Don't expose API Keys on stdout

[sleeping-barber]

Hi,
I just saw the following line and it made me concern about security:

github-weather/main.go

Line 64 in 86166c0

if owmAPIKey == "" || githubAPIToken == "" {

Is it really a good idea to expose these values, a simple message that one of the needed keys wasn't provided or better mention the specific missing key would be IMHO a nice approach to the user.

What was the reason to expose this values?

Cheers!

[narqo]

I think with the current implementation logging isn't the only concern. The app accepts the keys via CLI flags. This is enough to leak the keys as they will be seen in ps output on the host.

A better approach would be to read the keys from a secrets file.

[sleeping-barber]

True. Looking at the manifest file, I already see that Secret resources are setup, maybe even a simple old-school os.GetEnv would be a first step.

Just out of interest, what of benefits do secret files give us?

Cheers!

[narqo]

Process's environment variables can be observed from the outside either by looking at /proc/<pid>/environ or with ps ae.

Reading the secrets from a secrets file allows restricting the access to the file with OS level permissions.

[narqo]

As commented in #6 this isn't 100% fixed yet. I'll address it later.