
ddev: add trusted _fetch_command secret resolution to config fields#23050

Draft
nubtron wants to merge 6 commits into master from ddev-secret-feature-docs

Conversation

@nubtron
Contributor

@nubtron nubtron commented Mar 25, 2026

Summary

  • Adds *_fetch_command config fields for all secret-bearing ddev config keys (github, pypi, trello, orgs.<name>, dynamicd), resolved lazily via shell command execution
  • Adds trust-gating for _fetch_command fields in local .ddev.toml overrides via ddev config allow / ddev config deny commands
  • Integrates DynamicD key lookup through model-backed resolvers
  • Scrubs secret values (including command-backed fields) from ddev config show output
  • Adds public docs for the feature

Test plan

  • Unit tests for command_resolver.py, override_trust.py, scrubber.py, config model changes
  • Tests for config allow / config deny CLI commands
  • Tests for config show redaction behavior
  • Tests for lazy resolution (command not called until value is needed)

…ynamicD.

This introduces trust-gated local override handling, actionable command-resolution errors, and centralized scrubbing so secret values and fetch-command fields are resolved safely and redacted consistently.
…ommand-secret loading lazy.

This routes DynamicD key lookup through model-backed resolvers and aligns newly added files with 2026-present Datadog license headers.
This keeps parse_fields focused on type validation for fetch-command fields, while preserving on-demand resolution and extending hidden/scrubbed handling to trello.key.
Add public ddev docs for *_fetch_command secret fields, trust-gated .ddev.toml overrides, and config allow/deny usage, including troubleshooting and redaction guidance.
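The description above lists four properties: lazy resolution, trust-gating of local overrides, actionable errors and redaction in `config show`. The following is an added illustration of how those properties fit together, not code from this PR or from ddev; `TrustStore`, `SecretField`, `Config`, `build_demo_config` and the key names are hypothetical, and binding trust to the override file's content hash is an assumed design choice rather than something the PR states. The constructed fetch commands use `sys.executable` so they run identically on every platform.

```python
# Added illustration (not ddev's code): lazy, trust-gated *_fetch_command resolution
# with scrubbing. All class, function and key names here are hypothetical.
import hashlib
import shlex
import subprocess
import sys
from dataclasses import dataclass, field
from typing import Dict, Optional

REDACTED = "<redacted>"


class UntrustedOverrideError(Exception):
    """A _fetch_command came from a local .ddev.toml that has not been allowed."""


class FetchCommandError(Exception):
    """The fetch command failed; the message names the field and the cause."""


class TrustStore:
    """What `config allow` / `config deny` would maintain. Assumed design: trust is
    bound to the override file's content hash, so editing it revokes trust."""

    def __init__(self) -> None:
        self._allowed: Dict[str, str] = {}  # path -> sha256 of content when allowed

    @staticmethod
    def digest(content: str) -> str:
        return hashlib.sha256(content.encode()).hexdigest()

    def allow(self, path: str, content: str) -> None:
        self._allowed[path] = self.digest(content)

    def deny(self, path: str) -> None:
        self._allowed.pop(path, None)

    def is_trusted(self, path: Optional[str], content: str) -> bool:
        return path is not None and self._allowed.get(path) == self.digest(content)


@dataclass
class SecretField:
    key: str                             # e.g. "github.token"
    value: Optional[str] = None          # literal secret, if configured
    fetch_command: Optional[str] = None  # command whose stdout is the secret
    source: str = "global"               # "global" config or "local" .ddev.toml override
    cached: Optional[str] = None         # set after the first successful run
    runs: int = 0                        # how many times the command actually executed

    def resolve(self, trusted_local: bool) -> str:
        if self.value is not None:
            return self.value
        if self.fetch_command is None:
            raise FetchCommandError(f"{self.key}: neither a value nor {self.key}_fetch_command is set")
        if self.source == "local" and not trusted_local:
            raise UntrustedOverrideError(
                f"{self.key}_fetch_command is defined in a local override that is not trusted; "
                "review the command and allow the file before it can run")
        if self.cached is None:
            self.runs += 1
            argv = shlex.split(self.fetch_command)  # POSIX quoting, no shell interpretation
            try:
                proc = subprocess.run(argv, capture_output=True, text=True, check=True, timeout=30)
            except subprocess.CalledProcessError as exc:
                raise FetchCommandError(
                    f"{self.key}_fetch_command exited {exc.returncode}: {exc.stderr.strip()}") from exc
            self.cached = proc.stdout.strip()
            if not self.cached:
                raise FetchCommandError(f"{self.key}_fetch_command printed nothing on stdout")
        return self.cached


@dataclass
class Config:
    fields: Dict[str, SecretField]
    local_path: Optional[str] = None  # path of the .ddev.toml override in effect, if any
    local_content: str = ""           # its contents (constructed inline in the demo)
    trust: TrustStore = field(default_factory=TrustStore)

    def get(self, key: str) -> str:
        """Resolve on demand; local command-backed fields require an allowed override."""
        f = self.fields[key]
        trusted = f.source != "local" or self.trust.is_trusted(self.local_path, self.local_content)
        return f.resolve(trusted)

    def show(self) -> Dict[str, str]:
        """What `config show` prints: secret keys and command-backed keys are redacted,
        and nothing is resolved, so display can never run an untrusted command."""
        out: Dict[str, str] = {}
        for key, f in self.fields.items():
            if f.value is not None:
                out[key] = REDACTED
            if f.fetch_command is not None:
                out[f"{key}_fetch_command"] = REDACTED
        return out


def build_demo_config() -> Config:
    """Constructed sample: one working command, one literal, one failing local command."""
    ok_cmd = " ".join(shlex.quote(p) for p in [sys.executable, "-c", "print('tok-constructed-123')"])
    bad_cmd = " ".join(shlex.quote(p) for p in [sys.executable, "-c", "import sys; sys.exit(3)"])
    return Config(
        fields={
            "github.token": SecretField("github.token", fetch_command=ok_cmd),
            "pypi.auth": SecretField("pypi.auth", value="literal-constructed"),
            "trello.key": SecretField("trello.key", fetch_command=bad_cmd, source="local"),
        },
        local_path=".ddev.toml",
        local_content='[trello]\nkey_fetch_command = "<constructed>"\n',
    )
```

Calling `show()` before any `get()` leaves `runs` at 0 for every field, which is the lazy-resolution check from the test plan; a second `get()` of the same key returns the cached value without re-running the command, and a local field raises `UntrustedOverrideError` until `trust.allow()` has been called for the current file contents.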

@codecov

codecov bot commented Mar 25, 2026

Codecov Report

❌ Patch coverage is 95.08368% with 47 lines in your changes missing coverage. Please review.
✅ Project coverage is 90.30%. Comparing base (a426069) to head (4eba91e).
⚠️ Report is 214 commits behind head on master.


Replace `echo ""` (prints literal `""` on Windows) and `/dev/null`
redirection with `sys.executable`-based Python one-liners that produce
the same behaviour on all platforms.