fix #741

irc/cloaks/cloaks.go

@@ -5,6 +5,7 @@ package cloaks
 import (
 	"fmt"
 	"net"
+	"os"
 
 	"golang.org/x/crypto/sha3"
 
@@ -12,12 +13,13 @@ import (
 )
 
 type CloakConfig struct {
-	Enabled     bool
-	Netname     string
-	Secret      string
-	CidrLenIPv4 int `yaml:"cidr-len-ipv4"`
-	CidrLenIPv6 int `yaml:"cidr-len-ipv6"`
-	NumBits     int `yaml:"num-bits"`
+	Enabled      bool
+	Netname      string
+	Secret       string
+	SecretEnvVar string `yaml:"secret-environment-variable"`
+	CidrLenIPv4  int    `yaml:"cidr-len-ipv4"`
+	CidrLenIPv6  int    `yaml:"cidr-len-ipv6"`
+	NumBits      int    `yaml:"num-bits"`
 
 	numBytes int
 	ipv4Mask net.IPMask
@@ -25,6 +27,13 @@ type CloakConfig struct {
 }
 
 func (cloakConfig *CloakConfig) Initialize() {
+	if cloakConfig.SecretEnvVar != "" {
+		envSecret := os.Getenv(cloakConfig.SecretEnvVar)
+		if envSecret != "" {
+			cloakConfig.Secret = envSecret
+		}
+	}
+
 	// sanity checks:
 	numBits := cloakConfig.NumBits
 	if 0 == numBits {

oragono.yaml

@@ -226,6 +226,10 @@ server:
         # note that rotating this key will invalidate all existing ban masks.
         secret: "siaELnk6Kaeo65K3RCrwJjlWaZ-Bt3WuZ2L8MXLbNb4"
 
+        # name of an environment variable to pull the secret from, for use with
+        # k8s secret distribution:
+        # secret-environment-variable: "ORAGONO_CLOAKING_SECRET"
+
         # the cloaked hostname is derived only from the CIDR (most significant bits
         # of the IP address), up to a configurable number of bits. this is the
         # granularity at which bans will take effect for IPv4. Note that changing