feat(config): support environment variables in check specs

Author: pixel365

README.md

@@ -62,7 +62,7 @@ Example configuration files are available in:
 Validate configuration with:
 
 ```bash
-CONFIG_DIR=./examples go run ./cmd/pulse-validate
+API_HTTP_AUTH_TOKEN=dev-token API_HTTP_CUSTOM_HEADER=dev-value CONFIG_DIR=./examples go run ./cmd/pulse-validate
 ```
 
 Before starting the app, apply migrations:
@@ -74,7 +74,7 @@ go run ./cmd/pulse-migrate up
 Run with:
 
 ```bash
-CONFIG_DIR=./examples go run ./cmd/pulse
+API_HTTP_AUTH_TOKEN=dev-token API_HTTP_CUSTOM_HEADER=dev-value CONFIG_DIR=./examples go run ./cmd/pulse
 ```
 
 Run API with:
@@ -83,6 +83,15 @@ Run API with:
 API_LISTEN_ADDR=:8080 INTERNAL_API_ENABLED=true CONFIG_DIR=./examples go run ./cmd/pulse-api
 ```
 
+Check `spec` values may reference environment variables with `${VAR_NAME}` syntax:
+
+```yaml
+headers:
+  Authorization: "Bearer ${API_HTTP_AUTH_TOKEN}"
+```
+
+Referenced variables must be present when the configuration is loaded. Values are resolved at check execution time and are not written back into the loaded config snapshot.
+
 The API process has separate internal and public route groups.
 Both are disabled by default and must be enabled explicitly:
 

examples/checks/api-checks.yaml

@@ -12,16 +12,16 @@ checks:
     allowed_buckets: [ minute, hour ]
     status_impact: critical
     spec:
-      url: http://localhost:8080
-      method: GET
+      url: "${API_HTTP_URL}"
+      method: "${API_HTTP_METHOD}"
       headers:
         Accept: application/json
         Content-Type: application/json
-        Authorization: Bearer xxx
-        X-Custom-Header: yyy
+        Authorization: "Bearer ${API_HTTP_AUTH_TOKEN}"
+        X-Custom-Header: "${API_HTTP_CUSTOM_HEADER}"
       payload:
-        key1: value1
-        key2: value2
+        key1: "${API_HTTP_PAYLOAD_KEY1}"
+        key2: "${API_HTTP_PAYLOAD_KEY2}"
       follow_redirects: true
       success_codes: [ 200 ]
       expected_body:

internal/checker/dns/request.go

@@ -18,14 +18,19 @@ func (c *Checker) request(ctx context.Context) error {
 	ctx, cancel := context.WithTimeout(ctx, c.config.Timeout)
 	defer cancel()
 
+	spec, err := config.ResolveDNSSpecEnv(c.config.Spec)
+	if err != nil {
+		return e.NewError(e.ErrInternal, fmt.Sprintf("could not resolve dns spec: %v", err))
+	}
+
 	req := new(mdns.Msg)
 	req.SetQuestion(
-		mdns.Fqdn(c.config.Spec.Name),
-		recordTypeToQType(c.config.Spec.RecordType),
+		mdns.Fqdn(spec.Name),
+		recordTypeToQType(spec.RecordType),
 	)
 	req.RecursionDesired = true
 
-	server, err := resolveServer(c.config.Spec.Server)
+	server, err := resolveServer(spec.Server)
 	if err != nil {
 		return fmt.Errorf("could not resolve dns server: %w", err)
 	}
@@ -46,19 +51,19 @@ func (c *Checker) request(ctx context.Context) error {
 		)
 	}
 
-	values, err := collectAnswers(res.Answer, c.config.Spec.RecordType)
+	values, err := collectAnswers(res.Answer, spec.RecordType)
 	if err != nil {
 		return err
 	}
 
 	if len(values) == 0 {
 		return e.NewError(
 			e.ErrConstraint,
-			fmt.Sprintf("no %s records found for %s", c.config.Spec.RecordType, c.config.Spec.Name),
+			fmt.Sprintf("no %s records found for %s", spec.RecordType, spec.Name),
 		)
 	}
 
-	if err = checkAnswers(c.config.Spec.Expect, c.config.Spec.RecordType, values); err != nil {
+	if err = checkAnswers(spec.Expect, spec.RecordType, values); err != nil {
 		return err
 	}
 

internal/checker/grpc/request.go

@@ -10,14 +10,20 @@ import (
 	healthpb "google.golang.org/grpc/health/grpc_health_v1"
 	"google.golang.org/grpc/metadata"
 
+	"github.com/pixel365/pulse/internal/config"
 	"github.com/pixel365/pulse/internal/e"
 )
 
 func (c *Checker) request(ctx context.Context) error {
 	ctx, cancel := context.WithTimeout(ctx, c.config.Timeout)
