Ability to use commands for default values used in variables

[skalar-bcawkwell]

Is your feature request related to a problem?

In our project our local development environment need a lot of third party API keys. These keys are stored in a password manager (specifically 1Password) and up until now prompted the developer to enter each key manually using something like:

vars:
  SECRET_KEY1:
    question: "API key for X (check 1Password)"
    source: all

This was tedious (because there are so many keys), and often led to problems later because some keys had been skipped or the wrong one used etc.

Since 1Password provides a CLI, I decided to use the CLI to fetch the values and use them as the default. After some experimentation I ended up with something like:

vars:
  DEFAULT_SECRET_KEY1:
    command: op
    args: ["read", "op://something"]
  SECRET_KEY1:
    question: "API key for X (check 1Password)"
    source: all
    default: ${DEFAULT_SECRET_KEY1}

This works fine, but with the following caveats:

• When running devspace list vars you see all the extra DEFAULT_X variables. Not a biggy, just slightly annoying.
• Running any devspace command means resolving all the default values, so the op commands all need to be executed before devspace can proceed. As it happens, the op command is a bit slow, so this makes running any devspace command now much slower than before.
• Since the op command is reading data from 1Password, you must unlock 1Password to run any devspace command, even though no secrets are required.

Which solution do you suggest?

My proposal is that the default option has support to run commands. This would:

• Avoid the need for an intermediate variable (eg. DEFAULT_SECRET_KEY1 in my example above`).
• In theory, would only run the command if the variable in question is not already set (because of the variables cache).

I have no strong opinions on exactly how it would be defined. I did try different approaches in case they worked, for example I noticed support for expressions but they do not currently work under the vars section, I also tried using $(op read "op://something") as a value for default but it is not evaluated.

Which alternative solutions exist?

My example above does work, but means every devspace command is much slower to run.

  DEFAULT_SECRET_KEY1:
    command: op
    args: ["read", "op://something"]
  SECRET_KEY1:
    question: "API key for X (check 1Password)"
    source: all
    default: ${DEFAULT_SECRET_KEY1}

And for now I will just accept it as not perfect, I have looked into whether we can use the op command to generate all the default environment variable (possibly as an .env file), and then only do that when we first setup the project. Unfortunately I could not find a way in devspace to run something automatically if a variable is missing in the variables cache, so it would have to be something documented in our README for when you first run devspace. I also do not want developers stuck with a plain text file with all the secrets fetched from 1Password on their local machine for obvious reasons ;)

Additional context

Another use case I found, is using a command like openssl to generate a default random password, but still allow developers to set their own password if they prefer, eg:

  DEFAULT_SOME_PASSWORD: $(openssl rand -base64 21)
  SOME_PASSWORD:
    question: "What password?"
    source: input
    default: ${DEFAULT_SOME_PASSWORD}