From 656b8d42de2fc945c988094418c90d29d000be32 Mon Sep 17 00:00:00 2001 From: Alex Auvolat Date: Fri, 3 Feb 2023 15:27:39 +0100 Subject: secrets can be passed directly in config, as file, or as env --- doc/book/reference-manual/configuration.md | 40 ++++++++++++++++++------------ 1 file changed, 24 insertions(+), 16 deletions(-) (limited to 'doc/book/reference-manual') diff --git a/doc/book/reference-manual/configuration.md b/doc/book/reference-manual/configuration.md index 7a829836..b72c43a3 100644 --- a/doc/book/reference-manual/configuration.md +++ b/doc/book/reference-manual/configuration.md @@ -3,6 +3,8 @@ title = "Configuration file format" weight = 20 +++ +## Full example + Here is an example `garage.toml` configuration file that illustrates all of the possible options: ```toml 
@@ -259,17 +261,17 @@ Compression is done synchronously, setting a value too high will add latency to This value can be different between nodes, compression is done by the node which receive the API call. -### `rpc_secret` - -Garage uses a secret key that is shared between all nodes of the cluster -in order to identify these nodes and allow them to communicate together. -This key should be specified here in the form of a 32-byte hex-encoded -random string. Such a string can be generated with a command -such as `openssl rand -hex 32`. +### `rpc_secret`, `rpc_secret_file` or `GARAGE_RPC_SECRET` (env) -### `rpc_secret_file` +Garage uses a secret key, called an RPC secret, that is shared between all +nodes of the cluster in order to identify these nodes and allow them to +communicate together. The RPC secret is a 32-byte hex-encoded random string, +which can be generated with a command such as `openssl rand -hex 32`. -Like `rpc_secret` above, just that this is the path to a file that Garage will try to read the secret from. +The RPC secret should be specified in the `rpc_secret` configuration variable. +Since Garage v0.8.2, the RPC secret can also be stored in a file whose path is +given in the configuration variable `rpc_secret_file`, or specified as an +environment variable `GARAGE_RPC_SECRET`. ### `rpc_bind_addr` 
@@ -411,22 +413,28 @@ If specified, Garage will bind an HTTP server to this port and address, on which it will listen to requests for administration features. See [administration API reference](@/documentation/reference-manual/admin-api.md) to learn more about these features. -### `metrics_token` (since version 0.7.2) +### `metrics_token`, `metrics_token_file` or `GARAGE_METRICS_TOKEN` (env) -The token for accessing the Metrics endpoint. If this token is not set in -the config file, the Metrics endpoint can be accessed without access -control. +The token for accessing the Metrics endpoint. If this token is not set, the +Metrics endpoint can be accessed without access control. You can use any random string for this value. We recommend generating a random token with `openssl rand -hex 32`. -### `admin_token` (since version 0.7.2) +`metrics_token` was introduced in Garage version 0.7.2. +`metrics_token_file` and the `GARAGE_METRICS_TOKEN` environment variable are supported since Garage version 0.8.2. + + +### `admin_token`, `admin_token_file` or `GARAGE_ADMIN_TOKEN` (env) The token for accessing all of the other administration endpoints. If this -token is not set in the config file, access to these endpoints is disabled -entirely. +token is not set, access to these endpoints is disabled entirely. You can use any random string for this value. We recommend generating a random token with `openssl rand -hex 32`. +`admin_token` was introduced in Garage version 0.7.2. +`admin_token_file` and the `GARAGE_ADMIN_TOKEN` environment variable are supported since Garage version 0.8.2. + + ### `trace_sink` Optionally, the address of an OpenTelemetry collector. If specified, -- cgit v1.2.3
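Review bot: in the `rpc_secret` hunk (`@@ -259,17 +261,17 @@`), the new paragraph does not say what happens when more than one of `rpc_secret`, `rpc_secret_file` and `GARAGE_RPC_SECRET` is set; document the precedence, or that it is a startup error, so an operator who rotates the secret via the env var cannot silently keep running on a stale value still present in `garage.toml`. Two smaller points on the same hunk: "The RPC secret is a 32-byte hex-encoded random string" is ambiguous, since 32 bytes hex-encoded is a 64-character string (which is what `openssl rand -hex 32` prints), so "32 random bytes, hex-encoded (64 characters)" would be clearer; and since `rpc_secret_file` is now introduced here, say whether surrounding whitespace is trimmed when the file is read (a trailing newline from `openssl rand -hex 32 > file` would otherwise either fail to decode or yield a different key on different nodes) and that the file should be readable only by the user Garage runs as. Note also that renaming the heading from `### rpc_secret` to `### rpc_secret, rpc_secret_file or GARAGE_RPC_SECRET (env)` changes its anchor, so existing links to the old section break.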
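Review bot: in the `metrics_token`/`admin_token` hunk (`@@ -411,22 +413,28 @@`), "If this token is not set" now covers three sources but does not say whether an empty `metrics_token_file` or an empty `GARAGE_METRICS_TOKEN` counts as "not set"; for `metrics_token` that distinction matters, because an empty value that is treated as unset silently leaves the Metrics endpoint without access control, so state explicitly how empty and whitespace-only values are handled and which source wins when several are given (the same question as for `rpc_secret`). The two headings `### metrics_token (since version 0.7.2)` and `### admin_token (since version 0.7.2)` are renamed to list all three sources, which changes their anchors and breaks existing deep links. Style: the hunk leaves two blank lines before `### admin_token, admin_token_file or GARAGE_ADMIN_TOKEN (env)` and before `### trace_sink`, where the surrounding file uses one.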