k8s HTTP retriever securely pass api key header

[tomflenner]

Hi 👋🏻 !

We have an Azure Function which is our HTTP Retriever and the endpoint is protected by an API Key.

This API Key is stored as sealed secret in our k8s cluster.

Is it possible to reference secret in the relayproxy.config for api key header ?

Thanks in advance 🙏🏻

[thomaspoignant]

Hello @tomflenner 👋 !
I am not super familiar with how sealed secret works but if you can use them as environment variables you can mount your API key in the HTTP header of your HTTP retriever inside the relay proxy.

I just did a test on my local environment and you can add an environment variable that looks like RETRIEVER_HEADERS_AUTHORIZATION=Bearer xxx when starting your container and the header will be added to every HTTP calls made by the HTTP retriever.

Would it work for your use case?

[tomflenner]

Hi 👋🏻 !

It seems to work for my use case.

Just for my knowledege, how this environment variable is use and read ? I assume that RETRIEVER_... will work If I use retriever in the configuration but what about using multiple retrievers ?

Just for my training on GOF, how this configuration file works ? Does it set all as environment variable or there is a specific configuration reader in source code ?

Thanks in advance and sorry if these questions came out of scope of this thread 🙏🏻

[thomaspoignant]

Just for my knowledege, how this environment variable is use and read ? I assume that RETRIEVER_... will work If I use retriever in the configuration but what about using multiple retrievers ?

For retrievers unfortunately, it will not work for now because we are using the koanf library and it does not support out-of-the-box patching arrays through env variables.
This is something where we can open an issue on GOFF repo too, so we can look at that at some point (#1841).

Just for my training on GOF, how this configuration file works ? Does it set all as environment variable or there is a specific configuration reader in source code ?

As mentioned on top we are using knadh/koanf to handle the configuration, and we are reading several locations pflags, file, env variables. If you are interested in digging into that please look here:

go-feature-flag/cmd/relayproxy/config/config.go

Lines 55 to 107 in e295dc4

	func New(flagSet *pflag.FlagSet, log *zap.Logger, version string) (*Config, error) {
	k.Delete("")
	// Default values
	_ = k.Load(confmap.Provider(map[string]interface{}{
	"listen": "1031",
	"host": "localhost",
	"fileFormat": "yaml",
	"restApiTimeout": 5000,
	"pollingInterval": 60000,
	}, "."), nil)
	// mapping command line parameters to koanf
	if errBindFlag := k.Load(posflag.Provider(flagSet, ".", k), nil); errBindFlag != nil {
	log.Fatal("impossible to parse flag command line", zap.Error(errBindFlag))
	}
	// Read config file
	configFileLocation, errFileLocation := locateConfigFile(k.String("config"))
	if errFileLocation != nil {
	log.Info("not using any configuration file", zap.Error(errFileLocation))
	} else {
	ext := filepath.Ext(configFileLocation)
	var parser koanf.Parser
	switch strings.ToLower(ext) {
	case ".toml":
	parser = toml.Parser()
	break
	case ".json":
	parser = json.Parser()
	break
	default:
	parser = yaml.Parser()
	}
	if errBindFile := k.Load(file.Provider(configFileLocation), parser); errBindFile != nil {
	log.Error("error loading file", zap.Error(errBindFile))
	}
	}
	// Map environment variables
	_ = k.Load(env.Provider("", ".", func(s string) string {
	return strings.ReplaceAll(strings.ToLower(s), "_", ".")
	}), nil)
	_ = k.Set("version", version)
	proxyConf := &Config{}
	errUnmarshal := k.Unmarshal("", &proxyConf)
	if errUnmarshal != nil {
	return nil, errUnmarshal
	}
	return proxyConf, nil

[tomflenner]

Thanks for all informations and for opening the issue #1841 !

Your workaround gonna be perfect for us atm since we will only use HTTP retriever (but maybe we will need to merge in future, it's YAGNI for us at this step of our POC)

I am gonna take a look into source code to see how it works !