pyroscope
pyroscope copied to clipboard
Reading environment variables in server configuration file
I am trying to deploy the pyroscope server to an App Engine instance in GCP with Google OAuth enabled. I would like to populate the server configuration file using environment variables like below but it does not work. If I populate the attributes using raw string, everything works well. I do not want to have the secrets in the server configuration file but rather want to set them as environment variables.
Am I missing something here? or do we have to paste the raw string into the environment variables? Would there be a way to set PYROSCOPE_AUTH
with all the details in my Dockerfile.
Note: I am setting the ENV variables in the Dockerfile to get things working locally, but when deploying I would set it in my app.yaml
FROM pyroscope/pyroscope:latest
COPY ./pyroscope-server.yml /tmp/pyroscope-server.yml
ENV PYROSCOPE_GOOGLE_CLIENT_ID="google-client-id"
ENV PYROSCOPE_GOOGLE_CLIENT_SECRET="google-client-secret"
ENV PYROSCOPE_ALLOWED_DOMAIN="whitelisted-domain.com"
ENV PYROSCOPE_API_BIND_ADDR=":8080"
ENV PYROSCOPE_CONFIG="/tmp/pyroscope-server.yml"
ENV PYROSCOPE_APPLICATION_NAME="pyroscope-test"
EXPOSE 8080
CMD ["server"]
---
# Add Google OAuth keys (THIS DOES NOT WORK)
auth:
google:
enabled: true
client-id: ${PYROSCOPE_GOOGLE_CLIENT_ID}
client-secret: ${PYROSCOPE_GOOGLE_CLIENT_SECRET}
allowed-domains:
- ${PYROSCOPE_ALLOWED_DOMAIN}
# Add Google OAuth keys (THIS WORKS)
auth:
google:
enabled: true
client-id: "google-client-id"
client-secret: "google-client-secret"
allowed-domains:
- "whitelisted-domain.com"
# Disables analytics.
analytics-opt-out: "false"
# Log level: debug|info|warn|error.
log-level: "info"
# Log level: debug|info|warn|error.
badger-log-level: "error"
# Directory where pyroscope stores profiling data.
storage-path: "/var/lib/pyroscope"
# Port for the HTTP server used for data ingestion and web UI.
# The App Engine front end will route incoming requests to the
# appropriate module on port 8080. Our application code must
# be listening on 8080
api-bind-addr: ":8080"
# Base URL for when the server is behind a reverse proxy with a different path.
base-url: ""
# Percentage of memory at which cache evictions start.
cache-evict-threshold: "0.25"
# Percentage of cache that is evicted per eviction run.
cache-evict-volume: "0.33"
# Indicates whether value log files should be truncated to delete corrupt data, if any.
badger-no-truncate: "false"
# Disables /debug/pprof route.
disable-pprof-endpoint: "false"
# Max number of nodes used when saving profiles to disk.
max-nodes-serialization: "2048"
# Max number of nodes used to display data on the frontend.
max-nodes-render: "8192"
# Please don't use, this will soon be deprecated.
hide-applications: []
# Sets the maximum amount of time the profiling data is stored for. Data before this threshold is deleted. Disabled by default.
retention: "0s"
Hi @raqib-hayder ,
- The way configuration works in pyroscope is for each configuration parameter it will look in 3 places:
- first the config file
- then environment variables
- then command line flags
So for example, if you have "log-level" set to "debug" in config, but then run pyroscope with PYROSCOPE_LOG_LEVEL=info, it will use info
log level. If you also add a command line argument and run pyroscope like this: pyroscope server -log-level=error
, it will set it to error
.
- There's no support for substitutions in the config file so that's why it doesn't work when you specify it like this:
auth:
google:
client-id: ${PYROSCOPE_GOOGLE_CLIENT_ID}
In this case it just treats it as a a string "${PYROSCOPE_GOOGLE_CLIENT_ID}"
- The last thing I'll say is that for environment variables and nested configuration you need to include the whole path to the parameter in the name. For example, for
client-id
here:
auth:
google:
client-id: client_id
the environment variable name becomes PYROSCOPE_AUTH_GOOGLE_CLIENT_ID
To summarize, I think if you just use the right environment variable names it should work just fine, e.g:
ENV PYROSCOPE_AUTH_GOOGLE_ENABLED="true"
ENV PYROSCOPE_AUTH_GOOGLE_CLIENT_ID="google-client-id"
ENV PYROSCOPE_AUTH_GOOGLE_CLIENT_SECRET="google-client-secret"
ENV PYROSCOPE_AUTH_GOOGLE_ALLOWED_DOMAINS="whitelisted-domain.com"
I hope this helps. Sorry about the confusion, we'll make sure to update docs to include information about these configuration parsing rules.
@petethepig: I should have figured it out (sorry about that) but thank you for clarifying. I think adding point 3
to the docs will help understanding the configuration parsing rules.
I made the appropriate changes and it works like a charm. Again, thank you for responding so promptly and clearly. 🙏🏽