Ensure secret envs are present

README.md

@@ -91,6 +91,8 @@ env:
 
 The list of secret env variables will be expanded at run time from your local machine. So a reference to a secret `DATABASE_PASSWORD` will look for `ENV["DATABASE_PASSWORD"]` on the machine running MRSK. Just like with build secrets.
 
+If the referenced secret ENVs are missing, the configuration will be halted with a `KeyError` exception.
+
 Note: Marking an ENV as secret currently only redacts its value in the output for MRSK. The ENV is still injected in the clear into the container at runtime.
 
 

lib/mrsk/configuration.rb

@@ -140,7 +140,7 @@ class Mrsk::Configuration
     end
 
     def expand_env_secrets
-      config.env["secret"].to_h { |key| [ key, ENV[key] ] }
+      config.env["secret"].to_h { |key| [ key, ENV.fetch(key) ] }
     end
 end
 

test/configuration_test.rb

@@ -113,6 +113,16 @@ class ConfigurationTest < ActiveSupport::TestCase
     ENV["PASSWORD"] = nil
   end
 
+  test "env args with missing secret" do
+    config = Mrsk::Configuration.new(@deploy.tap { |c| c.merge!({ 
+      env: { "secret" => [ "PASSWORD" ] } 
+    }) })
+
+    assert_raises(KeyError) do
+      assert_equal [ "-e", "PASSWORD=secret123" ], config.env_args
+    end
+  end
+
   test "ssh options" do
     assert_equal "root", @config.ssh_options[:user]