Increase --raw readability

[MatthiasKunnen]

Which component:
kubeseal v0.17.5

Is your feature request related to a problem? Please describe.
The output of --raw when reading from stdin can be confusing in the terminal since the resulting sealed secret is not separated from the input.

Use case explained: to prevent credentials from being stored in .bash_history, I use kubeseal as follows:

me@machine:~$ kubeseal --raw --from-file=/dev/stdin --name api-secret
secret[CTRL+D][CTRLD+D]

this results in

bash

me@machine:~$ kubeseal --raw --from-file=/dev/stdin --name api-secret
secretAgChx0O7SeSnISjeaF8G+/.../ajUGQ=me@machine:~$

zsh

me@machine:~$ kubeseal --raw --from-file=/dev/stdin --name api-secret
secretAgChx0O7SeSnISjeaF8G+/.../ajUGQ=%
me@machine:~$

Now you'll have to be very careful not to accidentally copy the secret before the actual encrypted content and the prompt/percent sign that follows.

Describe the solution you'd like
Either detect tty or add a --human/--formatted/--pretty that adds padding to the commands output.

Suggested output:

me@machine:~$ kubeseal --raw --from-file=/dev/stdin --name api-secret
Enter the secret and end with CTRL+D twice:
top-secret-value-here <-- this gets entered by the user followed by double CTRL+D

Secret:
AgBDtACVq1KlnbTXvEiCXtY+eE8QvuoexnWlPOOXlG+B9mPqPNX+H2qYSskvHdJoB0d6LpfbXDMGGy0p/PnrBdLMkp8UmukCe7rjmPdOvgx2v8b4JgtJvxW39rGVvVoqkDF1mm0BocVrM7L27R5Hbmw/8GQzXoeTrd4V+euoQdFPb/yP5hOCuLI1D69tC+7kNF+TwRSQQ2Pl/niYk5X7CueohF5klrMqtmeK3ZSivaU25ais22ggKSVW3OBjcS3lHnkceFcDwMPJruhfFggySOA9bskZpVFB6SOscMpU0ZkEifRHh6v8NOvGqmNrOni86SxNCVWYZTo6+7Qti1Db4O/sQ2G2fQZKM4VdFce+4LrF/Z6OlfnvYlztiOtutmRVtQy5Hi8NEX5g81UDusouYqtU9ZPnVMTOexzHcglXBW6rBvZfJt1Vg3YXTzqe1DFR6vML9vhTZcXsmasT2RXi3H1z7yCB2nLMEETRJkTBwEsX7V74Khq+PBbk514N7+Fxv+KCHHirnSxyHeZsMfBN9WvoUTMXjVVM8k7EW9h7KnSyreCMj/Cl8wUq9bH8ORo+gK+Tg5ayB6eMhqNYcHoBsIbMGB53ESUqBkh00HuTWESuoWecPxONQ6FXM6NDN/I+6zraeGkaBj++4zy1nNaHXskO5MEPYcUEi4VmgxiBAd3fNgjRQYenv2EpLiepx/t3Nno7XKc=
me@machine:~$ kubeseal --raw --from-file=/dev/stdin --name api-secret

Describe alternatives you've considered
I have made a small bash script that accomplishes this:

#!/usr/bin/env bash

echo "Enter the secret and end with CTRL+D twice:"
STDIN=$(cat)

echo -e "\n\nSecret:"
echo -n "$STDIN" | kubeseal --raw --from-file=/dev/stdin "$@"
echo ""

It can be used like this ./seal.sh --name api-secrets

[alvneiayu]

hi @MatthiasKunnen

First of all, thanks a lot for opening an issue for this request. We have two different options to solve this problem:

1. Include the '\n' printing the output in the --raw flag. This is going to generate a really big impact for the users. If they have scripts using the flag, we are going to change the behavior.
2. Include a new flag for padding the output (as you suggested). We are trying to control the flags that we are including in our commands. As you can see, we have a lot of options already included and we need to be carefully to include new ones. We can not overload the commands with a lot of flags, this will reduce the usability.

As you said, with one bash script you can control and fix the problem. So, I think that the impact of this request will be really high and you can avoid it using a bash script as you shared.

Again thanks a lot for sharing your script to solve the problem. It will be really helpful for the community. Unfortunately, we think that this request will generate more impact than benefits.

Álvaro

[MatthiasKunnen]

Hi @alvneiayu, thank you for your response!

Regarding 2, I understand your hesitance to adding more flags though it has to be weighed against users having to maintain their own scripts to process kubeseal output.

If they have scripts using the flag, we are going to change the behavior.

There is actually a way to prevent behavior change for users that use --raw from scripts/pipes AND pad the result when human readability is preferred.

The script below only pads the output when a terminal is attached.

#!/usr/bin/env bash

if [ -t 1 ]; then
    echo -n "Output: "
fi

echo "content"

Examples:

This behavior is consistent with ansible-vault. If a terminal is detected, helpful instructions are printed:

[github-actions]

This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.

[alvneiayu]

hi @MatthiasKunnen

We are open to receive PR, I will be really happy to review it. So, I invite you to send a PR with a possible solution to this.

Thanks a lot

Álvaro

[MatthiasKunnen]

Thank you for considering it! I'd love to make a PR but I cannot promise to accomplish this in the short term due to limited time and lack of experience with Go. I'll add it to my todo list and hope that I will get to it sooner rather than later.