lib/envflag: apply -secret.flags inside envflag.Parse function (2nd attempt) (#9963)

### Describe Your Changes The PR https://github.com/VictoriaMetrics/VictoriaMetrics/pull/9942 was reverted in c90c7c3123 because of the import cycle in the enterprise VM. Needs more work. ### Checklist The following checks are **mandatory**: - [ ] My change adheres to [VictoriaMetrics contributing guidelines](https://docs.victoriametrics.com/victoriametrics/contributing/#pull-request-checklist). - [ ] My change adheres to [VictoriaMetrics development goals](https://docs.victoriametrics.com/victoriametrics/goals/).
2026-05-17 00:26:36 +03:00 · 2025-11-12 19:23:51 +02:00
parent 1c7abd3137
commit 8dd905c7a9
7 changed files with 50 additions and 38 deletions
--- a/app/vmagent/main.go
+++ b/app/vmagent/main.go
@@ -111,7 +111,6 @@ func main() {
 	flag.CommandLine.SetOutput(os.Stdout)
 	flag.Usage = usage
 	envflag.Parse()
-	flagutil.ApplySecretFlags()
 	remotewrite.InitSecretFlags()
 	buildinfo.Init()
 	logger.Init()
--- a/app/vmalert/main.go
+++ b/app/vmalert/main.go
@@ -90,7 +90,6 @@ func main() {
 	flag.CommandLine.SetOutput(os.Stdout)
 	flag.Usage = usage
 	envflag.Parse()
-	flagutil.ApplySecretFlags()
 	remoteread.InitSecretFlags()
 	remotewrite.InitSecretFlags()
 	datasource.InitSecretFlags()
--- a/lib/envflag/envflag.go
+++ b/lib/envflag/envflag.go
@@ -23,6 +23,7 @@ var (
 // This function must be called instead of flag.Parse() before using any flags in the program.
 func Parse() {
 	ParseFlagSet(flag.CommandLine, os.Args[1:])
+	applySecretFlags()
 }

 // ParseFlagSet parses the given args into the given fs.
--- a/lib/envflag/secret.go
+++ b/lib/envflag/secret.go
@@ -0,0 +1,17 @@
+package envflag
+
+import "github.com/VictoriaMetrics/VictoriaMetrics/lib/flagutil"
+
+// secretFlagsList contains names of flags with secret values obtained from
+// the `-secret.flags` command-line option.
+var secretFlagsList = flagutil.NewArrayString("secret.flags",
+	"Comma-separated list of flag names with secret values. Values for these flags are hidden in logs and on /metrics page")
+
+// applySecretFlags registers flags from `-secret.flags` after they are parsed.
+//
+// The function must be called inside envflag.Parse after parsing flags.
+func applySecretFlags() {
+	for _, f := range *secretFlagsList {
+		flagutil.RegisterSecretFlag(f)
+	}
+}
--- a/lib/envflag/secret_test.go
+++ b/lib/envflag/secret_test.go
@@ -0,0 +1,25 @@
+package envflag
+
+import (
+	"testing"
+
+	"github.com/VictoriaMetrics/VictoriaMetrics/lib/flagutil"
+)
+
+func TestApplySecretFlags(t *testing.T) {
+	t.Cleanup(flagutil.UnregisterAllSecretFlags)
+	secretFlagsList = &flagutil.ArrayString{}
+	if err := secretFlagsList.Set("foo,bar"); err != nil {
+		t.Fatalf("unexpected error: %s", err)
+	}
+
+	if flagutil.IsSecretFlag("foo") || flagutil.IsSecretFlag("bar") {
+		t.Fatalf("foo and bar shouldn't be secret before applySecretFlags")
+	}
+
+	applySecretFlags()
+
+	if !flagutil.IsSecretFlag("foo") || !flagutil.IsSecretFlag("bar") {
+		t.Fatalf("foo and bar should be secret after applySecretFlags")
+	}
+}
--- a/lib/flagutil/secret.go
+++ b/lib/flagutil/secret.go
@@ -15,22 +15,16 @@ func RegisterSecretFlag(flagName string) {
 	secretFlags[lname] = true
 }

-var secretFlags = make(map[string]bool)
-
-// secretFlagsList contains names of flags with secret values obtained from
-// the `-secret.flags` command-line option.
-var secretFlagsList = NewArrayString("secret.flags",
-	"Comma-separated list of flag names with secret values. Values for these flags are hidden in logs and on /metrics page")
-
-// ApplySecretFlags registers flags from `-secret.flags` after they are parsed.
+// UnregisterAllSecretFlags unregisters all secret flags.
 //
-// This function must be called after flag.Parse and before starting logging.
-func ApplySecretFlags() {
-	for _, f := range *secretFlagsList {
-		RegisterSecretFlag(f)
-	}
+// This function must be used in tests only.
+// It cannot be called from concurrent goroutines.
+func UnregisterAllSecretFlags() {
+	secretFlags = make(map[string]bool)
 }

+var secretFlags = make(map[string]bool)
+
 // IsSecretFlag returns true of s contains flag name with secret value, which shouldn't be exposed.
 func IsSecretFlag(s string) bool {
 	if strings.Contains(s, "pass") || strings.Contains(s, "key") || strings.Contains(s, "secret") || strings.Contains(s, "token") {
--- a/lib/flagutil/secret_test.go
+++ b/lib/flagutil/secret_test.go
@@ -1,23 +0,0 @@
-package flagutil
-
-import "testing"
-
-func TestApplySecretFlags(t *testing.T) {
-	t.Cleanup(func() {
-		secretFlags = make(map[string]bool)
-	})
-	secretFlagsList = &ArrayString{}
-	if err := secretFlagsList.Set("foo,bar"); err != nil {
-		t.Fatalf("unexpected error: %s", err)
-	}
-
-	if IsSecretFlag("foo") || IsSecretFlag("bar") {
-		t.Fatalf("foo and bar shouldn't be secret before ApplySecretFlags")
-	}
-
-	ApplySecretFlags()
-
-	if !IsSecretFlag("foo") || !IsSecretFlag("bar") {
-		t.Fatalf("foo and bar should be secret after ApplySecretFlags")
-	}
-}