From 28be8dc0f0fae1e87bb34ec6cd108ba249ef1ce5 Mon Sep 17 00:00:00 2001
From: David Heinemeier Hansson <dhh@hey.com>
Date: Sun, 19 Feb 2023 17:42:30 +0100
Subject: [PATCH] Encourage registry password from ENV

---
 README.md                         |  3 ++-
 lib/mrsk/cli/templates/deploy.yml |  3 ++-
 lib/mrsk/commands/registry.rb     | 11 ++++++++++-
 test/commands/registry_test.rb    | 11 +++++++++++
 4 files changed, 25 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 0c53001c..e536c28b 100644
--- a/README.md
+++ b/README.md
@@ -14,7 +14,8 @@ servers:
   - 192.168.0.2
 registry:
   username: registry-user-name
-  password: <%= ENV.fetch("MRSK_REGISTRY_PASSWORD") %>
+  password:
+    - MRSK_REGISTRY_PASSWORD
 env:
   secret:
     - RAILS_MASTER_KEY
diff --git a/lib/mrsk/cli/templates/deploy.yml b/lib/mrsk/cli/templates/deploy.yml
index 0645f465..55c53149 100644
--- a/lib/mrsk/cli/templates/deploy.yml
+++ b/lib/mrsk/cli/templates/deploy.yml
@@ -13,7 +13,8 @@ registry:
   # Specify the registry server, if you're not using Docker Hub
   # server: registry.digitalocean.com / ghcr.io / ...
   username: my-user
-  password: my-password-should-go-somewhere-safe
+  password:
+    - MRSK_REGISTRY_PASSWORD
 
 # Inject ENV variables into containers (secrets come from .env).
 # env:
diff --git a/lib/mrsk/commands/registry.rb b/lib/mrsk/commands/registry.rb
index 4e9b1ce4..03304864 100644
--- a/lib/mrsk/commands/registry.rb
+++ b/lib/mrsk/commands/registry.rb
@@ -2,10 +2,19 @@ class Mrsk::Commands::Registry < Mrsk::Commands::Base
   delegate :registry, to: :config
 
   def login
-    docker :login, registry["server"], "-u", redact(registry["username"]), "-p", redact(registry["password"])
+    docker :login, registry["server"], "-u", redact(registry["username"]), "-p", redact(lookup_password)
   end
 
   def logout
     docker :logout, registry["server"]
   end
+
+  private
+    def lookup_password
+      if registry["password"].is_a?(Array)
+        ENV.fetch(registry["password"].first).dup
+      else
+        registry["password"]
+      end
+    end
 end
diff --git a/test/commands/registry_test.rb b/test/commands/registry_test.rb
index a866ff0c..01be2b34 100755
--- a/test/commands/registry_test.rb
+++ b/test/commands/registry_test.rb
@@ -19,6 +19,17 @@ class CommandsRegistryTest < ActiveSupport::TestCase
       @registry.login.join(" ")
   end
 
+  test "registry login with ENV password" do
+    ENV["MRSK_REGISTRY_PASSWORD"] = "more-secret"
+    @config[:registry]["password"] = [ "MRSK_REGISTRY_PASSWORD" ]
+
+    assert_equal \
+      "docker login hub.docker.com -u dhh -p more-secret",
+      @registry.login.join(" ")
+  ensure
+    ENV.delete("MRSK_REGISTRY_PASSWORD")
+  end
+
   test "registry logout" do
     assert_equal \
       "docker logout hub.docker.com",