This release lets the exporter source its API key secret from a file instead of a static flag, so it can run against OIDC API keys whose secret is a rotating JWT. The exporter re-reads the file on every token refresh, which means projected Kubernetes service-account tokens are picked up automatically without a restart.
What's included
--api-key-secret-fileflag (SPACELIFT_PROMEX_API_KEY_SECRET_FILE) - point the exporter at a file holding the API key secret rather than passing it inline. The file is re-read on every token refresh, so rotating secrets keep working without bouncing the process. The path is validated once at startup, so a missing or empty file fails fast instead of on the first refresh.- Mutually exclusive with
--api-key-secret- exactly one of the two is required. Existing setups that pass--api-key-secret(orSPACELIFT_PROMEX_API_KEY_SECRET) are unaffected.
Tip
This is the piece you want for OIDC API keys (key ID of the form oidc::<issuer>::<key-id>), where the "secret" is a JWT minted by your identity provider. On Kubernetes, point it at the projected service-account token:
--api-key-secret-file=/var/run/secrets/kubernetes.io/serviceaccount/tokenAlso includes routine dependency bumps: urfave/cli v3.9.1 -> v3.10.0 (#72) and actions/checkout 6 -> 7 in CI (#71).
New Contributors
Full Changelog: v0.10.0...v0.11.0