Add fields to load sensitive values from file (#7)

internal/app/job.go

@@ -5,9 +5,9 @@ import (
 	"time"
 
 	"github.com/crazy-max/diun/internal/model"
-	"github.com/crazy-max/diun/internal/utl"
 	"github.com/crazy-max/diun/pkg/docker"
 	"github.com/crazy-max/diun/pkg/docker/registry"
+	"github.com/crazy-max/diun/pkg/utl"
 	"github.com/rs/zerolog/log"
 )
 
@@ -23,11 +23,20 @@ func (di *Diun) createJob(job model.Job) {
 		sublog.Warn().Err(err).Msg("Registry options")
 	}
 
+	regUser, err := utl.GetSecret(regOpts.Username, regOpts.UsernameFile)
+	if err != nil {
+		log.Warn().Err(err).Msgf("Cannot retrieve username secret for regopts %s", job.Image.RegOptsID)
+	}
+	regPassword, err := utl.GetSecret(regOpts.Password, regOpts.PasswordFile)
+	if err != nil {
+		log.Warn().Err(err).Msgf("Cannot retrieve password secret for regopts %s", job.Image.RegOptsID)
+	}
+
 	job.Registry, err = docker.NewRegistryClient(docker.RegistryOptions{
 		Os:          job.Image.Os,
 		Arch:        job.Image.Arch,
-		Username:    regOpts.Username,
-		Password:    regOpts.Password,
+		Username:    regUser,
+		Password:    regPassword,
 		Timeout:     time.Duration(regOpts.Timeout) * time.Second,
 		InsecureTLS: regOpts.InsecureTLS,
 	})

internal/config/config.go

@@ -11,7 +11,7 @@ import (
 	"regexp"
 
 	"github.com/crazy-max/diun/internal/model"
-	"github.com/crazy-max/diun/internal/utl"
+	"github.com/crazy-max/diun/pkg/utl"
 	"github.com/imdario/mergo"
 	"github.com/rs/zerolog/log"
 	"gopkg.in/yaml.v2"
@@ -63,7 +63,8 @@ func Load(flags model.Flags, version string) (*Config, error) {
 			},
 		},
 		Providers: model.Providers{
-			Image: []model.PrdImage{},
+			Docker: []model.PrdDocker{},
+			Image:  []model.PrdImage{},
 		},
 	}
 

internal/config/config.test.yml

@@ -13,7 +13,9 @@ notif:
     ssl: false
     insecure_skip_verify: false
     username:
+    username_file:
     password:
+    password_file:
     from:
     to:
   webhook:
@@ -31,6 +33,9 @@ regopts:
   bintrayoptions:
     username: foo
     password: bar
+  sensitive:
+    username_file: /run/secrets/username
+    password_file: /run/secrets/password
 
 providers:
   docker:

internal/config/config_test.go

@@ -78,6 +78,10 @@ func TestLoad(t *testing.T) {
 						Username: "foo",
 						Password: "bar",
 					},
+					"sensitive": {
+						UsernameFile: "/run/secrets/username",
+						PasswordFile: "/run/secrets/password",
+					},
 				},
 				Providers: model.Providers{
 					Docker: []model.PrdDocker{

internal/model/mail.go

@@ -8,7 +8,9 @@ type Mail struct {
 	SSL                bool   `yaml:"ssl,omitempty"`
 	InsecureSkipVerify bool   `yaml:"insecure_skip_verify,omitempty"`
 	Username           string `yaml:"username,omitempty"`
+	UsernameFile       string `yaml:"username_file,omitempty"`
 	Password           string `yaml:"password,omitempty"`
+	PasswordFile       string `yaml:"password_file,omitempty"`
 	From               string `yaml:"from,omitempty"`
 	To                 string `yaml:"to,omitempty"`
 }

internal/model/regopts.go

@@ -2,8 +2,10 @@ package model
 
 // RegOpts holds registry options configuration
 type RegOpts struct {
-	Username    string `yaml:"username,omitempty" json:",omitempty"`
-	Password    string `yaml:"password,omitempty" json:",omitempty"`
-	InsecureTLS bool   `yaml:"insecure_tls,omitempty" json:",omitempty"`
-	Timeout     int    `yaml:"timeout,omitempty" json:",omitempty"`
+	Username     string `yaml:"username,omitempty" json:",omitempty"`
+	UsernameFile string `yaml:"username_file,omitempty" json:",omitempty"`
+	Password     string `yaml:"password,omitempty" json:",omitempty"`
+	PasswordFile string `yaml:"password_file,omitempty" json:",omitempty"`
+	InsecureTLS  bool   `yaml:"insecure_tls,omitempty" json:",omitempty"`
+	Timeout      int    `yaml:"timeout,omitempty" json:",omitempty"`
 }

internal/notif/mail/client.go

@@ -9,8 +9,10 @@ import (
 
 	"github.com/crazy-max/diun/internal/model"
 	"github.com/crazy-max/diun/internal/notif/notifier"
+	"github.com/crazy-max/diun/pkg/utl"
 	"github.com/go-gomail/gomail"
 	"github.com/matcornic/hermes/v2"
+	"github.com/rs/zerolog/log"
 )
 
 // Client represents an active mail notification object
@@ -105,11 +107,20 @@ Need help, or have questions? Go to https://github.com/crazy-max/diun and leave
 		}
 	}
 
+	username, err := utl.GetSecret(c.cfg.Username, c.cfg.UsernameFile)
+	if err != nil {
+		log.Warn().Err(err).Msg("Cannot retrieve username secret for mail notifier")
+	}
+	password, err := utl.GetSecret(c.cfg.Password, c.cfg.PasswordFile)
+	if err != nil {
+		log.Warn().Err(err).Msg("Cannot retrieve password secret for mail notifier")
+	}
+
 	dialer := &gomail.Dialer{
 		Host:      c.cfg.Host,
 		Port:      c.cfg.Port,
-		Username:  c.cfg.Username,
-		Password:  c.cfg.Password,
+		Username:  username,
+		Password:  password,
 		SSL:       c.cfg.SSL,
 		TLSConfig: tlsConfig,
 	}

pkg/docker/tags.go

@@ -2,8 +2,8 @@ package docker
 
 import (
 	"github.com/containers/image/docker"
-	"github.com/crazy-max/diun/internal/utl"
 	"github.com/crazy-max/diun/pkg/docker/registry"
+	"github.com/crazy-max/diun/pkg/utl"
 )
 
 type Tags struct {

pkg/utl/utl.go

@@ -1,6 +1,7 @@
 package utl
 
 import (
+	"io/ioutil"
 	"os"
 	"regexp"
 )
@@ -51,3 +52,17 @@ func GetEnv(key, fallback string) string {
 	}
 	return fallback
 }
+
+// GetSecret retrieves secret's value from plaintext or filename if defined
+func GetSecret(plaintext, filename string) (string, error) {
+	if plaintext != "" {
+		return plaintext, nil
+	} else if filename != "" {
+		b, err := ioutil.ReadFile(filename)
+		if err != nil {
+			return "", err
+		}
+		return string(b), nil
+	}
+	return "", nil
+}