Open michaelquigley opened 1 year ago
This issue sounds like it might encompass what I'm looking for in zrok: flexibility in defining controller and frontend configuration. For example, providing a function or env var that returns a secret value instead of hard-coding the plaintext secret in the config file. This mitigates a variety of attacks and enables graceful secret rotation, e.g. the admin token, the ziti admin pw.
This isn't a blocker to deployment because I can still templatize the config YAML files and re-declare their contents with a configuration management system like Helm or Ansible.
Use case example: let's say I like to keep my secrets in AWS Secrets Manager or Hashicorp Vault. If zrok allowed me to provide a function instead of the plaintext secret, then I could provide an executable function that returns the correct secret value. zrok would invoke the function whenever it needs to cache the secret in memory.
I'll leave this link in case it helps. I stumbled across Viper, a Go library for flexible configuration.
Is there any alternative to storing the admin secret and ziti mgmt password in the config file in 0.4?
My preference is to provide secrets to zrok as files, e.g.,
influx:
url: http://influxdb.zrok.svc
bucket: zrok
org: zrok
token_file: /var/run/secrets/zrok.io/influxdb.admin-token
Incorporate additional
zrok config
options to allow additional personalization and customization of environment behaviors.