nogweii:
I'm not sure what the best approach is for this, perhaps prefixing a string with "file:" turns the rest into a path to read from? In particular, the ntfy access token and redis URI.
Intention: I want to deploy ntfy-alertmanager to my Kubernetes cluster, and it would be most idiomatic if I could mount a Secret and its values into a subdirectory.
xenrox:
Checking strings for a `file:` prefix sounds a bit too unclean to me, because in theory it could be possible that a randomly generated secret/password starts with "file:".
I have a few other ideas that could work. From favourite to least favourite:
- Rework config file parsing, so that every value can be read from an environment variable as well (e.g. `NA_NTFY_ACCESS_TOKEN`). See this issue for reference. Should be easy to integrate with k8s/helm.
- Allow to include a second config file in the main config. This could then contain your secrets.
- Offer the option to read settings from files with a new config option, e.g. `access-token-file`.

Would any of these solve your issue/make deployment easier?
nogweii:
I personally prefer option two or three, as that mitigates the risk of secrets being added to all processes spawned in the container. (Not that it is a particularly high risk when talking about Kubernetes, though.)
Any of those choices would 100% work for me.
Thorben Günther referenced this ticket in commit 6c2521e.
xenrox:
I have implemented the second solution. Can you take a look at the example configuration file if everything is clear and check if it works as expected?