 	defer cancel()
 
-	address := net.JoinHostPort(c.config.Spec.Host, fmt.Sprint(c.config.Spec.Port))
+	spec, err := config.ResolveGRPCSpecEnv(c.config.Spec)
+	if err != nil {
+		return e.NewError(e.ErrInternal, fmt.Sprintf("could not resolve grpc spec: %v", err))
+	}
+
+	address := net.JoinHostPort(spec.Host, fmt.Sprint(spec.Port))
 	conn, err := grpc.NewClient(
 		address,
 		grpc.WithTransportCredentials(insecure.NewCredentials()),
@@ -33,13 +39,13 @@ func (c *Checker) request(ctx context.Context) error {
 		_ = conn.Close()
 	}()
 
-	if len(c.config.Spec.Metadata) > 0 {
-		ctx = metadata.NewOutgoingContext(ctx, metadata.New(c.config.Spec.Metadata))
+	if len(spec.Metadata) > 0 {
+		ctx = metadata.NewOutgoingContext(ctx, metadata.New(spec.Metadata))
 	}
 
 	service := ""
-	if c.config.Spec.Request != nil {
-		service = c.config.Spec.Request.Service
+	if spec.Request != nil {
+		service = spec.Request.Service
 	}
 
 	client := healthpb.NewHealthClient(conn)
@@ -50,12 +56,12 @@ func (c *Checker) request(ctx context.Context) error {
 		return fmt.Errorf("could not execute grpc health check: %w", err)
 	}
 
-	if got := resp.GetStatus().String(); got != string(c.config.Spec.ExpectedHealthStatus) {
+	if got := resp.GetStatus().String(); got != string(spec.ExpectedHealthStatus) {
 		return e.NewError(
 			e.ErrConstraint,
 			fmt.Sprintf(
 				"unexpected grpc health status: expected %s, got %s",
-				c.config.Spec.ExpectedHealthStatus,
+				spec.ExpectedHealthStatus,
 				got,
 			),
 		)

internal/checker/http/request.go

@@ -18,9 +18,14 @@ func (c *Checker) request(ctx context.Context) error {
 	ctx, cancel := context.WithTimeout(ctx, c.config.Timeout)
 	defer cancel()
 
+	spec, err := config.ResolveHTTPSpecEnv(c.config.Spec)
+	if err != nil {
+		return e.NewError(e.ErrInternal, fmt.Sprintf("could not resolve http spec: %v", err))
+	}
+
 	cl := &h.Client{
 		CheckRedirect: func(req *h.Request, via []*h.Request) error {
-			if !c.config.Spec.FollowRedirects {
+			if !spec.FollowRedirects {
 				return h.ErrUseLastResponse
 			}
 
@@ -32,12 +37,12 @@ func (c *Checker) request(ctx context.Context) error {
 		},
 	}
 
-	req, err := makeRequest(ctx, c.config)
+	req, err := makeRequest(ctx, spec)
 	if err != nil {
 		return fmt.Errorf("could not make request: %w", err)
 	}
 
-	for k, v := range c.config.Spec.Headers {
+	for k, v := range spec.Headers {
 		req.Header.Set(k, v)
 	}
 
@@ -50,56 +55,56 @@ func (c *Checker) request(ctx context.Context) error {
 		_ = res.Body.Close()
 	}()
 
-	if err = checkCode(res.StatusCode, c.config.Spec.SuccessCodes); err != nil {
+	if err = checkCode(res.StatusCode, spec.SuccessCodes); err != nil {
 		return fmt.Errorf("could not check response code: %w", err)
 	}
 
-	if err = checkBody(c.config.Spec.ExpectedBody, res.Body); err != nil {
+	if err = checkBody(spec.ExpectedBody, res.Body); err != nil {
 		return fmt.Errorf("could not parse response body: %w", err)
 	}
 
 	return nil
 }
 
-func makeRequest(ctx context.Context, config Alias) (*h.Request, error) {
+func makeRequest(ctx context.Context, spec config.HttpSpec) (*h.Request, error) {
 	var req *h.Request
 
-	switch config.Spec.Method {
+	switch spec.Method {
 	case "GET":
-		fullUrl := config.Spec.URL
-		if len(config.Spec.Payload) > 0 {
+		fullUrl := spec.URL
+		if len(spec.Payload) > 0 {
 			params := url.Values{}
-			for k, v := range config.Spec.Payload {
+			for k, v := range spec.Payload {
 				params.Add(k, fmt.Sprint(v))
 			}
 
 			fullUrl = fmt.Sprintf("%s?%s", fullUrl, params.Encode())
 		}
 
-		rq, err := h.NewRequestWithContext(ctx, config.Spec.Method, fullUrl, nil)
+		rq, err := h.NewRequestWithContext(ctx, spec.Method, fullUrl, nil)
 		if err != nil {
 			return nil, fmt.Errorf("could not send request: %w", err)
