From fa8f13ce77e815be036635516c4c88fafa0e97d7 Mon Sep 17 00:00:00 2001 From: itayvolo Date: Mon, 11 May 2026 10:30:40 +0300 Subject: [PATCH] feat: read sensitive CLI flags from environment variables MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Adds `envvar=` to the Typer options for five sensitive CLI flags so they can be supplied via environment variables instead of command-line args: - `--prometheus-auth-header` → `PROMETHEUS_AUTH_HEADER` - `--eks-access-key` → `EKS_ACCESS_KEY` - `--eks-secret-key` → `EKS_SECRET_KEY` - `--coralogix-token` → `CORALOGIX_TOKEN` - `--teams-webhook` → `TEAMS_WEBHOOK` CLI args still take precedence when both are set, so this is fully backward-compatible. Motivation: running KRR as a Kubernetes CronJob/CronWorkflow today requires passing tokens on the command line (via shell expansion of env vars), which leaves them visible to `ps` inside the container. With `envvar=` they can be mounted from a Kubernetes Secret as env vars and never appear in argv. This matches the pattern KRR already uses for `SLACK_BOT_TOKEN` (env-only). --- robusta_krr/main.py | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/robusta_krr/main.py b/robusta_krr/main.py
index c9da3009..dd6946dc 100644
--- a/robusta_krr/main.py
+++ b/robusta_krr/main.py
@@ -118,7 +118,8 @@ def run_strategy(
 prometheus_auth_header: Optional[str] = typer.Option(
 None,
 "--prometheus-auth-header",
- help="Prometheus authentication header.",
+ envvar="PROMETHEUS_AUTH_HEADER",
+ help="Prometheus authentication header. Can also be supplied via the PROMETHEUS_AUTH_HEADER environment variable.",
 rich_help_panel="Prometheus Settings",
 ),
 prometheus_other_headers: Optional[List[str]] = typer.Option(
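Review bot: With `envvar="PROMETHEUS_AUTH_HEADER"` on this option, a variable of that name already exported in the process environment for some other tool is now picked up without any flag being passed and presumably forwarded to whichever Prometheus endpoint is configured, so the change is not strictly backward-compatible; the same holds for `EKS_ACCESS_KEY`, `EKS_SECRET_KEY`, `CORALOGIX_TOKEN` and `TEAMS_WEBHOOK` in the later hunks. A project prefix such as `envvar="KRR_PROMETHEUS_AUTH_HEADER"` would narrow the collision surface, though it departs from the unprefixed `SLACK_BOT_TOKEN` convention the description cites, so at minimum the release notes should list the five names. Typer already shows the bound variable beside the option in `--help` (its `show_envvar` default), which makes the sentence appended to each `help=` string redundant. The `run_strategy` signature begins and ends outside the hunk.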
@@ -162,13 +163,15 @@ def run_strategy(
 eks_access_key: Optional[str] = typer.Option(
 None,
 "--eks-access-key",
- help="Sets the access key for eks prometheus connection.",
+ envvar="EKS_ACCESS_KEY",
+ help="Sets the access key for eks prometheus connection. Can also be supplied via the EKS_ACCESS_KEY environment variable.",
 rich_help_panel="Prometheus EKS Settings",
 ),
 eks_secret_key: Optional[str] = typer.Option(
 None,
 "--eks-secret-key",
- help="Sets the secret key for eks prometheus connection.",
+ envvar="EKS_SECRET_KEY",
+ help="Sets the secret key for eks prometheus connection. Can also be supplied via the EKS_SECRET_KEY environment variable.",
 rich_help_panel="Prometheus EKS Settings",
 ),
 eks_service_name: Optional[str] = typer.Option(
@@ -192,7 +195,8 @@ def run_strategy(
 coralogix_token: Optional[str] = typer.Option(
 None,
 "--coralogix-token",
- help="Adds the token needed to query Coralogix managed prometheus.",
+ envvar="CORALOGIX_TOKEN",
+ help="Adds the token needed to query Coralogix managed prometheus. Can also be supplied via the CORALOGIX_TOKEN environment variable.",
 rich_help_panel="Prometheus Coralogix Settings",
 ),
 openshift: bool = typer.Option(
@@ -311,7 +315,8 @@ def run_strategy(
 teams_webhook: Optional[str] = typer.Option(
 None,
 "--teams-webhook",
- help="Microsoft Teams webhook URL to send notifications when files are uploaded to Azure Blob Storage",
+ envvar="TEAMS_WEBHOOK",
+ help="Microsoft Teams webhook URL to send notifications when files are uploaded to Azure Blob Storage. Can also be supplied via the TEAMS_WEBHOOK environment variable.",
 rich_help_panel="Output Settings",
 ),
 azure_subscription_id: Optional[str] = typer.Option(
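Review bot: The `eks_access_key` / `eks_secret_key` hunk moves a long-lived key pair into the process environment, which keeps it out of argv but not out of `/proc/<pid>/environ`, inherited child-process environments, or anything that dumps the environment on error; the help text or README should say so and point users at a Secret reference (`valueFrom.secretKeyRef`) rather than a literal `value:` in the pod spec. Whether KRR falls back to the default AWS credential chain when both options are unset is not visible here; if it does, that is worth naming in the help as the preferred path on EKS. The diffstat shows only `robusta_krr/main.py` changed, so nothing pins the precedence the description claims; a small CLI test that sets `EKS_ACCESS_KEY` and also passes `--eks-access-key` would cover it.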