Correct Handling of Secret Variables in Nested Templates
long-term
E
Evergreen Iguana
Summary:
We have identified an issue with the handling of secret variables in nested templates within Harness. Specifically, when a step template that accepts an input variable of type "secret" is used within a stage template, the secret value is not passed correctly.
Current Behavior:
A step template accepts an input variable of type "secret".
When this step template is used directly in a stage and a Harness secret is selected as the input value, the secret value is correctly retrieved and used within the step template.
However, when the step template is used within a stage template, and an input variable of type "secret" is defined for the stage template, the step template receives the string secrets.getValue('*******') instead of the actual secret value when populated with <+stage.variables.secretInput>.
Enhanced Behavior:
Correct Secret Handling in Nested Templates: Ensure that when a step template within a stage template receives an input variable of type "secret", the actual secret value is correctly passed and not the string secrets.getValue('*******').
Log In
Rohan Gupta
marked this post as
long-term
Rohan Gupta
marked this post as
pending feedback
Rohan Gupta
But ultimately it translates to that expression though, and subsequently we get the string text of the secret. How else would this be handled?
C
Coral reef Lungfish
Rohan Gupta "But ultimately it translates to that expression though" - this is incorrect. The step template receives as the value of the secret input variable, the STRING "secrets.getValue('***
')". The expected behavior would be for the step template variable to be populated with the RESULT of the expression secrets.getValue('
***'), not the expression itself. I.E. the step template should receive the string value of the secret. It isn't. It's receiving a string containing an expression.If you can, take a look at this pipeline execution and compare the output from the two stages. One stage calls the step template directly, the other uses a stage template to call the same step template. The step template accepts a secret input variable. The stage which calls the step template directly, passing a fixed input secret works as expected.
The stage which uses a stage template to call the step template, passing a stage input secret variable to the step secret variable clearly shows the unexpected results. https://app.harness.io/ng/account/_FIOupnPRta-qHD7erAz7g/module/cd/orgs/regionsappdev/projects/ALMv35/pipelines/cb_cascading_secrets/executions/gAeRd47IQPKLByxpJ_8zcQ/pipeline?stage=tyey2TKnT2K7xeAZsUDsDg