Introducing a feature that allows you to specify secrets as a path to a file where the value will be read from, as opposed to specifying the secret's value directly in the configuration, would be highly appreciated.
This is especially useful for infrastructure-as-code solutions that provision secrets through e.g. Vault. Specifically, for my use case, my organization would like to read values from files created at runtime, rather than directly specifying them in the configuration.
In our specific use case, due to the nature of NixOS having configuration files reside in the world-readable store, this would be a major security improvement, and would perhaps unblock others from using CNCF distribution with NixOS. This should be a similar story for other distributions like Guix.
For instance, instead of specifying S3 storage credentials inline:
You could instead specify:
This also makes configuration a lot easier in general, and might prove useful even on other Linux distributions.
Prior art includes e.g. [Prometheus](https://prometheus.io/docs/prometheus/latest/configuration/configuration/):

```yaml
# Sets the `Authorization` header on every scrape request with
# the configured credentials.
authorization:
  # Sets the authentication type of the request.
  [ type: <string> | default: Bearer ]
  # Sets the credentials of the request. It is mutually exclusive with
  # `credentials_file`.
  [ credentials: <secret> ]
  # Sets the credentials of the request with the credentials read from the
  # configured file. It is mutually exclusive with `credentials`.
  [ credentials_file: <filename> ]
```