feat: add secrets from file and prepare a release

promhippie · Oct 26, 2023 · 6c5f43e · 6c5f43e
1 parent cac43ff
commit 6c5f43e
Show file tree

Hide file tree

Showing 4 changed files with 77 additions and 2 deletions.
diff --git a/changelog/1.0.0_2023-10-26/file-secrets.md b/changelog/1.0.0_2023-10-26/file-secrets.md
@@ -0,0 +1,7 @@
+Change: Read secrets form files
+
+We have added proper support to load secrets like passwords from files or from
+base64-encoded strings. Just provide the flags or environment variables with a
+DSN formatted string like `file://path/to/file` or `base64://Zm9vYmFy`.
+
+https://github.com/promhippie/prometheus-vcd-sd/pulls/
diff --git a/changelog/1.0.0_2023-10-26/update-deps.md b/changelog/1.0.0_2023-10-26/update-deps.md
@@ -0,0 +1,7 @@
+Enhancement: Update all releated dependencies
+
+We've updated all dependencies to the latest available versions, including more
+current versions of build tools and used Go version to build the binaries. It's
+time to mark a stable release.
+
+https://github.com/promhippie/prometheus-vcd-sd/pulls/
diff --git a/pkg/action/server.go b/pkg/action/server.go
@@ -2,6 +2,7 @@ package action
 
 import (
 	"context"
+	"fmt"
 	"io"
 	"net/http"
 	"net/url"
@@ -40,6 +41,30 @@ func Server(cfg *config.Config, logger log.Logger) error {
 		configs := make(map[string]*client.Client, len(cfg.Target.Credentials))
 
 		for _, credential := range cfg.Target.Credentials {
+			username, err := config.Value(credential.Username)
+
+			if err != nil {
+				level.Error(logger).Log(
+					"msg", "Failed to read username secret",
+					"project", credential.Project,
+					"err", err,
+				)
+
+				return fmt.Errorf("failed to read username secret for %s", credential.Project)
+			}
+
+			password, err := config.Value(credential.Password)
+
+			if err != nil {
+				level.Error(logger).Log(
+					"msg", "Failed to read password secret",
+					"project", credential.Project,
+					"err", err,
+				)
+
+				return fmt.Errorf("failed to read password secret for %s", credential.Project)
+			}
+
 			parsed, err := url.ParseRequestURI(credential.URL)
 
 			if err != nil {
@@ -54,8 +79,8 @@ func Server(cfg *config.Config, logger log.Logger) error {
 			configs[credential.Project] = client.New(
 				parsed,
 				credential.Insecure,
-				credential.Username,
-				credential.Password,
+				username,
+				password,
 				credential.Org,
 				credential.Vdc,
 			)

diff --git a/pkg/config/config.go b/pkg/config/config.go
@@ -1,5 +1,12 @@
 package config
 
+import (
+	"encoding/base64"
+	"fmt"
+	"os"
+	"strings"
+)
+
 // Credential defines a single project credential.
 type Credential struct {
 	Project  string `json:"project" yaml:"project"`
@@ -47,3 +54,32 @@ func Load() *Config {
 		},
 	}
 }
+
+// Value returns the config value based on a DSN.
+func Value(val string) (string, error) {
+	if strings.HasPrefix(val, "file://") {
+		content, err := os.ReadFile(
+			strings.TrimPrefix(val, "file://"),
+		)
+
+		if err != nil {
+			return "", fmt.Errorf("failed to parse secret file: %w", err)
+		}
+
+		return string(content), nil
+	}
+
+	if strings.HasPrefix(val, "base64://") {
+		content, err := base64.StdEncoding.DecodeString(
+			strings.TrimPrefix(val, "base64://"),
+		)
+
+		if err != nil {
+			return "", fmt.Errorf("failed to parse base64 value: %w", err)
+		}
+
+		return string(content), nil
+	}
+
+	return val, nil
+}