search

openziti / zrok

Geo-scale, next-generation peer-to-peer sharing platform built on top of OpenZiti.
https://zrok.io
Apache License 2.0
2.5k stars 98 forks source link

Additional zrok config Options #224

Open michaelquigley opened 1 year ago

michaelquigley commented 1 year ago

Incorporate additional zrok config options to allow additional personalization and customization of environment behaviors.

qrkourier commented 1 year ago

This issue sounds like it might encompass what I'm looking for in zrok: flexibility in defining controller and frontend configuration. For example, providing a function or env var that returns a secret value instead of hard-coding the plaintext secret in the config file. This mitigates a variety of attacks and enables graceful secret rotation, e.g. the admin token, the ziti admin pw.

This isn't a blocker to deployment because I can still templatize the config YAML files and re-declare their contents with a configuration management system like Helm or Ansible.

Use case example: let's say I like to keep my secrets in AWS Secrets Manager or Hashicorp Vault. If zrok allowed me to provide a function instead of the plaintext secret, then I could provide an executable function that returns the correct secret value. zrok would invoke the function whenever it needs to cache the secret in memory.

qrkourier commented 1 year ago

I'll leave this link in case it helps. I stumbled across Viper, a Go library for flexible configuration.

qrkourier commented 1 year ago

Is there any alternative to storing the admin secret and ziti mgmt password in the config file in 0.4?

qrkourier commented 1 year ago

My preference is to provide secrets to zrok as files, e.g.,

      influx:
          url:            http://influxdb.zrok.svc
          bucket:         zrok
          org:            zrok
          token_file:     /var/run/secrets/zrok.io/influxdb.admin-token