garage: support specifying token / secret as environment variables

this patch adds support for specifying the `rpc_secret_file`,
`metrics_token_file` and `admin_token_file` as environment variables.
This commit is contained in:
networkException 2023-10-19 03:39:02 +02:00
parent 4a19ee94bb
commit 8599051c49
Signed by untrusted user: networkException
GPG key ID: E3877443AE684391
3 changed files with 29 additions and 5 deletions

View file

@ -25,7 +25,7 @@ use structopt::StructOpt;
use netapp::util::parse_and_resolve_peer_addr; use netapp::util::parse_and_resolve_peer_addr;
use netapp::NetworkKey; use netapp::NetworkKey;
use garage_util::config::Config; use garage_util::config::{read_secret_file, Config};
use garage_util::error::*; use garage_util::error::*;
use garage_rpc::system::*; use garage_rpc::system::*;
@ -70,15 +70,30 @@ pub struct Secrets {
#[structopt(short = "s", long = "rpc-secret", env = "GARAGE_RPC_SECRET")] #[structopt(short = "s", long = "rpc-secret", env = "GARAGE_RPC_SECRET")]
pub rpc_secret: Option<String>, pub rpc_secret: Option<String>,
/// RPC secret network key, used to replace rpc_secret in config.toml and rpc-secret
/// when running the daemon or doing admin operations
#[structopt(long = "rpc-secret-file", env = "GARAGE_RPC_SECRET_FILE")]
pub rpc_secret_file: Option<String>,
/// Admin API authentication token, replaces admin.admin_token in config.toml when /// Admin API authentication token, replaces admin.admin_token in config.toml when
/// running the Garage daemon /// running the Garage daemon
#[structopt(long = "admin-token", env = "GARAGE_ADMIN_TOKEN")] #[structopt(long = "admin-token", env = "GARAGE_ADMIN_TOKEN")]
pub admin_token: Option<String>, pub admin_token: Option<String>,
/// Admin API authentication token file path, replaces admin.admin_token in config.toml
/// and admin-token when running the Garage daemon
#[structopt(long = "admin-token-file", env = "GARAGE_ADMIN_TOKEN_FILE")]
pub admin_token_file: Option<String>,
/// Metrics API authentication token, replaces admin.metrics_token in config.toml when /// Metrics API authentication token, replaces admin.metrics_token in config.toml when
/// running the Garage daemon /// running the Garage daemon
#[structopt(long = "metrics-token", env = "GARAGE_METRICS_TOKEN")] #[structopt(long = "metrics-token", env = "GARAGE_METRICS_TOKEN")]
pub metrics_token: Option<String>, pub metrics_token: Option<String>,
/// Metrics API authentication token file path, replaces admin.metrics_token in config.toml
/// and metrics-token when running the Garage daemon
#[structopt(long = "metrics-token-file", env = "GARAGE_METRICS_TOKEN_FILE")]
pub metrics_token_file: Option<String>,
} }
#[tokio::main] #[tokio::main]
@ -256,15 +271,24 @@ async fn cli_command(opt: Opt) -> Result<(), Error> {
} }
} }
fn fill_secrets(mut config: Config, secrets: Secrets) -> Config { fn fill_secrets(mut config: Config, secrets: Secrets) -> Result<Config, Error> {
if secrets.rpc_secret.is_some() { if secrets.rpc_secret.is_some() {
config.rpc_secret = secrets.rpc_secret; config.rpc_secret = secrets.rpc_secret;
} else if secrets.rpc_secret_file.is_some() {
config.rpc_secret = Some(read_secret_file(&secrets.rpc_secret_file.unwrap())?);
} }
if secrets.admin_token.is_some() { if secrets.admin_token.is_some() {
config.admin.admin_token = secrets.admin_token; config.admin.admin_token = secrets.admin_token;
} else if secrets.admin_token_file.is_some() {
config.admin.admin_token = Some(read_secret_file(&secrets.admin_token_file.unwrap())?);
} }
if secrets.metrics_token.is_some() { if secrets.metrics_token.is_some() {
config.admin.metrics_token = secrets.metrics_token; config.admin.metrics_token = secrets.metrics_token;
} else if secrets.metrics_token_file.is_some() {
config.admin.metrics_token = Some(read_secret_file(&secrets.metrics_token_file.unwrap())?);
} }
config
Ok(config)
} }

View file

@ -20,7 +20,7 @@ pub async fn offline_repair(
} }
info!("Loading configuration..."); info!("Loading configuration...");
let config = fill_secrets(read_config(config_file)?, secrets); let config = fill_secrets(read_config(config_file)?, secrets)?;
info!("Initializing Garage main data store..."); info!("Initializing Garage main data store...");
let garage = Garage::new(config)?; let garage = Garage::new(config)?;

View file

@ -29,7 +29,7 @@ async fn wait_from(mut chan: watch::Receiver<bool>) {
pub async fn run_server(config_file: PathBuf, secrets: Secrets) -> Result<(), Error> { pub async fn run_server(config_file: PathBuf, secrets: Secrets) -> Result<(), Error> {
info!("Loading configuration..."); info!("Loading configuration...");
let config = fill_secrets(read_config(config_file)?, secrets); let config = fill_secrets(read_config(config_file)?, secrets)?;
// ---- Initialize Garage internals ---- // ---- Initialize Garage internals ----