
Reading environment variables in server configuration file

Open raqibhayder opened this issue 2 years ago • 2 comments

I am trying to deploy the pyroscope server to an App Engine instance in GCP with Google OAuth enabled. I would like to populate the server configuration file using environment variables like below but it does not work. If I populate the attributes using raw string, everything works well. I do not want to have the secrets in the server configuration file but rather want to set them as environment variables.

Am I missing something here? Or do we have to paste the raw string into the environment variables? Would there be a way to set PYROSCOPE_AUTH with all the details in my Dockerfile?

Note: I am setting the ENV variables in the Dockerfile to get things working locally, but when deploying I would set it in my app.yaml

FROM pyroscope/pyroscope:latest

COPY ./pyroscope-server.yml /tmp/pyroscope-server.yml

ENV PYROSCOPE_GOOGLE_CLIENT_ID="google-client-id"
ENV PYROSCOPE_GOOGLE_CLIENT_SECRET="google-client-secret"
ENV PYROSCOPE_ALLOWED_DOMAIN="whitelisted-domain.com"
ENV PYROSCOPE_API_BIND_ADDR=":8080"
ENV PYROSCOPE_CONFIG="/tmp/pyroscope-server.yml"
ENV PYROSCOPE_APPLICATION_NAME="pyroscope-test"

EXPOSE 8080

CMD ["server"]
---
# Add Google OAuth keys (THIS DOES NOT WORK)
auth:
  google:
    enabled: true
    client-id: ${PYROSCOPE_GOOGLE_CLIENT_ID}
    client-secret: ${PYROSCOPE_GOOGLE_CLIENT_SECRET}
    allowed-domains:
      - ${PYROSCOPE_ALLOWED_DOMAIN}

# Add Google OAuth keys (THIS WORKS)
auth:
  google:
    enabled: true
    client-id: "google-client-id"
    client-secret: "google-client-secret"
    allowed-domains:
      - "whitelisted-domain.com"

# Disables analytics.
analytics-opt-out: "false"

# Log level: debug|info|warn|error.
log-level: "info"

# Log level: debug|info|warn|error.
badger-log-level: "error"

# Directory where pyroscope stores profiling data.
storage-path: "/var/lib/pyroscope"

# Port for the HTTP server used for data ingestion and web UI.
# The App Engine front end will route incoming requests to the 
# appropriate module on port 8080. Our application code must
# be listening on 8080
api-bind-addr: ":8080"

# Base URL for when the server is behind a reverse proxy with a different path.
base-url: ""

# Percentage of memory at which cache evictions start.
cache-evict-threshold: "0.25"

# Percentage of cache that is evicted per eviction run.
cache-evict-volume: "0.33"

# Indicates whether value log files should be truncated to delete corrupt data, if any.
badger-no-truncate: "false"

# Disables /debug/pprof route.
disable-pprof-endpoint: "false"

# Max number of nodes used when saving profiles to disk.
max-nodes-serialization: "2048"

# Max number of nodes used to display data on the frontend.
max-nodes-render: "8192"

# Please don't use, this will soon be deprecated.
hide-applications: []

# Sets the maximum amount of time the profiling data is stored for. Data before this threshold is deleted. Disabled by default.
retention: "0s"

raqibhayder avatar Oct 07 '21 23:10 raqibhayder

Hi @raqib-hayder,

  1. The way configuration works in pyroscope is for each configuration parameter it will look in 3 places:
  • first the config file
  • then environment variables
  • then command line flags

So for example, if you have "log-level" set to "debug" in config, but then run pyroscope with PYROSCOPE_LOG_LEVEL=info, it will use info log level. If you also add a command line argument and run pyroscope like this: pyroscope server -log-level=error, it will set it to error.

  2. There's no support for substitutions in the config file, so that's why it doesn't work when you specify it like this:
auth:
  google:
    client-id: ${PYROSCOPE_GOOGLE_CLIENT_ID}

In this case it just treats it as a string "${PYROSCOPE_GOOGLE_CLIENT_ID}"

  3. The last thing I'll say is that for environment variables and nested configuration you need to include the whole path to the parameter in the name. For example, for client-id here:
auth:
  google:
    client-id: client_id

the environment variable name becomes PYROSCOPE_AUTH_GOOGLE_CLIENT_ID


To summarize, I think if you just use the right environment variable names it should work just fine, e.g.:

ENV PYROSCOPE_AUTH_GOOGLE_ENABLED="true"
ENV PYROSCOPE_AUTH_GOOGLE_CLIENT_ID="google-client-id"
ENV PYROSCOPE_AUTH_GOOGLE_CLIENT_SECRET="google-client-secret"
ENV PYROSCOPE_AUTH_GOOGLE_ALLOWED_DOMAINS="whitelisted-domain.com"

I hope this helps. Sorry about the confusion, we'll make sure to update docs to include information about these configuration parsing rules.

petethepig avatar Oct 08 '21 01:10 petethepig
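
An added example, not part of the thread and not Pyroscope's own code: a small lint that finds `${VAR}` placeholders in a server config, which the answer above says are read as literal strings, and reports the environment variable to set instead. The naming rule (prefix `PYROSCOPE_`, full key path, upper case, hyphens to underscores) is an assumption inferred from the names given in the answer; the sample config is constructed from the issue's non-working snippet, and the parser covers only that block-style YAML subset.

```python
import re

PLACEHOLDER = re.compile(r"\$\{[A-Za-z_][A-Za-z0-9_]*\}")

# Constructed sample, modelled on the non-working config in the issue.
SAMPLE_CONFIG = """\
auth:
  google:
    enabled: true
    client-id: ${PYROSCOPE_GOOGLE_CLIENT_ID}
    client-secret: ${PYROSCOPE_GOOGLE_CLIENT_SECRET}
    allowed-domains:
      - ${PYROSCOPE_ALLOWED_DOMAIN}
log-level: "info"
"""

def env_name(path, prefix="PYROSCOPE"):
    """Build the variable name from the full key path (rule assumed from the answer)."""
    return "_".join([prefix] + [key.replace("-", "_").upper() for key in path])

def find_placeholders(text):
    """Return (line_no, placeholder, env_var_to_set) for every ${VAR} value.

    Covers only space-indented `key: value` mappings and `- item` lists.
    """
    findings, stack = [], []  # stack: (indent, key) of the enclosing mappings
    for line_no, raw in enumerate(text.splitlines(), 1):
        body = raw.strip()
        if not body or body.startswith("#") or body == "---":
            continue
        indent = len(raw) - len(raw.lstrip())
        is_item = body.startswith("- ")
        # A list item belongs to the key above it, even at the same indent.
        limit = indent + 1 if is_item else indent
        while stack and stack[-1][0] >= limit:
            stack.pop()
        if is_item:
            value = body[2:]
        else:
            key, _, value = body.partition(":")
            stack.append((indent, key.strip()))
        for match in PLACEHOLDER.finditer(value):
            findings.append((line_no, match.group(0), env_name([k for _, k in stack])))
    return findings

if __name__ == "__main__":
    for line_no, placeholder, name in find_placeholders(SAMPLE_CONFIG):
        print(f"line {line_no}: {placeholder} is read literally; set {name} instead")
```
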

@petethepig: I should have figured it out (sorry about that) but thank you for clarifying. I think adding point 3 to the docs will help with understanding the configuration parsing rules.

I made the appropriate changes and it works like a charm. Again, thank you for responding so promptly and clearly. 🙏🏽

raqibhayder avatar Oct 08 '21 02:10 raqibhayder