diff --git a/clients/go/admin/config.go b/clients/go/admin/config.go
index 511f94bf69..7da739a870 100644
--- a/clients/go/admin/config.go
+++ b/clients/go/admin/config.go
@@ -49,6 +49,7 @@ type Config struct {
 DeprecatedUseAuth bool `json:"useAuth" pflag:",Deprecated: Auth will be enabled/disabled based on admin's dynamically discovered information."`
 ClientID string `json:"clientId" pflag:",Client ID"`
 ClientSecretLocation string `json:"clientSecretLocation" pflag:",File containing the client secret"`
+ ClientSecretEnvVar string `json:"clientSecretEnvVar" pflag:",Environment variable containing the client secret"`
 Scopes []string `json:"scopes" pflag:",List of scopes to request"`
 // There are two ways to get the token URL. If the authorization server url is provided, the client will try to use RFC 8414 to
diff --git a/clients/go/admin/config_flags.go b/clients/go/admin/config_flags.go
index accf3e4017..173105e99e 100755
--- a/clients/go/admin/config_flags.go
+++ b/clients/go/admin/config_flags.go
@@ -62,6 +62,7 @@ func (cfg Config) GetPFlagSet(prefix string) *pflag.FlagSet {
 cmdFlags.Bool(fmt.Sprintf("%v%v", prefix, "useAuth"), defaultConfig.DeprecatedUseAuth, "Deprecated: Auth will be enabled/disabled based on admin's dynamically discovered information.")
 cmdFlags.String(fmt.Sprintf("%v%v", prefix, "clientId"), defaultConfig.ClientID, "Client ID")
 cmdFlags.String(fmt.Sprintf("%v%v", prefix, "clientSecretLocation"), defaultConfig.ClientSecretLocation, "File containing the client secret")
+ cmdFlags.String(fmt.Sprintf("%v%v", prefix, "clientSecretEnvVar"), defaultConfig.ClientSecretEnvVar, "Environment variable containing the client secret")
 cmdFlags.StringSlice(fmt.Sprintf("%v%v", prefix, "scopes"), defaultConfig.Scopes, "List of scopes to request")
 cmdFlags.String(fmt.Sprintf("%v%v", prefix, "authorizationServerUrl"), defaultConfig.DeprecatedAuthorizationServerURL, "This is the URL to your IdP's authorization server. It'll default to Endpoint")
 cmdFlags.String(fmt.Sprintf("%v%v", prefix, "tokenUrl"), defaultConfig.TokenURL, "OPTIONAL: Your IdP's token endpoint. It'll be discovered from flyte admin's OAuth Metadata endpoint if not provided.")
diff --git a/clients/go/admin/config_flags_test.go b/clients/go/admin/config_flags_test.go
index a36c52d112..682886986a 100755
--- a/clients/go/admin/config_flags_test.go
+++ b/clients/go/admin/config_flags_test.go
@@ -267,6 +267,20 @@ func TestConfig_SetFlags(t *testing.T) {
 }
 })
 })
+ t.Run("Test_clientSecretEnvVar", func(t *testing.T) {
+
+ t.Run("Override", func(t *testing.T) {
+ testValue := "1"
+
+ cmdFlags.Set("clientSecretEnvVar", testValue)
+ if vString, err := cmdFlags.GetString("clientSecretEnvVar"); err == nil {
+ testDecodeJson_Config(t, fmt.Sprintf("%v", vString), &actual.ClientSecretEnvVar)
+
+ } else {
+ assert.FailNow(t, err.Error())
+ }
+ })
+ })
 t.Run("Test_scopes", func(t *testing.T) {
 t.Run("Override", func(t *testing.T) {
diff --git a/clients/go/admin/token_source_provider.go b/clients/go/admin/token_source_provider.go
index aab1f0948b..fd669e3f27 100644
--- a/clients/go/admin/token_source_provider.go
+++ b/clients/go/admin/token_source_provider.go
@@ -4,6 +4,7 @@ import (
 "context"
 "fmt"
 "io/ioutil"
+ "os"
 "strings"
 "sync"
 "time"
@@ -134,14 +135,19 @@ type ClientCredentialsTokenSourceProvider struct {
 func NewClientCredentialsTokenSourceProvider(ctx context.Context, cfg *Config, clientMetadata *service.PublicClientAuthConfigResponse, tokenURL string) (TokenSourceProvider, error) {
-
- secretBytes, err := ioutil.ReadFile(cfg.ClientSecretLocation)
- if err != nil {
- logger.Errorf(ctx, "Error reading secret from location %s", cfg.ClientSecretLocation)
- return nil, err
+ var secret string
+ if len(cfg.ClientSecretLocation) > 0 {
+ secretBytes, err := ioutil.ReadFile(cfg.ClientSecretLocation)
+ if err != nil {
+ logger.Errorf(ctx, "Error reading secret from location %s", cfg.ClientSecretLocation)
+ return nil, err
+ }
+ secret = string(secretBytes)
+ } else if len(cfg.ClientSecretEnvVar) > 0 {
+ secret = os.Getenv(cfg.ClientSecretEnvVar)
 }
+ secret = strings.TrimSpace(secret)
- secret := strings.TrimSpace(string(secretBytes))
 scopes := cfg.Scopes
 if len(scopes) == 0 {
 scopes = clientMetadata.Scopes
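Review bot: An empty client secret is now accepted silently in NewClientCredentialsTokenSourceProvider: when neither `ClientSecretLocation` nor `ClientSecretEnvVar` is set, or the named variable is unset, `secret` stays `""` and no error is returned, whereas the old code returned the `ioutil.ReadFile` error for an unset location. Add a guard right after the trim, `if len(secret) == 0 { return nil, fmt.Errorf("client secret is empty: set clientSecretLocation or clientSecretEnvVar") }`, and consider `os.LookupEnv` so an unset variable can be reported by name (the name only, never the value). The file location also wins silently when both options are set; a comment above the `if` such as `// ClientSecretLocation takes precedence over ClientSecretEnvVar.` would record that. The function body continues past the end of the hunk, so how the empty secret is used downstream is not visible here.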