Code-Memo

Configuration and secrets

Config sources (common order)

1. Defaults (safe, minimal)
2. Config file (optional)
3. Environment variables (deploy-time)
4. CLI flags (highest precedence)

Environment variables

• Great for container/Kubernetes workloads
• Prefer explicit prefixes: MYAPP_TIMEOUT, MYAPP_LOG_LEVEL

Secrets

Never bake secrets into binaries or container images.

Use:

• Kubernetes Secrets (plus external secret stores)
• AWS Secrets Manager / SSM Parameter Store
• Vault / cloud secret managers

Rotation

• Support reload or restart-friendly design
• Keep client code tolerant of credential refresh (token renewals)

Validation

Fail fast on startup:

• missing required values
• invalid formats (URLs, durations)
• out-of-range numbers

Config parsing patterns

• flag for CLI
• os.Getenv for env
• encoding/json / TOML/YAML libs for files
• Keep parsing separate from business logic