Fix configuration with env vars #280
Conversation
| @@ -86,35 +86,9 @@ const ( | |||
| ViperKeyAuthenticatorUnauthorizedIsEnabled = "authenticators.unauthorized.enabled" | |||
| ) | |||
|
|
|||
| func BindEnvs() { | |||
| if err := viper.BindEnv( | |||
| ViperKeyProxyReadTimeout, | |||
There was a problem hiding this comment.
Removing these will have a detrimental effect. Viper does not automatically check environment variables. You have to bind them explicitly.
There was a problem hiding this comment.
Viper does not automatically check environment variables. You have to bind them explicitly.
Why not? It indeed loads envs automatically: https://github.com/spf13/viper/blob/master/viper.go#L1039
In hydra, everything works fine without any explicit bindings.
There was a problem hiding this comment.
Your analysis is unfortunately incorrect. In Hydra, we do not (yet) use JSON Schema to validate the config. However, validating against the Config JSON Schema requires all keys to be loaded. That's just the way Viper works (it is quirky).
There was a problem hiding this comment.
Sorry, I do not understand how we suppose to explicitly bind all keys, since most of them were recently removed for example in #258 . How do envs like AUTHENTICATORS_OAUTH2_INTROSPECTION_CONFIG_PRE_AUTHORIZATION_CLIENT_ID suppose to work?
(also related to the comment below about tests)
There was a problem hiding this comment.
While the keys have been removed as constants (because we don't explicitly need them any more - except for BindEnvs()) they are still being loaded using viper.Get(). However, I think it would be better to add a patch to our fork to automatically bind all envs when doing AutomaticEnv() instead of doing both AutomaticEnv() as well as BindEnv(). This is a known (and unsolved issue) in viper that has lead to some frustration (me included): spf13/viper#761 (and all linked issues).
Then, we can throw away BindEnvs() which - to be honest - sucks anyways.
There was a problem hiding this comment.
This however would need some thinking as _ can both be . as well as _. So we'd end up with a lot of keys when "autom-mounting" all environment keys. For example env var FOO_BAR could both be foo_bar as well as foo.bar. That would in turn cause issues when we set additionalProperties: false in the JSON Config Schema - which is not great because with that property set people would immediately find any typos they're doing. Maybe by defining some "categories" that always replace _ with . would be the way to go. Not sure yet, needs some thinking.
There was a problem hiding this comment.
Actually, I just found my original issue which touched this topic in 2016 :D spf13/viper#212
There was a problem hiding this comment.
Oh, I see, things getting complicated, combining viper behaviour and the introduction of json schemas.
If you come up with the idea how should we solve it, let me know.
I've pushed changes that make env vars work for defined keys (e.g. SERVE_PROXY_PORT), but envs like AUTHENTICATORS_OAUTH2_INTROSPECTION_CONFIG_PRE_AUTHORIZATION_CLIENT_ID still do not work. If you feel like we don't need this intermediary improvement, feel free to close this MR.
hypnoglow
force-pushed
the
fix-config-env
branch
from
d1968c3
to
03d7af1
Compare
|
@aeneasr Looks like a nice solution to the problem! Thanks |
Related issue
Proposed changes
Currently env vars do not work for any configuration property. One reason is because BindEnv is never called. The other thing that actually the usage of BindEnv is incorrect: this function DOES NOT accept multiple keys (see source for details). Even if BindEnv would be used correctly, it will not resolve env vars like
SERVE_PROXY_PORTbecause it does not replaces dots with underscores.This MR provides the same way of loading env vars as in hydra.
Checklist
vulnerability. If this pull request addresses a security vulnerability, I
confirm that I got green light (please contact
security@ory.sh) from the maintainers to push
the changes.
developer guide (if appropriate)