | `TEAMS_WEBHOOK` |

Help text for each flag is updated to note the env-var alternative. No behavior changes when the env vars are unset.

Motivation

When running KRR as a scheduled Kubernetes job (CronJob, Argo CronWorkflow, etc.), tokens currently have to be passed on the command line — typically via shell expansion of env vars mounted from a Secret. This leaves the token visible to ps inside the container.

With envvar=, the same Secret can be mounted as env vars and KRR's Pydantic BaseSettings picks them up directly. Tokens never appear in argv.

This matches the pattern KRR already uses for SLACK_BOT_TOKEN, which is env-only.

Why these five fields

These are the CLI flags whose values are credentials or signed URLs. Other flags (e.g. --prometheus-url, --slackoutput) are not sensitive and the existing CLI-only behavior is fine for them — though envvar= could be added to those too in a follow-up if useful.

Backward compatibility

  • No flag removed, renamed, or repurposed.
  • CLI args still override env vars (Typer's default precedence).
  • Existing deployments that pass these flags on the CLI continue to work unchanged.

Example

Before:

```yaml
args:
  - sh
  - -c
  - 'python krr.py simple --coralogix-token "$CORALOGIX_TOKEN" --slackoutput "#infra-cost"'
env:
  - name: CORALOGIX_TOKEN
    valueFrom: { secretKeyRef: { name: krr, key: CORALOGIX_TOKEN } }
```

After:

```yaml
args: ["simple", "--slackoutput", "#infra-cost"]
env:
  - name: CORALOGIX_TOKEN
    valueFrom: { secretKeyRef: { name: krr, key: CORALOGIX_TOKEN } }
  - name: SLACK_BOT_TOKEN
    valueFrom: { secretKeyRef: { name: krr, key: SLACK_BOT_TOKEN } }
```

Happy to add tests or split into multiple commits/PRs if that fits your review preferences — let me know.

Adds `envvar=` to the Typer options for five sensitive CLI flags so they can
be supplied via environment variables instead of command-line args:

- `--prometheus-auth-header` → `PROMETHEUS_AUTH_HEADER`
- `--eks-access-key`        → `EKS_ACCESS_KEY`
- `--eks-secret-key`        → `EKS_SECRET_KEY`
- `--coralogix-token`       → `CORALOGIX_TOKEN`
- `--teams-webhook`         → `TEAMS_WEBHOOK`

CLI args still take precedence when both are set, so this is fully
backward-compatible.

Motivation: running KRR as a Kubernetes CronJob/CronWorkflow today requires
passing tokens on the command line (via shell expansion of env vars), which
leaves them visible to `ps` inside the container. With `envvar=` they can be
mounted from a Kubernetes Secret as env vars and never appear in argv. This
matches the pattern KRR already uses for `SLACK_BOT_TOKEN` (env-only).
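The precedence rule the PR relies on (explicit CLI value wins, otherwise the environment variable), re-created here as an added example that is not code from the PR or from KRR: it uses the standard-library argparse as a stand-in for Typer's `envvar=`, takes the five flag/env-var pairs from the PR's table, and adds a small audit helper that reports which resolved secrets are visible in argv (the `ps` exposure the PR is removing). The argv and environment samples are constructed.

```python
import argparse
from typing import Dict, List, Mapping, Optional

# Flag -> env var mapping, taken from the PR's table.
SENSITIVE_FLAGS: Dict[str, str] = {
    "--prometheus-auth-header": "PROMETHEUS_AUTH_HEADER",
    "--eks-access-key": "EKS_ACCESS_KEY",
    "--eks-secret-key": "EKS_SECRET_KEY",
    "--coralogix-token": "CORALOGIX_TOKEN",
    "--teams-webhook": "TEAMS_WEBHOOK",
}


def build_parser() -> argparse.ArgumentParser:
    """Hypothetical stand-in for the KRR strategy command; not KRR's real parser."""
    parser = argparse.ArgumentParser(prog="krr")
    parser.add_argument("strategy")          # e.g. "simple"
    parser.add_argument("--slackoutput")     # not sensitive, stays CLI-only
    for flag, env in SENSITIVE_FLAGS.items():
        parser.add_argument(flag, dest=env, default=None,
                            help=f"can also be set via the {env} environment variable")
    return parser


def resolve_secrets(argv: List[str], environ: Mapping[str, str]) -> Dict[str, Optional[str]]:
    """Same precedence as Typer's envvar=: CLI value if given, else the env var, else None."""
    ns = build_parser().parse_args(argv)
    resolved: Dict[str, Optional[str]] = {}
    for env in SENSITIVE_FLAGS.values():
        cli_value = getattr(ns, env)
        resolved[env] = cli_value if cli_value is not None else environ.get(env)
    return resolved


def secrets_visible_in_argv(argv: List[str], resolved: Mapping[str, Optional[str]]) -> List[str]:
    """Names of secrets whose value appears in argv, i.e. in `ps` or /proc/<pid>/cmdline.

    Matches both the `--flag VALUE` and the `--flag=VALUE` spellings.
    """
    return [env for env, value in resolved.items()
            if value and any(value in token for token in argv)]


if __name__ == "__main__":
    env = {"CORALOGIX_TOKEN": "ctok-constructed"}  # constructed, as if mounted from a Secret
    after = ["simple", "--slackoutput", "#infra-cost"]
    print(secrets_visible_in_argv(after, resolve_secrets(after, env)))    # []
    before = ["simple", "--coralogix-token", "ctok-constructed"]
    print(secrets_visible_in_argv(before, resolve_secrets(before, env)))  # ['CORALOGIX_TOKEN']
```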
@coderabbitai

coderabbitai Bot commented May 11, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 766bbd91-d711-48de-80d3-88e29583c800

📥 Commits

Reviewing files that changed from the base of the PR and between 4465a10 and fa8f13c.

📒 Files selected for processing (1)
  • robusta_krr/main.py

Walkthrough

This PR extends five CLI strategy command options to accept values via environment variables. The --prometheus-auth-header, --eks-access-key, --eks-secret-key, --coralogix-token, and --teams-webhook flags now map to their corresponding environment variables (PROMETHEUS_AUTH_HEADER, EKS_ACCESS_KEY, EKS_SECRET_KEY, CORALOGIX_TOKEN, TEAMS_WEBHOOK) respectively.

Changes

Environment Variable Configuration

| Layer / File(s) | Summary |
|---|---|
| CLI Environment Variable Mapping (`robusta_krr/main.py`) | Prometheus, EKS, Coralogix, and Teams webhook CLI options add an `envvar` parameter to accept values from environment variables in addition to command-line flags. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 33.33%, which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately and specifically summarizes the main change: extending CLI flags to accept values from environment variables. |
| Description check | ✅ Passed | The description is thorough and directly related to the changeset, explaining motivation, implementation details, backward compatibility, and providing concrete examples. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@CLAassistant

CLAassistant commented May 11, 2026

CLA assistant check
All committers have signed the CLA.
