Add support for specifying `rpc_secret_file`, `metrics_token_file` and `admin_token_file` using environment variables #643
Reference: Deuxfleurs/garage#643
This pull request adds the `GARAGE_RPC_SECRET_FILE`, `GARAGE_METRICS_TOKEN_FILE` and `GARAGE_ADMIN_TOKEN_FILE` environment variables to properly support systemd credentials

ec7e8f0658 to e05ec5968d

In the existing code, all environment variables used by the Garage CLI are declared in `main.rs` in the `garage` crate, here: https://git.deuxfleurs.fr/Deuxfleurs/garage/src/branch/main/src/garage/main.rs.

I feel that it makes the code more confusing and hard to maintain that some environment variables are used directly in `garage_util`. Also, having the env variables declared in `main.rs` makes them available as CLI options as well, and they are documented in the `--help` screen.

I know it's going to be a bit more code, but could you please make it so that all environment variables are declared in `garage/main.rs`?

Reading the files specified in the `_FILE` environment variables will have to happen in `fill_secrets`. The return type of `fill_secrets` will have to be changed to a `Result<Config, Error>`.

@ -288,6 +288,9 @@ Since Garage `v0.8.2`, the RPC secret can also be stored in a file whose path is
given in the configuration variable `rpc_secret_file`, or specified as an
environment variable `GARAGE_RPC_SECRET`.
Since Garage `v0.8.5`, you can also specify the path of a file storing the secret
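Review bot: the sentence beginning "Since Garage `v0.8.5`, you can also specify the path of a file" documents a second way to supply the RPC secret next to `GARAGE_RPC_SECRET` in the context line just above it, but nothing visible here says what happens when both the value and the file path are set. State the behaviour in the same paragraph (an error, or which of the two takes precedence) so an operator who sets both knows which secret ends up in use.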
That's not 0.8.5 anymore, considering 0.9.0 was released.
e05ec5968d to 8599051c49

Sorry for the long delay, I hope the changes are better now. Fell into a few rabbit holes in the meanwhile, including unix socket support for rpc (things like `garage status` work, I'll need to check cluster operation and will look into opening a pull request afterwards :D)

Add support for specifying `rpc_secret_file`, `metrics_token_file` and `admin_token_file` using environment variables to Add support for specifying `rpc_secret_file`, `metrics_token_file` and `admin_token_file` using environment variables

Thanks!

@ -240,1 +240,4 @@
pub fn read_secret_file(file_path: &String) -> Result<String, Error> {
#[cfg(unix)]
if std::env::var("GARAGE_ALLOW_WORLD_READABLE_SECRETS").as_deref() != Ok("true") {
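Review bot: in `read_secret_file`, the `GARAGE_ALLOW_WORLD_READABLE_SECRETS` override is read with `std::env::var` at the point of use, so the function's behaviour depends on process-global state that its signature does not show and that callers and tests cannot control. Consider taking the override as a parameter (for example a `bool`) and reading the variable once where the caller builds its configuration. Separately, `file_path: &String` would be more idiomatic as `&str` or `&Path`, since a `&String` argument forces callers to own a `String`.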
This check will actually fail on more recent versions of systemd, as they switched from plain chmods to ACLs, and it's not trivial to determine if something is readable by others or not.
I think it'd make more sense to drop this check to become a warning.
Upstream systemd issue: https://github.com/systemd/systemd/issues/29435
workaround in #663
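
The two points discussed in this thread (resolving a secret from either a direct value or a `_FILE` path with a `Result` return, and the mode-bit check on the secret file) can be sketched as follows. This is an added example, not code from the pull request or from Garage: `resolve_secret`, `mode_is_too_open` and their parameters are hypothetical names, rejecting the case where both sources are set is this example's own choice, and it is Unix-only.

```rust
use std::fs;
use std::os::unix::fs::MetadataExt;
use std::path::Path;

/// Hypothetical helper: true when the classic mode bits grant any access to
/// group or others. ACL entries are not inspected, so a file whose access is
/// governed by ACLs can be misjudged by a mode-only check like this one.
pub fn mode_is_too_open(mode: u32) -> bool {
    mode & 0o077 != 0
}

/// Resolve one secret from a literal value or from a file path.
/// The override is a parameter rather than an environment lookup, so the
/// caller decides where that setting comes from.
pub fn resolve_secret(
    name: &str,
    direct: Option<String>,
    file: Option<&Path>,
    allow_open_mode: bool,
) -> Result<Option<String>, String> {
    match (direct, file) {
        // Assumption of this example: two sources for one secret is an error.
        (Some(_), Some(_)) => Err(format!("{} and {}_file are both set", name, name)),
        (Some(value), None) => Ok(Some(value)),
        (None, None) => Ok(None),
        (None, Some(path)) => {
            let mode = fs::metadata(path).map_err(|e| e.to_string())?.mode();
            if mode_is_too_open(mode) && !allow_open_mode {
                return Err(format!(
                    "{} has mode {:o}, readable beyond its owner",
                    path.display(),
                    mode & 0o7777
                ));
            }
            let raw = fs::read_to_string(path).map_err(|e| e.to_string())?;
            // A trailing newline in the file is not part of the secret.
            Ok(Some(raw.trim_end().to_string()))
        }
    }
}
```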