genJqSecretsReplacementSnippet: Propagate secret file read errors
If an error occurs while trying to read a secret file, we want that error to propagate to the main shell context. That means we have to set the `inherit_errexit` option, which allows errors from subshells to propagate to the outer shell. Also, the subshell cannot run as part of another command, such as `export`, since that will simply ignore the subshell exit status and only respect `export`'s exit status; first assigning the value to a variable and then exporting it solves the issue.
parent
689b76bcf3
commit
95069d76d3
1 changed files with 8 additions and 1 deletions
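The behaviour the commit message describes, as an added demonstration that is not part of the commit. Each function runs a snippet in a fresh `bash` with `set -e` and prints `reached` only if the shell survived the snippet; the file path and all function names are constructed for illustration.

```shell
# Added demonstration, not code from the commit.
# Requires bash >= 4.4 on PATH (for the inherit_errexit option).

# Constructed path that does not exist, standing in for an unreadable secret.
missing=/nonexistent/secret-file

# Run a snippet in a fresh bash with errexit enabled.
# Prints "reached" only if the snippet did not abort the shell.
run_snippet() {
  bash -c "set -e; $1; echo reached" 2>/dev/null
}

# Old form: export's own exit status (0) hides the failed read.
export_masks_failure() {
  run_snippet "export s=\$(<'$missing')"
}

# New form: a plain assignment takes the substitution's status, so errexit fires.
assign_then_export() {
  run_snippet "s=\$(<'$missing'); export s"
}

# Multi-command substitution, default options: the subshell does not
# inherit errexit, so 'false' is ignored and the last command's status wins.
multi_cmd_default() {
  run_snippet "s=\$(false; echo partial); export s"
}

# Same substitution with inherit_errexit: the subshell stops at 'false'
# and the failure reaches the outer shell through the assignment.
multi_cmd_inherit() {
  run_snippet "shopt -s inherit_errexit; s=\$(false; echo partial); export s"
}
```

Only `export_masks_failure` and `multi_cmd_default` print `reached`; the other two abort with a non-zero status, which is the propagation the commit is after.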
|
@ -149,10 +149,16 @@ rec {
|
||||||
if [[ -h '${output}' ]]; then
|
if [[ -h '${output}' ]]; then
|
||||||
rm '${output}'
|
rm '${output}'
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
inherit_errexit_restore=$(shopt -p inherit_errexit)
|
||||||
|
shopt -s inherit_errexit
|
||||||
''
|
''
|
||||||
+ concatStringsSep
|
+ concatStringsSep
|
||||||
"\n"
|
"\n"
|
||||||
(imap1 (index: name: "export secret${toString index}=$(<'${secrets.${name}}')")
|
(imap1 (index: name: ''
|
||||||
|
secret${toString index}=$(<'${secrets.${name}}')
|
||||||
|
export secret${toString index}
|
||||||
|
'')
|
||||||
(attrNames secrets))
|
(attrNames secrets))
|
||||||
+ "\n"
|
+ "\n"
|
||||||
+ "${pkgs.jq}/bin/jq >'${output}' '"
|
+ "${pkgs.jq}/bin/jq >'${output}' '"
|
||||||
|
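Review bot: The save line `inherit_errexit_restore=$(shopt -p inherit_errexit)` can itself abort the script. `shopt -p` returns a non-zero status when the named option is disabled, which is the default for `inherit_errexit`, and a plain assignment takes the status of its command substitution, so under `set -e` the snippet would exit here before any secret is read. Append `|| true` to that assignment, or record the state with `shopt -q inherit_errexit` in a conditional and restore from that flag. A short comment above the new `secret…=$(<…)` / `export secret…` pair explaining why they are split would also keep a later cleanup from merging them back into a single `export`.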
@ -164,6 +170,7 @@ rec {
|
||||||
' <<'EOF'
|
' <<'EOF'
|
||||||
${builtins.toJSON set}
|
${builtins.toJSON set}
|
||||||
EOF
|
EOF
|
||||||
|
$inherit_errexit_restore
|
||||||
'';
|
'';
|
||||||
|
|
||||||
systemdUtils = {
|
systemdUtils = {
|
||||||
|
|
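Review bot: `$inherit_errexit_restore` after the heredoc executes the contents of a variable as a command, unquoted, and an empty value turns it into a silent no-op, so the restore depends on the earlier capture having produced exactly one `shopt` command. An explicit form, such as a saved flag followed by `shopt -u inherit_errexit` when the option was originally off, is easier to audit. The change as a whole only has an effect when the calling script runs with errexit, which these lines neither show nor document; a comment stating that requirement next to the restore would help.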