authorAlex Auvolat <alex@adnab.me>2023-02-03 15:27:39 +0100
committerAlex Auvolat <alex@adnab.me>2023-02-03 15:27:39 +0100
commit656b8d42de2fc945c988094418c90d29d000be32 (patch)
tree938aa46539d2c836cf8207d695ba70a9b686bcf6 /src/garage
parent30f1636a00ffc60d1c9ac1d3781ccee21669e54d (diff)
secrets can be passed directly in config, as file, or as env
Diffstat (limited to 'src/garage')
-rw-r--r--src/garage/main.rs45
-rw-r--r--src/garage/repair/offline.rs9
-rw-r--r--src/garage/server.rs5
3 files changed, 48 insertions, 11 deletions
diff --git a/src/garage/main.rs b/src/garage/main.rs
index 736e11ec..2bd0164e 100644
--- a/src/garage/main.rs
+++ b/src/garage/main.rs
@@ -25,6 +25,7 @@ use structopt::StructOpt;
use netapp::util::parse_and_resolve_peer_addr;
use netapp::NetworkKey;
+use garage_util::config::Config;
use garage_util::error::*;
use garage_rpc::system::*;
@@ -46,11 +47,10 @@ struct Opt {
#[structopt(short = "h", long = "rpc-host", env = "GARAGE_RPC_HOST")]
pub rpc_host: Option<String>,
- /// RPC secret network key for admin operations
- #[structopt(short = "s", long = "rpc-secret", env = "GARAGE_RPC_SECRET")]
- pub rpc_secret: Option<String>,
+ #[structopt(flatten)]
+ pub secrets: Secrets,
- /// Configuration file (garage.toml)
+ /// Path to configuration file
#[structopt(
short = "c",
long = "config",
@@ -63,6 +63,23 @@ struct Opt {
cmd: Command,
}
+#[derive(StructOpt, Debug)]
+pub struct Secrets {
+ /// RPC secret network key, used to replace rpc_secret in config.toml when running the daemon or doing admin operations
+ #[structopt(short = "s", long = "rpc-secret", env = "GARAGE_RPC_SECRET")]
+ pub rpc_secret: Option<String>,
+
+ /// Metrics API authentication token, replaces admin.metrics_token in config.toml when
+ /// running the Garage daemon
+ #[structopt(long = "admin-token", env = "GARAGE_ADMIN_TOKEN")]
+ pub admin_token: Option<String>,
+
+ /// Metrics API authentication token, replaces admin.metrics_token in config.toml when
+ /// running the Garage daemon
+ #[structopt(long = "metrics-token", env = "GARAGE_METRICS_TOKEN")]
+ pub metrics_token: Option<String>,
+}
+
#[tokio::main]
async fn main() {
// Initialize version and features info
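Review bot: `Secrets` derives `Debug` while holding the RPC secret and both API tokens, so any `{:?}` formatting of it (or of `Opt`, if that also derives `Debug`, which is not visible in this hunk) would write them in clear to logs or panic output; a hand-written `Debug` that redacts the three fields avoids that. The doc comment on `admin_token` is also a copy of the one on `metrics_token`, so `--help` describes `--admin-token` as the metrics token; it should read `/// Admin API authentication token, replaces admin.admin_token in config.toml when running the Garage daemon`. Since the `--rpc-secret`, `--admin-token` and `--metrics-token` flags put the value in the process argument list, the help text could point operators to the environment variables or the file option named in the commit title.

```rust
#[derive(StructOpt)]
pub struct Secrets {
    // … unchanged: rpc_secret, admin_token, metrics_token fields …
}

impl std::fmt::Debug for Secrets {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        // Report only whether each secret was supplied, never its value.
        f.debug_struct("Secrets")
            .field("rpc_secret", &self.rpc_secret.as_ref().map(|_| "<redacted>"))
            .field("admin_token", &self.admin_token.as_ref().map(|_| "<redacted>"))
            .field("metrics_token", &self.metrics_token.as_ref().map(|_| "<redacted>"))
            .finish()
    }
}
```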
@@ -145,9 +162,9 @@ async fn main() {
sodiumoxide::init().expect("Unable to init sodiumoxide");
let res = match opt.cmd {
- Command::Server => server::run_server(opt.config_file).await,
+ Command::Server => server::run_server(opt.config_file, opt.secrets).await,
Command::OfflineRepair(repair_opt) => {
- repair::offline::offline_repair(opt.config_file, repair_opt).await
+ repair::offline::offline_repair(opt.config_file, opt.secrets, repair_opt).await
}
Command::Node(NodeOperation::NodeId(node_id_opt)) => {
node_id_command(opt.config_file, node_id_opt.quiet)
@@ -162,7 +179,7 @@ async fn main() {
}
async fn cli_command(opt: Opt) -> Result<(), Error> {
- let config = if opt.rpc_secret.is_none() || opt.rpc_host.is_none() {
+ let config = if opt.secrets.rpc_secret.is_none() || opt.rpc_host.is_none() {
Some(garage_util::config::read_config(opt.config_file.clone())
.err_context(format!("Unable to read configuration file {}. Configuration file is needed because -h or -s is not provided on the command line.", opt.config_file.to_string_lossy()))?)
} else {
@@ -171,6 +188,7 @@ async fn cli_command(opt: Opt) -> Result<(), Error> {
// Find and parse network RPC secret
let net_key_hex_str = opt
+ .secrets
.rpc_secret
.as_ref()
.or_else(|| config.as_ref().and_then(|c| c.rpc_secret.as_ref()))
@@ -230,3 +248,16 @@ async fn cli_command(opt: Opt) -> Result<(), Error> {
Ok(x) => Ok(x),
}
}
+
+fn fill_secrets(mut config: Config, secrets: Secrets) -> Config {
+ if secrets.rpc_secret.is_some() {
+ config.rpc_secret = secrets.rpc_secret;
+ }
+ if secrets.admin_token.is_some() {
+ config.admin.admin_token = secrets.admin_token;
+ }
+ if secrets.metrics_token.is_some() {
+ config.admin.metrics_token = secrets.metrics_token;
+ }
+ config
+}
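Review bot: `fill_secrets` treats any `Some` as an override, so an environment variable that is set but empty (for example `GARAGE_ADMIN_TOKEN=` left in a service file) would, assuming structopt passes it through as `Some("")`, replace a token configured in the file with an empty string. How the admin and metrics endpoints treat an empty token is not visible here, so empty values should be ignored or rejected before assigning, e.g. `if let Some(t) = secrets.admin_token.filter(|t| !t.is_empty()) { config.admin.admin_token = Some(t); }`, and likewise for `rpc_secret` and `metrics_token`. The function also has no doc comment; `/// Overrides secrets read from the config file with values given on the command line or in the environment; values that are not given leave the config untouched.` would record the precedence. A log line naming which source supplied each secret, never the value, would help operators see which one is in effect.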
diff --git a/src/garage/repair/offline.rs b/src/garage/repair/offline.rs
index 25193e4a..f4edcf03 100644
--- a/src/garage/repair/offline.rs
+++ b/src/garage/repair/offline.rs
@@ -6,8 +6,13 @@ use garage_util::error::*;
use garage_model::garage::Garage;
use crate::cli::structs::*;
+use crate::{fill_secrets, Secrets};
-pub async fn offline_repair(config_file: PathBuf, opt: OfflineRepairOpt) -> Result<(), Error> {
+pub async fn offline_repair(
+ config_file: PathBuf,
+ secrets: Secrets,
+ opt: OfflineRepairOpt,
+) -> Result<(), Error> {
if !opt.yes {
return Err(Error::Message(
"Please add the --yes flag to launch repair operation".into(),
@@ -15,7 +20,7 @@ pub async fn offline_repair(config_file: PathBuf, opt: OfflineRepairOpt) -> Resu
}
info!("Loading configuration...");
- let config = read_config(config_file)?;
+ let config = fill_secrets(read_config(config_file)?, secrets);
info!("Initializing Garage main data store...");
let garage = Garage::new(config)?;
diff --git a/src/garage/server.rs b/src/garage/server.rs
index 16f1b625..958089c6 100644
--- a/src/garage/server.rs
+++ b/src/garage/server.rs
@@ -17,6 +17,7 @@ use garage_api::k2v::api_server::K2VApiServer;
use crate::admin::*;
#[cfg(feature = "telemetry-otlp")]
use crate::tracing_setup::*;
+use crate::{fill_secrets, Secrets};
async fn wait_from(mut chan: watch::Receiver<bool>) {
while !*chan.borrow() {
@@ -26,9 +27,9 @@ async fn wait_from(mut chan: watch::Receiver<bool>) {
}
}
-pub async fn run_server(config_file: PathBuf) -> Result<(), Error> {
+pub async fn run_server(config_file: PathBuf, secrets: Secrets) -> Result<(), Error> {
info!("Loading configuration...");
- let config = read_config(config_file)?;
+ let config = fill_secrets(read_config(config_file)?, secrets);
// ---- Initialize Garage internals ----