Add environment variable support to header_injection auth #2574
+230
−14
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Adds header_value_env field to header_injection authentication strategy,
enabling secrets to be resolved from environment variables at config load
time instead of hardcoded in YAML files.
Changes:
- Add header_value_env field to rawHeaderInjectionAuth struct
- Implement validation: exactly one of header_value or header_value_env required
- Update token_exchange and service_account to use env.Reader consistently
- Add 6 comprehensive test cases covering all edge cases
- Update documentation and examples to show both usage patterns
This follows the same pattern as token_exchange (client_secret_env) and
service_account (credentials_env) strategies. Environment variables are
resolved at config load time with fail-fast validation.
Backward compatible: existing header_value (literal) configurations
continue to work unchanged.
Example usage:
outgoing_auth:
backends:
github:
type: header_injection
header_injection:
header_name: "Authorization"
header_value_env: "GITHUB_API_TOKEN"
Fixes: #2573
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #2574 +/- ##
==========================================
+ Coverage 55.00% 55.06% +0.05%
==========================================
Files 306 306
Lines 28978 28989 +11
==========================================
+ Hits 15940 15962 +22
+ Misses 11629 11611 -18
- Partials 1409 1416 +7 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
JAORMX
approved these changes
Nov 13, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Adds header_value_env field to header_injection authentication strategy, enabling secrets to be resolved from environment variables at config load time instead of hardcoded in YAML files.
Changes:
This follows the same pattern as token_exchange (client_secret_env) and service_account (credentials_env) strategies. Environment variables are resolved at config load time with fail-fast validation.
Backward compatible: existing header_value (literal) configurations continue to work unchanged.
Example usage:
outgoing_auth:
backends:
github:
type: header_injection
header_injection:
header_name: "Authorization"
header_value_env: "GITHUB_API_TOKEN"
Fixes: #2573