
Allow secrets to be provided from a file or environment variable #5177

Merged
sisuresh merged 2 commits into stellar:master from sisuresh:secrets
Apr 1, 2026

@sisuresh
Contributor

Description

Resolves #1316

Checklist

  • Reviewed the contributing document
  • Rebased on top of master (no merge commits)
  • Ran clang-format v8.0.0 (via make format or the Visual Studio extension)
  • Compiles
  • Ran all tests
  • If change impacts performance, include supporting evidence per the performance document

@sisuresh sisuresh requested a review from jacekn March 12, 2026 20:05
@sisuresh sisuresh force-pushed the secrets branch 2 times, most recently from 693a0d1 to 87cb7bc Compare March 13, 2026 18:23
@sisuresh sisuresh marked this pull request as ready for review March 14, 2026 00:19
Copilot AI review requested due to automatic review settings March 14, 2026 00:19
Contributor

Copilot AI left a comment

Pull request overview

Adds support for resolving sensitive config values (currently NODE_SEED) from external secret sources, primarily via $FILE: references, and documents / tests the behavior.

Changes:

  • Introduce util/SecretManager for resolving $FILE:-prefixed config values with permission checks and whitespace trimming.
  • Update config parsing to allow NODE_SEED to be read from a $FILE: reference and reject such references on public network config.
  • Add unit tests and update the example config documentation for $FILE: usage.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 9 comments.

| File | Description |
| --- | --- |
| src/util/SecretManager.h | New API for resolving config secrets (e.g., $FILE:). |
| src/util/SecretManager.cpp | Implements file-based secret resolution and permission validation. |
| src/main/Config.cpp | Uses SecretManager when parsing NODE_SEED; rejects external secrets on pubnet. |
| src/main/test/ConfigTests.cpp | Adds tests for secret resolution and config integration. |
| docs/stellar-core_example.cfg | Documents $FILE: usage for NODE_SEED. |
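
The review above describes resolving `$FILE:`-prefixed values with permission checks and whitespace trimming. The following C++ is an added example of that pattern, not code from this pull request or from stellar-core. The name `resolveSecret`, the rule that the file must carry no group or other permission bits, and the symlink refusal are assumptions, since the page does not say what SecretManager's checks are.

```cpp
// Added example, not stellar-core's SecretManager. The "$FILE:" prefix is from
// the PR; the owner-only mode policy and all names below are assumptions.
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>
#include <stdexcept>
#include <string>

static const std::string kFilePrefix = "$FILE:";

// Returns the value unchanged unless it starts with "$FILE:", in which case
// the secret is read from that path after validating the opened descriptor.
std::string resolveSecret(const std::string& value)
{
    if (value.compare(0, kFilePrefix.size(), kFilePrefix) != 0)
        return value; // literal value, nothing to resolve
    std::string path = value.substr(kFilePrefix.size());
    if (path.empty())
        throw std::runtime_error("empty secret file path");

    // O_NOFOLLOW refuses a symlink at the final path component;
    // O_NONBLOCK keeps open() from hanging if the path is a FIFO.
    int fd = ::open(path.c_str(),
                    O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0)
        throw std::runtime_error("cannot open secret file");

    // fstat the descriptor, not the path, so the check and the read see the
    // same inode (no check-then-open race).
    struct stat st;
    bool ok = ::fstat(fd, &st) == 0 && S_ISREG(st.st_mode) &&
              (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
    std::string data;
    char buf[256];
    ssize_t n = 0;
    while (ok && (n = ::read(fd, buf, sizeof buf)) > 0)
        data.append(buf, static_cast<size_t>(n));
    ::close(fd);
    if (!ok || n < 0)
        throw std::runtime_error("secret file rejected (type, mode or read)");

    // Trim surrounding whitespace such as the trailing newline editors add.
    const char* ws = " \t\r\n";
    size_t b = data.find_first_not_of(ws);
    if (b == std::string::npos)
        throw std::runtime_error("secret file is empty");
    return data.substr(b, data.find_last_not_of(ws) - b + 1);
}
```

Error messages here never include the file contents, so a rejected file does not leak the secret into logs.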


@sisuresh sisuresh requested a review from dmkozh March 31, 2026 20:31
@sisuresh sisuresh enabled auto-merge April 1, 2026 18:33
@sisuresh sisuresh closed this Apr 1, 2026
auto-merge was automatically disabled April 1, 2026 20:43

Pull request was closed

@sisuresh sisuresh reopened this Apr 1, 2026
@sisuresh sisuresh enabled auto-merge April 1, 2026 20:44
@sisuresh sisuresh added this pull request to the merge queue Apr 1, 2026
Merged via the queue into stellar:master with commit cd625ad Apr 1, 2026
77 of 89 checks passed
@sisuresh sisuresh deleted the secrets branch April 1, 2026 22:17

Development

Successfully merging this pull request may close these issues.

Move secrets out of the config file
