add load_secrets as an explicit stage

during load_config

rather than applying directly to defaults, which should be left static

tests/test_configurer.py

@@ -1,7 +1,9 @@
 """
-Test
+Test configurer
 """
 
+import os
+
 from tljh import configurer
 
 
@@ -161,7 +163,7 @@ def test_auth_github():
     assert c.GitHubOAuthenticator.client_secret == 'something-else'
 
 
-def test_auth_api_default():
+def test_traefik_api_default():
     """
     Test default traefik api authentication settings with no overrides
     """
@@ -171,15 +173,28 @@ def test_auth_api_default():
     assert len(c.TraefikTomlProxy.traefik_api_password) == 0
 
 
-def test_set_auth_api():
+def test_set_traefik_api():
     """
     Test setting per traefik api credentials
     """
     c = apply_mock_config({
-                            'auth_api': {
-                                        'username': 'some_user',
-                                        'password': '1234'
-                            }
+        'traefik_api': {
+            'username': 'some_user',
+            'password': '1234'
+        }
     })
     assert c.TraefikTomlProxy.traefik_api_username == 'some_user'
     assert c.TraefikTomlProxy.traefik_api_password == '1234'
+
+
+def test_load_secrets(tljh_dir):
+    """
+    Test loading secret files
+    """
+    with open(os.path.join(tljh_dir, 'state', 'traefik-api.secret'), 'w') as f:
+        f.write("traefik-password")
+
+    tljh_config = configurer.load_config()
+    assert tljh_config['traefik_api']['password'] == "traefik-password"
+    c = apply_mock_config(tljh_config)
+    assert c.TraefikTomlProxy.traefik_api_password == "traefik-password"

tljh/configurer.py

@@ -68,8 +68,10 @@ def load_config(config_file=CONFIG_FILE):
     else:
         config_overrides = {}
 
-    generate_traefik_api_credentials()
-    return _merge_dictionaries(dict(default), config_overrides)
+    secrets = load_secrets()
+    config = _merge_dictionaries(dict(default), secrets)
+    config = _merge_dictionaries(config, config_overrides)
+    return config
 
 
 def apply_config(config_overrides, c):
@@ -93,12 +95,29 @@ def set_if_not_none(parent, key, value):
     if value is not None:
         setattr(parent, key, value)
 
-def generate_traefik_api_credentials():
+
+def load_traefik_api_credentials():
+    """Load traefik api secret from a file"""
     proxy_secret_path = os.path.join(STATE_DIR, 'traefik-api.secret')
+    if not os.path.exists(proxy_secret_path):
+        return {}
     with open(proxy_secret_path,'r') as f:
         password = f.read()
+    return {
+        'traefik_api': {
+            'password': password,
+        }
+    }
 
-    default['traefik_api']['password'] = password
+
+def load_secrets():
+    """Load any secret values stored on disk
+
+    Returns dict to be merged into config during load
+    """
+    config = {}
+    config = _merge_dictionaries(config, load_traefik_api_credentials())
+    return config
 
 
 def update_auth(c, config):