Skip to content

feat: supporting docker secrets#47

Merged
DeepSpace2 merged 2 commits into
masterfrom
feat-support-secrets
Jun 5, 2026
Merged

feat: supporting docker secrets#47
DeepSpace2 merged 2 commits into
masterfrom
feat-support-secrets

Conversation

@DeepSpace2

@DeepSpace2 DeepSpace2 commented Jun 3, 2026

Copy link
Copy Markdown
Owner

Summary by CodeRabbit

  • New Features

    • Added Docker Secrets support for supplying sensitive config values; env vars override secrets.
    • App now respects configured run interval for scheduled runs (zero = run once and exit).
  • Documentation

    • Updated configuration guide with Docker Secrets section, naming and precedence guidance, and notes on which variables can be supplied via secrets.
  • Validation

    • Configuration validation tightened; missing required credentials now reported at startup.
  • Tests

    • Added unit tests covering Docker Secrets and precedence.

@DeepSpace2 DeepSpace2 added the feature New feature label Jun 3, 2026
@coderabbitai

coderabbitai Bot commented Jun 3, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 4b1405c1-6f47-4079-8193-9e7b2c654954

📥 Commits

Reviewing files that changed from the base of the PR and between 9b8157d and e08e686.

📒 Files selected for processing (3)
  • main.go
  • pkg/config/config.go
  • pkg/config/config_test.go
💤 Files with no reviewable changes (1)
  • pkg/config/config_test.go
🚧 Files skipped from review as they are similar to previous changes (2)
  • main.go
  • pkg/config/config.go

📝 Walkthrough

Walkthrough

Adds Docker Secrets support: config.Get() reflectively reads secret files for fields tagged secret:"true", then parses env vars and validates config. Integrates changes into main and client initialization, updates tests for secret loading and precedence, and documents the new Docker Secrets usage.

Changes

Docker Secrets Configuration Implementation

Layer / File(s) Summary
Config loading and secrets infrastructure
pkg/config/config.go
Config struct fields for sensitive values are tagged with secret:"true". New Get() replaces GetEnvVars() and reflectively loads secrets from Docker secret files before parsing environment variables. getValueFromSecret() reads secret files with graceful missing-file handling. Validate() method extracted and updated to require NPM credentials unconditionally and Pi-hole/AdGuard Home credentials conditionally based on disabled flags.
Config tests for loading and validation
pkg/config/config_test.go
Existing environment-variable test rewritten to use new Get() path with test-driven environment setup. New test coverage added for Docker secret loading, secret/env precedence (env vars override), and validation failure scenarios. Reflection-based helpers iterate Config fields to create mock secret files for secret:"true" tagged fields.
Main function integration
main.go
Configuration loading switched from config.GetEnvVars() to config.Get() with error handling. Log level and runtime-interval logging now use the loaded config instance. Scheduled execution wiring updated to pass config.RunInterval.
Client initialization with config
pkg/clients/clients.go
GetClients parameter renamed from conf to config for consistency. Client creation for Pi-hole and AdGuard Home now conditionally occurs only when corresponding disabled flags are false. Docker hosts list initialization appends default host when empty.
Configuration documentation updates
docs/configuration.md
New "Docker Secrets" section describes secret file naming convention (must match environment variable names) and precedence (environment variables override Docker Secrets). Required variables table extended with Docker Secrets availability notes for AdGuard Home, Nginx Proxy Manager, and Pi-hole fields.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The PR title accurately describes the main feature: adding Docker Secrets support, which is reflected across all changed files including new configuration loading, validation, documentation, and comprehensive tests.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.


Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🧹 Nitpick comments (1)
pkg/config/config_test.go (1)

214-229: ⚡ Quick win

Add one positive assertion for host loading from secrets.

This test skips every *_HOST field by overriding them from env, so the suite never proves that host URLs actually load from Docker secrets even though that is part of the new contract.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/config/config_test.go` around lines 214 - 229, The test currently skips
host fields (envName "NGINX_PROXY_MANAGER_HOST" and "PIHOLE_HOST") so it never
verifies that host URL fields are loaded from secrets; update the loop in Test
(where cfgVal := reflect.ValueOf(config).Elem(), typ and field are used) to
include at least one positive assertion for a host field: when envName matches
one of the host keys, do not continue—compute expected :=
"secret-val-for-"+envName and assert.Equal(t, expected,
cfgVal.Field(i).String(), "Field %s was not loaded correctly from secret %s") so
the test proves host-loading from secrets (reference: cfgVal, typ, field.Tag,
envName, NGINX_PROXY_MANAGER_HOST, PIHOLE_HOST).
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@main.go`:
- Around line 26-29: The startup error message in the main function is too
specific for what config.Get() now does. Update the log.Error call in the
config.Get() error path to use a broader message that reflects loading and
validating configuration from all supported sources, while still keeping the
existing "error", err structured field.

In `@pkg/config/config_test.go`:
- Around line 15-18: The test TestGetConfig_EnvVars (and other tests calling
Get()) is not isolated from ambient .env files because Get() calls
godotenv.Load(); before calling Get() change the current working directory to an
empty temp dir (e.g., use t.TempDir() and os.Chdir) so godotenv.Load() can't
read a checked-in .env and then restore the cwd in a defer; update tests that
call unsetAllConfigEnvVars(), dockerSecretRootPath, or Get() to perform this cwd
switch to ensure missing-variable cases are deterministic.

In `@pkg/config/config.go`:
- Line 54: The code currently calls strings.TrimSpace on the secret file content
(variable content) which strips all leading/trailing whitespace; change it to
only strip line endings so significant spaces in secrets are preserved—for
example replace the strings.TrimSpace(string(content)) usage on the return line
with a call that only removes "\n" and "\r" (e.g. using strings.TrimRight with
"\r\n" or equivalent) so leading/trailing spaces remain intact while Docker
newline characters are removed.

---

Nitpick comments:
In `@pkg/config/config_test.go`:
- Around line 214-229: The test currently skips host fields (envName
"NGINX_PROXY_MANAGER_HOST" and "PIHOLE_HOST") so it never verifies that host URL
fields are loaded from secrets; update the loop in Test (where cfgVal :=
reflect.ValueOf(config).Elem(), typ and field are used) to include at least one
positive assertion for a host field: when envName matches one of the host keys,
do not continue—compute expected := "secret-val-for-"+envName and
assert.Equal(t, expected, cfgVal.Field(i).String(), "Field %s was not loaded
correctly from secret %s") so the test proves host-loading from secrets
(reference: cfgVal, typ, field.Tag, envName, NGINX_PROXY_MANAGER_HOST,
PIHOLE_HOST).
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 4d4582aa-6af4-448a-bb02-a45f4fe99997

📥 Commits

Reviewing files that changed from the base of the PR and between 4553303 and 9b8157d.

📒 Files selected for processing (5)
  • docs/configuration.md
  • main.go
  • pkg/clients/clients.go
  • pkg/config/config.go
  • pkg/config/config_test.go

Comment thread main.go
Comment thread pkg/config/config_test.go
Comment thread pkg/config/config.go Outdated
@DeepSpace2 DeepSpace2 merged commit 7c93334 into master Jun 5, 2026
8 checks passed
@DeepSpace2 DeepSpace2 deleted the feat-support-secrets branch June 5, 2026 12:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

feature New feature

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant