feat: add -config-env and -config-env-base64 flags

[Mickaël Canévet (mcanevet)]

Summary

• Add -config-env to read the network configuration from an environment variable instead of a file, removing the need to write the config to disk.
• Add -config-env-base64 to decode the variable's value as base64 before parsing, avoiding YAML line-folding issues when the config is injected into a double-quoted scalar by a template engine (e.g. Tinkerbell).
• -config and -config-env are mutually exclusive; -config-env-base64 requires -config-env.

Test plan

• talos-meta-tool -device /dev/sda -config-env MY_CONFIG with a valid YAML config in MY_CONFIG
• talos-meta-tool -device /dev/sda -config-env MY_CONFIG -config-env-base64 with a base64-encoded config
• Verify mutual exclusion: passing both -config and -config-env returns an error
• Verify -config-env-base64 without -config-env returns an error
• Verify invalid base64 returns a clear error

🤖 Generated with Claude Code

Summary by CodeRabbit

• New Features

  • Accept META configuration via file or environment variable, with optional base64 decoding; CLI enforces exclusivity and required input rules and validates config before writing.

• Documentation

  • Usage and Docker examples updated to show file, plain env, and base64-encoded env workflows with cross-platform encoding notes.

• Tests

  • Added coverage for config loading from file, plain env, and base64-encoded env, including error cases.

[coderabbitai]

Warning

Review limit reached

@mcanevet, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 53 minutes and 29 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 2036376c-ac09-43a0-b961-e65b011d2ea6

📥 Commits

Reviewing files that changed from the base of the PR and between 2f15efc and 6cb7b09.

📒 Files selected for processing (3)

• README.md
• main.go
• main_test.go

📝 Walkthrough

Walkthrough

The CLI gains -config-env and -config-env-base64 to accept META YAML from an environment variable (optionally base64-decoded); loadConfig centralizes file/env loading, YAML validation remains conditional via -skip-validation, README updated with usage and Docker examples, and tests cover the new paths.

Changes

Environment Variable Configuration Support

Layer / File(s)	Summary
Imports for base64 support main.go	Added encoding/base64 import to enable optional base64 decoding of environment-provided configuration.
loadConfig implementation main.go	Implement loadConfig to read config bytes from an env var (strip whitespace, optional base64 decode) or from a file; integrate with existing validation and META write path.
CLI flags and validation rules main.go	Added -config-env and -config-env-base64 flags; require at least one config source, enforce mutual exclusivity between file/env, and require -config-env when using -config-env-base64.
Tests for loadConfig main_test.go	Added tests for loading from a temp file and missing file, plain-text env var and unset env error, base64 env var with whitespace/newline variants, and invalid-base64 error; added encoding/base64 import for tests.
Usage documentation and examples README.md	Expanded Usage with examples for file, plain-text env, and base64-encoded env config inputs; added Docker --privileged example showing how to pass a base64-encoded MY_CONFIG with Linux and macOS/BSD encoding snippets.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• cozystack/talos-meta-tool#6: Related changes to config validation and -skip-validation behavior used by the new env/base64 config path.

Suggested reviewers

• kvaps

Poem

🐰 I nibble flags and tidy bytes,
Env or file, by day or night,
Base64 whispers, I decode with cheer,
META written, the network's near,
A rabbit's hop, the config's clear.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately and concisely describes the main change: adding two new CLI flags (-config-env and -config-env-base64) for configuration management.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request introduces support for loading configurations from environment variables via the -config-env flag, with optional base64 decoding support using -config-env-base64. Feedback suggests improving error handling by ensuring CLI validation failures exit with a non-zero status code and print to standard error instead of silently succeeding. Additionally, it is recommended to use base64.MIMEEncoding instead of base64.StdEncoding to robustly handle whitespace and newlines in base64-encoded inputs.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@README.md`:
- Around line 28-32: Add a language identifier to the fenced code block
containing the docker run snippet so markdown linters recognize it; edit the
opening backticks for the block that starts with the docker run command (the
block showing the MY_CONFIG env and image
harbor.protontech.ch/systems/talos-meta-tool:latest) and change the fence to
include the language (e.g., bash) immediately after the three backticks.
- Line 29: Update the README entry that shows docker run with MY_CONFIG="$(cat
config.yaml | base64 -w0)" to include cross-platform guidance: note that the -w0
flag is GNU-specific and will fail on macOS/BSD, add a macOS-friendly option and
a portable alternative that ensures the base64 output has no newlines (e.g., by
using the macOS base64 mode or by piping base64 output through a
newline-stripping step), and show an example command for each approach so users
on different platforms can produce a single-line base64 config.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: b9cc03f4-be25-4306-bbde-0b4208e301f1

📥 Commits

Reviewing files that changed from the base of the PR and between 5072cab and 13a51a4.

📒 Files selected for processing (2)

• README.md
• main.go

[Andrei Kvapil (kvaps)]

Thanks for the env-var feature — closes your original Slack ask, and the mutual-exclusion logic is clean. Two concrete fixes inline below.

One thing that can't be inline: PR #6 just merged, replacing the loose validateYAML with strict schema validation (validateConfig) gated by -skip-validation. After rebasing, please call validateConfig (respecting -skip-validation) instead of validateYAML in both the file and env-var paths, so base64-decoded configs go through the same validation. The gopkg.in/yaml.v3 import can be dropped — it's no longer used on main.

Non-blocking: the new flag-parsing and env-var loading isn't covered by tests — would be worth extracting the load step into a helper (loadConfig(path, envVar string, b64 bool) ([]byte, error)) so precedence and decode errors get table-driven tests.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@main_test.go`:
- Line 287: The call to f.Close() is ignoring its error; update the test to
check the returned error from f.Close() and fail the test on error. Replace the
bare f.Close() with an error check such as: if err := f.Close(); err != nil {
t.Fatalf("failed to close file: %v", err) } (or use require.NoError(t, err) if
you prefer testify) so the test records any Close() failure.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 85310f05-64f0-45ea-8214-37cc54f52fdc

📥 Commits

Reviewing files that changed from the base of the PR and between 14e4386 and 2f15efc.

📒 Files selected for processing (2)

• main.go
• main_test.go

🚧 Files skipped from review as they are similar to previous changes (1)

• main.go

[Mickaël Canévet (mcanevet)]

Andrei Kvapil (@kvaps) ready for review