
Manage secrets outside of server_config.json#4633

Merged
bruntib merged 5 commits intoEricsson:masterfrom
barnabasdomozi:server_secrets
Aug 7, 2025

Conversation

@barnabasdomozi
Collaborator

In this PR, I added an option to store secrets outside of server_config.json.

To use this feature, we can replace sensitive data with $SECRET:NAME_OF_SECRET$, then NAME_OF_SECRET will be read from a separate secrets.json file when we initially load server_config.json.
This change is also backward compatible (e.g., secrets can still be stored in server_config.json).

See the updated documentation in docs/web/server_config.md for more info.

@barnabasdomozi barnabasdomozi self-assigned this Jul 15, 2025
@barnabasdomozi barnabasdomozi added enhancement 🌟 documentation 📖 Changes to documentation. server 🖥️ config ⚙️ python Pull requests that update Python code (used by DependaBot) labels Jul 15, 2025
@barnabasdomozi barnabasdomozi marked this pull request as draft July 16, 2025 13:34
@barnabasdomozi barnabasdomozi marked this pull request as ready for review July 16, 2025 16:41
Contributor

@bruntib bruntib left a comment

Please, fix the lint test, otherwise looks good to me.

Contributor

@Discookie Discookie left a comment

Can these secrets only be a string, or can they be arbitrary JSON data?
It seems that currently the secrets.json can store arbitrary data, while the environment variable cannot.

Not sure if loading arbitrary data is intentional, but it would be useful to offload e.g. the entire dictionary-based auth dictionary into the secrets, instead of each individual password.
If it's not intentional, it should be checked against when loading the secrets.json.

Contributor

Discookie commented Jul 30, 2025

(Similarly, there should be an appropriate error message on a nonexistent environment variable.)

@barnabasdomozi
Collaborator Author

@Discookie

Not sure if loading arbitrary data is intentional, but it would be useful to offload e.g. the entire dictionary-based auth dictionary into the secrets, instead of each individual password.

It was initially designed for strings, but as you mentioned, it can be a useful feature so I think we can keep this as is.

(Similarly, there should be an appropriate error message on a nonexistent environment variable.)

Currently, the server prints the thrown exception message:

Variable '$ENV:FOO$' could not be resolved in server configuration file.

I think this explains that env variable FOO doesn't exist.
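The placeholder mechanism described in the PR description and in the reply above (whole-string `$SECRET:NAME$` values resolved from secrets.json, `$ENV:NAME$` values resolved from the process environment, secrets allowed to be arbitrary JSON, and the "could not be resolved" error on a missing variable) can be illustrated with a small stand-alone resolver. This is an added example written for this page, not CodeChecker's own `resolve_variables`; the placeholder regex, the `env` parameter, the `UnresolvedVariableError` class and the sample config and secrets below are all constructed assumptions.

```python
import json
import os
import re
from typing import Any, Dict, Mapping, Optional

# Assumed placeholder syntax: the entire string must be $SECRET:NAME$ or $ENV:NAME$.
# Matching whole strings only means a secret is never spliced into the middle of
# another value, and non-placeholder strings pass through untouched.
PLACEHOLDER_RE = re.compile(r"^\$(SECRET|ENV):([A-Za-z0-9_]+)\$$")


class UnresolvedVariableError(ValueError):
    """Raised when a placeholder names a secret or environment variable that does not exist."""


def resolve_value(value: str, secrets: Mapping[str, Any], env: Mapping[str, str]) -> Any:
    """Resolve one string. Returns the string unchanged if it is not a placeholder."""
    match = PLACEHOLDER_RE.match(value)
    if not match:
        return value
    source, name = match.groups()
    if source == "SECRET" and name in secrets:
        # A secret may be any JSON value (string, list, dict ...), not only a string.
        return secrets[name]
    if source == "ENV" and name in env:
        # Environment variables are always strings.
        return env[name]
    raise UnresolvedVariableError(
        f"Variable '{value}' could not be resolved in server configuration file.")


def resolve_variables(config: Any, secrets: Mapping[str, Any],
                      env: Optional[Mapping[str, str]] = None) -> Any:
    """Walk a parsed JSON document and resolve every placeholder string in it."""
    if env is None:
        env = os.environ  # default to the real process environment
    if isinstance(config, dict):
        return {k: resolve_variables(v, secrets, env) for k, v in config.items()}
    if isinstance(config, list):
        return [resolve_variables(v, secrets, env) for v in config]
    if isinstance(config, str):
        return resolve_value(config, secrets, env)
    return config  # numbers, booleans, null pass through


def load_server_config(config_text: str, secrets_text: str = "",
                       env: Optional[Mapping[str, str]] = None) -> Dict[str, Any]:
    """Parse server_config.json text plus optional secrets.json text and resolve placeholders."""
    config = json.loads(config_text)
    secrets = json.loads(secrets_text) if secrets_text.strip() else {}
    if not isinstance(secrets, dict):
        raise ValueError("secrets.json must contain a JSON object at the top level")
    return resolve_variables(config, secrets, env)


# Constructed sample inputs (not taken from the CodeChecker repository).
SAMPLE_SERVER_CONFIG = """{
  "authentication": {
    "method_dictionary": {
      "enabled": true,
      "auths": "$SECRET:DICT_AUTHS$"
    },
    "method_ldap": {
      "enabled": true,
      "authorities": [
        {"connection_url": "ldap://ldap.example.test",
         "bind_password": "$SECRET:LDAP_PASSWORD$"}
      ]
    }
  },
  "database": {"password": "$ENV:DB_PASSWORD$", "port": 5432}
}"""

SAMPLE_SECRETS = """{
  "LDAP_PASSWORD": "constructed-bind-pw",
  "DICT_AUTHS": ["admin:constructed-admin-pw", "user:constructed-user-pw"]
}"""


def demo() -> Dict[str, Any]:
    """Resolve the sample config with a constructed environment instead of os.environ."""
    return load_server_config(SAMPLE_SERVER_CONFIG, SAMPLE_SECRETS,
                              env={"DB_PASSWORD": "constructed-db-pw"})


def unresolved_example() -> str:
    """Show the error text produced when an environment variable is missing."""
    try:
        resolve_variables({"x": "$ENV:FOO$"}, {}, env={})
    except UnresolvedVariableError as exc:
        return str(exc)
    return "no error"


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
    print(unresolved_example())
```

Passing `env` explicitly keeps the resolver testable without mutating the process environment; in production the default `os.environ` is used. Because a secret is substituted as a whole JSON value, a dictionary or list from secrets.json lands in the config exactly where its placeholder stood, which is the behaviour the reviewer asked about above.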

Contributor

@Discookie Discookie left a comment

It'd be nice to have an example about secrets.json storing JSON structures in the docs, but otherwise LGTM.

@barnabasdomozi
Collaborator Author

@Discookie @bruntib

It'd be nice to have an example about secrets.json storing JSON structures in the docs, but otherwise LGTM.

Also extended the docs with an example dictionary secret.

@bruntib bruntib merged commit 49a939a into Ericsson:master Aug 7, 2025
7 of 9 checks passed
@barnabasdomozi barnabasdomozi deleted the server_secrets branch August 12, 2025 13:07
bruntib added a commit that referenced this pull request Sep 19, 2025
* Manage secrets outside of server_config.json

* Also read secrets from environmental variables.

* Fix minor styling issue in resolve_variables

Co-authored-by: bruntib <12861163+bruntib@users.noreply.github.com>

* Fix lint test

* Extended docs with an example dictionary secret

---------

Co-authored-by: bruntib <12861163+bruntib@users.noreply.github.com>