Add support for specifying rpc_secret_file, metrics_token_file and admin_token_file using environment variables #643

networkException · 2023-10-03T16:35:42Z

networkException commented

2023-10-03 16:35:42 +00:00

This pull request adds the GARAGE_RPC_SECRET_FILE, GARAGE_METRICS_TOKEN_FILE and GARAGE_ADMIN_TOKEN_FILE environment variables to properly support systemd credentials

This pull request adds the `GARAGE_RPC_SECRET_FILE`, `GARAGE_METRICS_TOKEN_FILE` and `GARAGE_ADMIN_TOKEN_FILE` environment variables to properly support systemd credentials

networkException force-pushed token-file-env from ec7e8f0658 to e05ec5968d

2023-10-03 16:37:11 +00:00

Compare

lx commented

2023-10-04 08:47:49 +00:00

In the existing code, all environment variables used by the Garage CLI are declared in main.rs in the garage crate, here: https://git.deuxfleurs.fr/Deuxfleurs/garage/src/branch/main/src/garage/main.rs.
I feel that it makes the code more confusing and hard to maintain that some environment variables are used directly in garage_util. Also, having the env variables declared in main.rs makes them available as CLI options as well, and they are documented in the --help screen.

I know it's going to be a bit more code, but could you please make it so that all environment variables are declared in garage/main.rs?

In the existing code, all environment variables used by the Garage CLI are declared in `main.rs` in the `garage` crate, here: <https://git.deuxfleurs.fr/Deuxfleurs/garage/src/branch/main/src/garage/main.rs>. I feel that it makes the code more confusing and hard to maintain that some environment variables are used directly in `garage_util`. Also, having the env variables declared in `main.rs` makes them available as CLI options as well, and they are documented in the `--help` screen. I know it's going to be a bit more code, but could you please make it so that all environment variables are declared in `garage/main.rs`?

lx commented

2023-10-04 08:49:17 +00:00

Reading the files specified in the _FILE environment variables will have to happen in fill_secrets. The return type of fill_secrets will have to be changed to a Result<Config, Error>.

Reading the files specified in the `_FILE` environment variables will have to happen in [`fill_secrets`](https://git.deuxfleurs.fr/Deuxfleurs/garage/src/branch/main/src/garage/main.rs). The return type of `fill_secrets` will have to be changed to a `Result<Config, Error>`.

flokli requested changes 2023-10-16 19:58:17 +00:00

doc/book/reference-manual/configuration.md Outdated

					
				@ -288,6 +288,9 @@ Since Garage `v0.8.2`, the RPC secret can also be stored in a file whose path is

				given in the configuration variable `rpc_secret_file`, or specified as an

				environment variable `GARAGE_RPC_SECRET`.

				Since Garage `v0.8.5`, you can also specify the path of a file storing the secret

flokli commented

2023-10-16 19:58:08 +00:00

That's not 0.8.5 anymore, considering 0.9.0 was released.

networkException marked this conversation as resolved

networkException force-pushed token-file-env from e05ec5968d to 8599051c49

2023-10-19 01:40:03 +00:00

Compare

networkException commented

2023-10-19 01:43:10 +00:00

Sorry for the long delay, I hope the changes are better now. Fell into a few rabbit holes in the meanwhile, including unix socket support for rpc (things like garage status work, I'll need to check cluster operation and will look into opening a pull request afterwards :D)

Sorry for the long delay, I hope the changes are better now. Fell into a few rabbit holes in the meanwhile, including unix socket support for rpc (things like `garage status` work, I'll need to check cluster operation and will look into opening a pull request afterwards :D)

lx changed title from ~~Add support for specifying `rpc_secret_file`, `metrics_token_file` and `admin_token_file` using environment variables~~ to Add support for specifying `rpc_secret_file`, `metrics_token_file` and `admin_token_file` using environment variables

2023-10-19 09:32:39 +00:00

lx changed target branch from main to main-0.8.x

2023-10-19 09:32:39 +00:00

lx merged commit 0215b11402 into main-0.8.x

2023-10-19 09:33:12 +00:00

lx referenced this issue from a commit

2023-10-19 09:33:13 +00:00

Merge pull request 'Add support for specifying `rpc_secret_file`, `metrics_token_file` and `admin_token_file` using environment variables' (#643) from networkException/garage:token-file-env into main-0.8.x

lx commented

2023-10-19 09:33:20 +00:00

Thanks!

flokli reviewed 2023-10-20 11:10:00 +00:00

src/util/config.rs

					
				@ -240,1 +240,4 @@

				pub fn read_secret_file(file_path: &String) -> Result<String, Error> {

					#[cfg(unix)]

					if std::env::var("GARAGE_ALLOW_WORLD_READABLE_SECRETS").as_deref() != Ok("true") {

flokli commented

2023-10-20 11:10:00 +00:00

This check will actually fail on more recent versions of systemd, as they switched from plain chmods to ACLs, and it's not trivial to determine if something is readable by others or not.

I think it'd make more sense to drop this check to become a warning.

This check will actually *fail* on more recent versions of systemd, as they switched from plain chmods to ACLs, and it's not trivial to determine if something is readable by others or not. I think it'd make more sense to drop this check to become a warning.

flokli commented

2023-10-20 11:11:00 +00:00

Upstream systemd issue: https://github.com/systemd/systemd/issues/29435

flokli commented

2023-10-26 07:54:16 +00:00

workaround in #663

workaround in https://git.deuxfleurs.fr/Deuxfleurs/garage/pulls/663