feat: read HCLOUD_TOKEN from file (#617)

This allows the `HCLOUD_TOKEN` to be read from a file. This can be useful if the token is injected using secret injection (e.g. with the vault agent injector).
hetznercloud · Jun 24, 2024 · 4e1cd9d · 4e1cd9d
1 parent 0af98a6
commit 4e1cd9d
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 3 deletions.
diff --git a/chart/templates/controller/deployment.yaml b/chart/templates/controller/deployment.yaml
@@ -152,6 +152,10 @@ spec:
                 fieldRef:
                   apiVersion: v1
                   fieldPath: spec.nodeName
+            {{- if .Values.controller.hcloudToken.file }}
+            - name: HCLOUD_TOKEN_FILE
+              value: {{ .Values.controller.hcloudToken.file | quote }}
+            {{- else }}
             - name: HCLOUD_TOKEN
               valueFrom:
                 secretKeyRef:
@@ -162,6 +166,7 @@ spec:
                   name: {{ .Values.controller.hcloudToken.existingSecret.name }}
                   key: {{ .Values.controller.hcloudToken.existingSecret.key }}
                   {{- end }}
+            {{- end }}
             {{- if .Values.controller.extraEnvVars }}
             {{- include "common.tplvalues.render" (dict "value" .Values.controller.extraEnvVars "context" $) | nindent 12 }}
             {{- end }}

diff --git a/chart/values.yaml b/chart/values.yaml
@@ -139,11 +139,13 @@ controller:
   replicaCount: 1
 
   ## @param controller.hcloudToken.value  Specifies the value for the hcloudToken. Creates a secret from that value. If you have already a hcloud token secret leave this empty.
+  ## @param controller.hcloudToken.file Specifies the file path for the hcloudToken. The file must be provided externally (e.g. via secret agent injection). If you want to use a Kubernetes secret, leave this empty.
   ## @param controller.hcloudToken.existingSecret.name Specifies the name of an existing Secret for the hcloud Token
   ## @param controller.hcloudToken.existingSecret.key Specifies the key of an existing Secret for the hcloud Token
   ##
   hcloudToken:
     value: ""
+    file: ""
     existingSecret:
       name: hcloud
       key: token

diff --git a/internal/app/app.go b/internal/app/app.go
@@ -101,9 +101,19 @@ func CreateMetrics(logger log.Logger) *metrics.Metrics {
 
 // CreateHcloudClient creates a hcloud.Client using  various environment variables to guide configuration
 func CreateHcloudClient(metricsRegistry *prometheus.Registry, logger log.Logger) (*hcloud.Client, error) {
-	apiToken := os.Getenv("HCLOUD_TOKEN")
-	if apiToken == "" {
-		return nil, errors.New("you need to provide an API token via the HCLOUD_TOKEN env var")
+	// apiToken can be set via HCLOUD_TOKEN or HCLOUD_TOKEN_FILE
+	// HCLOUD_TOKEN is preferred
+	apiToken, ok := os.LookupEnv("HCLOUD_TOKEN")
+	if !ok {
+		filepath, ok := os.LookupEnv("HCLOUD_TOKEN_FILE")
+		if !ok {
+			return nil, fmt.Errorf("you need to provide an API token via the HCLOUD_TOKEN or HCLOUD_TOKEN_FILE env var")
+		}
+		apiTokenBytes, err := os.ReadFile(filepath)
+		if err != nil {
+			return nil, fmt.Errorf("failed to read HCLOUD_TOKEN_FILE: %w", err)
+		}
+		apiToken = strings.TrimSpace(string(apiTokenBytes))
 	}
 
 	if len(apiToken) != 64 {