 		}
 		req = rq
 	case "POST":
 		var payload io.Reader
-		if len(config.Spec.Payload) > 0 {
-			data, err := json.Marshal(config.Spec.Payload)
+		if len(spec.Payload) > 0 {
+			data, err := json.Marshal(spec.Payload)
 			if err != nil {
 				return nil, fmt.Errorf("could not marshal data: %w", err)
 			}
 			payload = bytes.NewReader(data)
 		}
 
-		rq, err := h.NewRequestWithContext(ctx, config.Spec.Method, config.Spec.URL, payload)
+		rq, err := h.NewRequestWithContext(ctx, spec.Method, spec.URL, payload)
 		if err != nil {
 			return nil, fmt.Errorf("could not send request: %w", err)
 		}
 		req = rq
 	default:
 		return nil, e.NewError(
 			e.ErrInternal,
-			fmt.Sprintf("unsupported method: %s", config.Spec.Method),
+			fmt.Sprintf("unsupported method: %s", spec.Method),
 		)
 	}
 

internal/checker/tcp/request.go

@@ -16,7 +16,12 @@ func (c *Checker) request(ctx context.Context) error {
 	ctx, cancel := context.WithTimeout(ctx, c.config.Timeout)
 	defer cancel()
 
-	address := net.JoinHostPort(c.config.Spec.Host, fmt.Sprint(c.config.Spec.Port))
+	spec, err := config.ResolveTCPSpecEnv(c.config.Spec)
+	if err != nil {
+		return e.NewError(e.ErrInternal, fmt.Sprintf("could not resolve tcp spec: %v", err))
+	}
+
+	address := net.JoinHostPort(spec.Host, fmt.Sprint(spec.Port))
 	dialer := &net.Dialer{}
 
 	conn, err := dialer.DialContext(ctx, "tcp", address)
@@ -34,13 +39,13 @@ func (c *Checker) request(ctx context.Context) error {
 		}
 	}
 
-	if c.config.Spec.Send != "" {
-		if _, err = io.WriteString(conn, c.config.Spec.Send); err != nil {
+	if spec.Send != "" {
+		if _, err = io.WriteString(conn, spec.Send); err != nil {
 			return fmt.Errorf("could not write tcp payload: %w", err)
 		}
 	}
 
-	if err = checkResponse(conn, c.config.Spec.Expect); err != nil {
+	if err = checkResponse(conn, spec.Expect); err != nil {
 		return err
 	}
 

internal/checker/tls/request.go

@@ -7,17 +7,23 @@ import (
 	"net"
 	"time"
 
+	"github.com/pixel365/pulse/internal/config"
 	"github.com/pixel365/pulse/internal/e"
 )
 
 func (c *Checker) request(ctx context.Context) error {
 	ctx, cancel := context.WithTimeout(ctx, c.config.Timeout)
 	defer cancel()
 
-	address := net.JoinHostPort(c.config.Spec.Host, fmt.Sprint(c.config.Spec.Port))
-	serverName := c.config.Spec.ServerName
+	spec, err := config.ResolveTLSSpecEnv(c.config.Spec)
+	if err != nil {
+		return e.NewError(e.ErrInternal, fmt.Sprintf("could not resolve tls spec: %v", err))
+	}
+
+	address := net.JoinHostPort(spec.Host, fmt.Sprint(spec.Port))
+	serverName := spec.ServerName
 	if serverName == "" {
-		serverName = c.config.Spec.Host
+		serverName = spec.Host
 	}
 
 	dialer := &ctls.Dialer{
@@ -52,13 +58,13 @@ func (c *Checker) request(ctx context.Context) error {
 
 	leaf := state.PeerCertificates[0]
 	validityLeft := time.Until(leaf.NotAfter)
-	if validityLeft < c.config.Spec.MinValidity {
+	if validityLeft < spec.MinValidity {
 		return e.NewError(
 			e.ErrConstraint,
 			fmt.Sprintf(
 				"certificate validity %s is below required minimum %s",
 				validityLeft.Truncate(time.Second),
-				c.config.Spec.MinValidity,
+				spec.MinValidity,
 			),
 		)
 	}

internal/config/config.go

@@ -171,10 +171,6 @@ func decodeTypedCheck[T any](raw Check) (TypedCheck[T], error) {
 		return typedCheck, fmt.Errorf("failed to unmarshal check spec: %w", err)
 	}
 
-	if err = validateStruct(typedCheck); err != nil {
-		return typedCheck, fmt.Errorf("failed to validate check spec: %w", err)
-	}
-
 	return typedCheck, nil
 }
 
@@ -188,6 +184,10 @@ func appendTypedCheck[T any](dst map[string]TypedCheck[T], raw Check) error {
 		return err
 	}
 
+	if err = validateStruct(&typedCheck); err != nil {
+		return fmt.Errorf("failed to validate check spec: %w", err)
+	}
+
 	dst[raw.ID] = typedCheck
 
 	return nil