feat(2b): config hardening — .env, password_file, SIGHUP + rename-safe watcher#2
Conversation
Three TDD tasks: godotenv .env loading (before ${VAR} interpolation, never
overriding real env); per-host password_file secrets; SIGHUP reload + a
rename-safe file watcher (folds upstream mrlhansen#148's fsnotify.Rename handling
cleanly — bounded re-add, no goroutine-leaking recursion).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Add LoadDotEnv() to internal/config that uses godotenv.Load (never
Overload) to read .env from cwd and the config file's directory before
os.ExpandEnv runs in FromFile, so ${VAR} references resolve from .env
without ever overriding real environment variables. Wire it in main.go
immediately before LoadConfig.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Read a secret from a file at config validation time so that passwords can be injected via Kubernetes secrets or similar mechanisms without embedding them in YAML. Trailing whitespace is trimmed. An unreadable file is a hard error (fail-fast). Covered by two new unit tests. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Add SIGHUP signal handler (signals.go) that reloads configuration on SIGHUP for the process lifetime. Rewrite WatchConfig event loop to handle editor atomic-save patterns (rename/replace) via shouldReload and bounded readd helpers, with burst deduplication. Add TestShouldReload unit test for the pure shouldReload predicate. Move the Collect/Event struct assignments inside ReloadConfig's mutex to close the writer-writer race now that two live goroutines (WatchConfig and handleSignals) can both call ReloadConfig concurrently. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
Warning Review limit reached
More reviews will be available in 8 minutes and 25 seconds. Learn how PR review limits work. Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file). ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available. Please see our Fair Usage Limits Policy for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: ⛔ Files ignored due to path filters (1)
📒 Files selected for processing (11)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Phase 2b — Config Hardening
Adds
.envloading, file-backed secrets, and robust reload triggers without changing any metric output. Implements all of Phase 2 spec §2b (plan).What's in it
.envloading (5f922fc) —config.LoadDotEnvruns before${VAR}interpolation so config references resolve. Usesjoho/godotenv, which never overrides already-set env vars (real secret injection always wins).password_filesecrets (c2077de) — per-host/authspassword_file:read at validate time and trimmed; wins over inlinepassword. Re-read on every reload, so secret rotation is picked up without a restart.488f965) —kill -HUPtriggers a reload; the fsnotify watcher now handlesRename/Remove(editor atomic-save) with a bounded re-add. Deliberately avoids upstream PR Improve config file watcher resilience mrlhansen/idrac_exporter#148's goroutine-leaking recursion and per-event sleep.Contract-neutrality
internal/collectoris byte-for-byte unchanged — metric output is unaffected.go.modadds onlygithub.com/joho/godotenv v1.5.1(no errgroup/resty/OTLP scope creep).Verification
gofmt -l .clean,go vet ./...cleango test -race ./...→ 9 pass across 5 packagesgolangci-lint run ./...→ 0 issuesgovulncheck ./...→ no vulnerabilitiesKnown follow-ups (pre-existing, out of scope)
config.Config.Collect/.Eventread withoutConfig.Mutexininternal/collector— wants aConfig.Snapshot()accessor.🤖 Generated with Claude Code