From cae069a6149d2f083406c52dd88825b3b61d1e85 Mon Sep 17 00:00:00 2001
From: Kevin Fox
Date: Mon, 14 Oct 2024 17:32:30 -0700
Subject: [PATCH 1/3] Allow escaping $ in config files that use expand env
Signed-off-by: Kevin Fox
---
 cmd/spire-agent/main.go | 1 +
 cmd/spire-server/main.go | 1 +
 2 files changed, 2 insertions(+)
diff --git a/cmd/spire-agent/main.go b/cmd/spire-agent/main.go
index c208ddeb22..b804b1cbdb 100644
--- a/cmd/spire-agent/main.go
+++ b/cmd/spire-agent/main.go
@@ -8,5 +8,6 @@ import (
 )
 func main() {
+ os.Setenv("$", "$") // Allow escaping $ in config files using ExpandEnv
 os.Exit(entrypoint.NewEntryPoint(new(cli.CLI).Run).Main())
 }
diff --git a/cmd/spire-server/main.go b/cmd/spire-server/main.go
index ac72e48413..fc8d38012d 100644
--- a/cmd/spire-server/main.go
+++ b/cmd/spire-server/main.go
@@ -8,5 +8,6 @@ import (
 )
 func main() {
+ os.Setenv("$", "$") // Allow escaping $ in config files using ExpandEnv
 os.Exit(entrypoint.NewEntryPoint(new(cli.CLI).Run).Main())
 }
From 0be4e31c80f57562f18a66eeeccde51b8c6a2e33 Mon Sep 17 00:00:00 2001
From: Kevin Fox
Date: Tue, 15 Oct 2024 19:37:54 -0700
Subject: [PATCH 2/3] Incorperate feedback
Signed-off-by: Kevin Fox
---
 cmd/spire-agent/cli/run/run.go | 3 ++-
 cmd/spire-agent/main.go | 1 -
 cmd/spire-server/cli/run/run.go | 3 ++-
 cmd/spire-server/main.go | 1 -
 pkg/common/config/config.go | 14 ++++++++++++++
 5 files changed, 18 insertions(+), 4 deletions(-)
 create mode 100644 pkg/common/config/config.go
diff --git a/cmd/spire-agent/cli/run/run.go b/cmd/spire-agent/cli/run/run.go
index ccd309f223..82c3652ecd 100644
--- a/cmd/spire-agent/cli/run/run.go
+++ b/cmd/spire-agent/cli/run/run.go
@@ -31,6 +31,7 @@ import (
 "github.com/spiffe/spire/pkg/agent/workloadkey"
 "github.com/spiffe/spire/pkg/common/bundleutil"
 "github.com/spiffe/spire/pkg/common/catalog"
+ "github.com/spiffe/spire/pkg/common/config"
 common_cli "github.com/spiffe/spire/pkg/common/cli"
 "github.com/spiffe/spire/pkg/common/fflag"
 "github.com/spiffe/spire/pkg/common/health"
@@ -301,7 +302,7 @@ func ParseFile(path string, expandEnv bool) (*Config, error) {
 // If envTemplate flag is passed, substitute $VARIABLES in configuration file
 if expandEnv {
- data = os.ExpandEnv(data)
+ data = config.ExpandEnv(data)
 }
 if err := hcl.Decode(&c, data); err != nil {
diff --git a/cmd/spire-agent/main.go b/cmd/spire-agent/main.go
index b804b1cbdb..c208ddeb22 100644
--- a/cmd/spire-agent/main.go
+++ b/cmd/spire-agent/main.go
@@ -8,6 +8,5 @@ import (
 )
 func main() {
- os.Setenv("$", "$") // Allow escaping $ in config files using ExpandEnv
 os.Exit(entrypoint.NewEntryPoint(new(cli.CLI).Run).Main())
 }
diff --git a/cmd/spire-server/cli/run/run.go b/cmd/spire-server/cli/run/run.go
index 6734190c59..d776db0e3c 100644
--- a/cmd/spire-server/cli/run/run.go
+++ b/cmd/spire-server/cli/run/run.go
@@ -29,6 +29,7 @@ import (
 "github.com/spiffe/go-spiffe/v2/spiffeid"
 "github.com/spiffe/spire/pkg/common/bundleutil"
 "github.com/spiffe/spire/pkg/common/catalog"
+ "github.com/spiffe/spire/pkg/common/config"
 common_cli "github.com/spiffe/spire/pkg/common/cli"
 "github.com/spiffe/spire/pkg/common/diskcertmanager"
 "github.com/spiffe/spire/pkg/common/fflag"
@@ -316,7 +317,7 @@ func ParseFile(path string, expandEnv bool) (*Config, error) {
 // If envTemplate flag is passed, substitute $VARIABLES in configuration file
 if expandEnv {
- data = os.ExpandEnv(data)
+ data = config.ExpandEnv(data)
 }
 if err := hcl.Decode(&c, data); err != nil {
diff --git a/cmd/spire-server/main.go b/cmd/spire-server/main.go
index fc8d38012d..ac72e48413 100644
--- a/cmd/spire-server/main.go
+++ b/cmd/spire-server/main.go
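Review bot: In the `ParseFile` hunk of cmd/spire-agent/cli/run/run.go (the server hunk in cmd/spire-server/cli/run/run.go makes the same change), the comment above the call still reads "substitute $VARIABLES in configuration file" and does not mention the new escape. `config.ExpandEnv(data)` runs over the raw file text before `hcl.Decode`, so with expansion enabled every literal `$` in the file, for example one inside a password or connection string, now has to be written as `$$`. The expanded values are also spliced in without any HCL quoting, so a value containing a quote or a newline can change the structure that gets parsed. I would extend the comment to something like `// If expandEnv is set, expand $VAR/${VAR} in the raw file text before HCL parsing; write $$ for a literal $. Values are inserted unquoted.` The body of `ParseFile` starts and ends outside this hunk.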
@@ -8,6 +8,5 @@ import (
 )
 func main() {
- os.Setenv("$", "$") // Allow escaping $ in config files using ExpandEnv
 os.Exit(entrypoint.NewEntryPoint(new(cli.CLI).Run).Main())
 }
diff --git a/pkg/common/config/config.go b/pkg/common/config/config.go
new file mode 100644
index 0000000000..1e6211fd55
--- /dev/null
+++ b/pkg/common/config/config.go
@@ -0,0 +1,14 @@
+package config
+
+import (
+ "os"
+)
+
+func ExpandEnv(data string) string {
+ return os.Expand(data, func(key string) string {
+ if key == "$" {
+ return "$"
+ }
+ return os.Getenv(key)
+ })
+}
From e9ac0caeb515cbfb400977e38d472a7985a7aacb Mon Sep 17 00:00:00 2001
From: Kevin Fox
Date: Wed, 16 Oct 2024 12:05:09 -0700
Subject: [PATCH 3/3] fix fmt
Signed-off-by: Kevin Fox
---
 cmd/spire-agent/cli/run/run.go | 2 +-
 cmd/spire-server/cli/run/run.go | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/cmd/spire-agent/cli/run/run.go b/cmd/spire-agent/cli/run/run.go
index 82c3652ecd..609788b1be 100644
--- a/cmd/spire-agent/cli/run/run.go
+++ b/cmd/spire-agent/cli/run/run.go
@@ -31,8 +31,8 @@ import (
 "github.com/spiffe/spire/pkg/agent/workloadkey"
 "github.com/spiffe/spire/pkg/common/bundleutil"
 "github.com/spiffe/spire/pkg/common/catalog"
- "github.com/spiffe/spire/pkg/common/config"
 common_cli "github.com/spiffe/spire/pkg/common/cli"
+ "github.com/spiffe/spire/pkg/common/config"
 "github.com/spiffe/spire/pkg/common/fflag"
 "github.com/spiffe/spire/pkg/common/health"
 "github.com/spiffe/spire/pkg/common/idutil"
diff --git a/cmd/spire-server/cli/run/run.go b/cmd/spire-server/cli/run/run.go
index d776db0e3c..97804a41b9 100644
--- a/cmd/spire-server/cli/run/run.go
+++ b/cmd/spire-server/cli/run/run.go
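Review bot: The exported `ExpandEnv` added in pkg/common/config/config.go has no doc comment and, as far as this series shows, no test, although both the agent and the server config loaders now depend on its exact escaping rule. A comment such as `// ExpandEnv expands $VAR and ${VAR} in data from the environment; "$$" yields a literal "$" and unset variables expand to the empty string.` would record the contract. The empty-string case matters to operators because a misspelled or missing variable silently produces an empty setting instead of an error. A small table-driven test covering `$$`, a set variable and an unset one would pin the behaviour.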
@@ -29,8 +29,8 @@ import (
 "github.com/spiffe/go-spiffe/v2/spiffeid"
 "github.com/spiffe/spire/pkg/common/bundleutil"
 "github.com/spiffe/spire/pkg/common/catalog"
- "github.com/spiffe/spire/pkg/common/config"
 common_cli "github.com/spiffe/spire/pkg/common/cli"
+ "github.com/spiffe/spire/pkg/common/config"
 "github.com/spiffe/spire/pkg/common/diskcertmanager"
 "github.com/spiffe/spire/pkg/common/fflag"
 "github.com/spiffe/spire/pkg/common/health"