Merge pull request #118 from mvadu/add-secret-support

add support for reading mqtt password from file
hikhvar · Jan 30, 2023 · ed0c8bd · ed0c8bd
2 parents db6213e + 76aaeff
commit ed0c8bd
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 4 deletions.
diff --git a/Readme.md b/Readme.md
@@ -129,6 +129,8 @@ Usage of ./mqtt2prometheus:
         show the builds version, date and commit
   -web-config-file string
         [EXPERIMENTAL] Path to configuration file that can enable TLS or authentication for metric scraping.
+  -treat-mqtt-password-as-file-name bool (default: false)
+        treat MQTT2PROM_MQTT_PASSWORD environment variable as a secret file path e.g. /var/run/secrets/mqtt-credential. Useful when docker secret or external credential management agents handle the secret file. 
 ```
 The logging is implemented via [zap](https://github.com/uber-go/zap). The logs are printed to `stderr` and valid log levels are
 those supported by zap.  
@@ -267,6 +269,26 @@ Then load that file into the environment before starting the container:
   ghcr.io/hikhvar/mqtt2prometheus:latest
 ```
 
+#### Example use with Docker secret (in swarm)
+
+Create a docker secret to store the password(`mqtt-credential` in the example below), and pass the optional `treat-mqtt-password-as-file-name` command line argument.
+```docker
+  mqtt_exporter_tasmota:
+    image: ghcr.io/hikhvar/mqtt2prometheus:latest 
+    secrets:
+      - mqtt-credential 
+    environment:
+      - MQTT2PROM_MQTT_USER=mqtt
+      - MQTT2PROM_MQTT_PASSWORD=/var/run/secrets/mqtt-credential
+    entrypoint:
+      - /mqtt2prometheus
+      - -log-level=debug
+      - -treat-mqtt-password-as-file-name=true
+    volumes:
+        - config-tasmota.yml:/config.yaml:ro
+```
+
+
 
 ## Frequently Asked Questions
 

diff --git a/cmd/mqtt2prometheus.go b/cmd/mqtt2prometheus.go
@@ -64,6 +64,11 @@ var (
 		"",
 		"[EXPERIMENTAL] Path to configuration file that can enable TLS or authentication for metric scraping.",
 	)
+	usePasswordFromFile = flag.Bool(
+		"treat-mqtt-password-as-file-name",
+		false,
+		"treat MQTT2PROM_MQTT_PASSWORD as a secret file path e.g. /var/run/secrets/mqtt-credential",
+	)
 )
 
 func main() {
@@ -81,13 +86,24 @@ func main() {
 	}
 
 	mqtt_user := os.Getenv("MQTT2PROM_MQTT_USER")
-	mqtt_password := os.Getenv("MQTT2PROM_MQTT_PASSWORD")
-
 	if mqtt_user != "" {
 		cfg.MQTT.User = mqtt_user
 	}
-	if mqtt_password != "" {
-		cfg.MQTT.Password = mqtt_password
+
+	mqtt_password := os.Getenv("MQTT2PROM_MQTT_PASSWORD")
+	if *usePasswordFromFile {
+		if mqtt_password == "" {
+			logger.Fatal("MQTT2PROM_MQTT_PASSWORD is required")
+		}
+		secret, err := ioutil.ReadFile(mqtt_password)
+		if err != nil {
+			logger.Fatal("unable to read mqtt password from secret file", zap.Error(err))
+		}
+		cfg.MQTT.Password = string(secret)
+	} else {
+		if mqtt_password != "" {
+			cfg.MQTT.Password = mqtt_password
+		}
 	}
 
 	mqttClientOptions := mqtt.NewClientOptions()