[Feature Request] enable docker secrets: Using files to provide credentials for basic mqtt authentication #64

Open
mikedolx opened this issue Jun 6, 2023 · 3 comments
Labels
enhancement New feature or request good first issue Good for newcomers

Comments

@mikedolx

mikedolx commented Jun 6, 2023

Hi,

I have a simple feature request: I would like to use files in the mqtt-exporter auth configuration, to be able to use mechanisms like docker secrets.

Here is an example mqtt-exporter.yml:

mqtt:
  host: my-broker.com
  port: 1883
  auth:
    username: /path/to/myusernamefile
    password: /path/to/mypassword

As I already have the code checked out in my workspace due to another issue 🙄, I'd be able to make the change myself and push a PR to this repo.

Thanks and BR,
Michael

@fhemberger
Owner

Hi Michael, sounds like a great idea! To make it easier to distinguish between a password and a password file, please name the auth parameter password_file. (Not sure if we need docker secret handling for the username. @poggenpower What do you think?)

@poggenpower
Collaborator

Hi,

Sorry, this will be a lengthy answer and may raise more questions than it answers.

I don't like the idea of introducing new config keys like 'password_file'. Then I would prefer a merge of several files.
If we talk about reading config from different files, a generic approach could be attractive for several reasons.
E.g. my config is already pretty lengthy and splitting it up would make it more manageable.
And the question if only the pw or pw and user name is coming from an extra file is also possible.
The yamlreader mqtt_exporter is already able to merge several yaml files.
BUT: While verifying this I found out that this package is not maintained anymore, so we should not develop new features based on it.

Coming from a Cloud Native/Kubernetes background, environment variables are typically used to inject secrets at runtime.
Even the "docker secrets" that @mikedolx has posted is setting environment variables. (To be honest, even k8s is able to create files from a secret, which means @mikedolx's approach is not a no-go; I simply prefer ENV vars, because they don't persist on disks and almost every vault in this space is able to manage them.)

A "Quick Hack" would be to allow setting/overwriting the password (and username) explicitly. Thinking a little bit bigger, allowing all mqtt connection settings to be set/overwritten via ENV vars would help e.g. to spin up a test/dev exporter without touching the config.
A very generic approach would be to allow everything to be overwritten/set by an ENV var. Then switching to an existing solution like https://confuse.readthedocs.io/en/latest/usage.html could be worth evaluating.

Implementation details for ENV vars: I would suggest going for something like
MQTT__AUTH__USERNAME=myuser overwriting the part from the config. I would not go and allow ENV vars to be replaced in the yaml file. Don't do:

mqtt:
  auth:
   username: $USERNAME

To your original question @fhemberger.
Password would be sufficient. If more parameters, then the whole MQTT connection config should be able to be set/overwritten.

Just my little more than 2 ct ;-)
Thomas

@fhemberger
Owner

I'll happily accept a PR for password file support.

@fhemberger fhemberger added enhancement New feature or request good first issue Good for newcomers labels Sep 11, 2023
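
Added example (not code from mqtt_exporter or from any participant in this thread) showing how the two proposals discussed above could coexist: a `password_file` key for mounted secrets and `MQTT__SECTION__KEY` environment overrides applied on top of the parsed YAML. The function names, the fail-closed handling when both `password` and `password_file` end up set, and the stripping of the trailing newline are assumptions.

```python
import copy
import os
from pathlib import Path

ENV_PREFIX = "MQTT__"  # assumed from the MQTT__AUTH__USERNAME suggestion in the thread


def apply_env_overrides(config, environ):
    """Return a copy of config with MQTT__A__B=value overlaid as config['mqtt']['a']['b']."""
    merged = copy.deepcopy(config)
    for name, value in environ.items():
        if not name.startswith(ENV_PREFIX):
            continue
        *parents, leaf = name.lower().split("__")
        node = merged
        for part in parents:
            child = node.get(part)
            if not isinstance(child, dict):
                child = node[part] = {}
            node = child
        node[leaf] = value  # values arrive as strings; callers cast port etc.
    return merged


def read_secret_file(path):
    """Read a mounted secret (e.g. under /run/secrets); the value never appears in errors."""
    p = Path(path)
    if not p.is_file():
        raise ValueError(f"password_file {path!r} is not a readable regular file")
    secret = p.read_text(encoding="utf-8").rstrip("\r\n")  # editors and echo append a newline
    if not secret:
        raise ValueError(f"password_file {path!r} is empty")
    return secret


def resolve_auth(config, environ=os.environ):
    """Return (username, password) after env overrides and password_file lookup."""
    mqtt = apply_env_overrides(config, environ).get("mqtt") or {}
    auth = mqtt.get("auth") or {}
    if "password" in auth and "password_file" in auth:
        # Fail closed instead of guessing which source the operator meant.
        raise ValueError("set only one of mqtt.auth.password and mqtt.auth.password_file")
    if "password_file" in auth:
        return auth.get("username"), read_secret_file(auth["password_file"])
    return auth.get("username"), auth.get("password")
```

Only the file path, never the secret itself, appears in the raised errors, so a misconfiguration can be logged without leaking the credential.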