fresh-borzoni opened a new issue, #3659:
URL: https://github.com/apache/fluss/issues/3659

   ### Search before asking
   
   - [x] I searched in the [issues](https://github.com/apache/fluss/issues) and 
found nothing similar.
   
   
   ### Description
   
   Secrets in server.yaml (catalog OAuth creds, SASL passwords, object-store 
keys) can only be written as literals today. One secret makes the whole file 
sensitive: it can't be checked in or shipped as a plain K8s ConfigMap, and 
deployments end up rendering the entire config through init containers 
(envsubst) just to inject a single value.
   
   Kafka-style config providers looks nice here. A value can be an indirection 
marker resolved at load time:
   ```
   config.providers: directory
   config.providers.directory.param.allowed.paths: /etc/fluss/secrets
   datalake.paimon.oauth.token: ${directory:/etc/fluss/secrets:oauth-token}
   ```
   
   - ConfigProvider SPI + built-ins: directory (mounted K8s Secret volume), env 
(secretKeyRef), file (properties)
   - opt-in via config.providers, fail-fast on unknown providers/markers, 
mandatory allowed.paths guard for file-reading providers
   
   ### Willingness to contribute
   
   - [x] I'm willing to submit a PR!


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to