fresh-borzoni opened a new issue, #3659: URL: https://github.com/apache/fluss/issues/3659
### Search before asking - [x] I searched in the [issues](https://github.com/apache/fluss/issues) and found nothing similar. ### Description Secrets in server.yaml (catalog OAuth creds, SASL passwords, object-store keys) can only be written as literals today. One secret makes the whole file sensitive: it can't be checked in or shipped as a plain K8s ConfigMap, and deployments end up rendering the entire config through init containers (envsubst) just to inject a single value. Kafka-style config providers looks nice here. A value can be an indirection marker resolved at load time: ``` config.providers: directory config.providers.directory.param.allowed.paths: /etc/fluss/secrets datalake.paimon.oauth.token: ${directory:/etc/fluss/secrets:oauth-token} ``` - ConfigProvider SPI + built-ins: directory (mounted K8s Secret volume), env (secretKeyRef), file (properties) - opt-in via config.providers, fail-fast on unknown providers/markers, mandatory allowed.paths guard for file-reading providers ### Willingness to contribute - [x] I'm willing to submit a PR! -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
