diff --git a/plugins/secretstores/os/README.md b/plugins/secretstores/os/README.md
index c7a2e1a96..659e0d6c7 100644
--- a/plugins/secretstores/os/README.md
+++ b/plugins/secretstores/os/README.md
@@ -32,6 +32,55 @@ Telegraf. I.e. when set to `true`, the secret will be read from the secret-store
 on every access by a plugin. If set to `false`, all secrets in the secret store
 are assumed to be static and are only read once at startup of Telegraf.
 
+```toml @sample.conf
+# Operating System native secret-store
+[[secretstores.os]]
+ ## Unique identifier for the secret-store.
+ ## This id can later be used in plugins to reference the secrets
+ ## in this secret-store via @{:} (mandatory)
+ id = "secretstore"
+
+ ## Keyring Name & Collection
+ ## * Linux: keyring name used for the secrets, collection is unused
+ ## * macOS: keyring specifies the macOS' Keychain name and collection is an
+ ## optional Keychain service name
+ ## * Windows: keys follow a fixed pattern in the form
+ ## `::`. Please keep this in mind when creating
+ ## secrets with the Windows credential tool.
+ # keyring = "telegraf"
+ # collection = ""
+
+ ## macOS Keychain password
+ ## If no password is specified here, Telegraf will prompt for it at startup
+ ## time.
+ # password = ""
+
+ ## Allow dynamic secrets that are updated during runtime of telegraf
+ # dynamic = false
+```
+
+### Linux
+
+On Linux the kernel keyring in the `user` scope is used to store the
+secrets. The `collection` setting is ignored on Linux.
+
+### MacOS
+
+On MacOS the Keychain implementation is used. Here the `keyring` parameter
+corresponds to the Keychain name and the `collection` to the optional Keychain
+service name. Additionally a password is required to access the Keychain.
+The `password` itself is also a secret and can be a string, an environment
+variable or a reference to a secret stored in another secret-store.
+If `password` is omitted, you will be prompted for the password on startup.
+
+### Windows
+
+On Windows you can use the Credential Manager Control panel or
+[Telegraf](../../../cmd/telegraf/README.md) to manage your secrets.
+Please use _generic credentials_ and respect the special
+`::` format of the secret key. The
+secret value needs to be stored in the `Password` field.
+
 ### Docker
 
 Access to the kernel keyring is __disabled by default__ in docker containers
@@ -54,78 +103,3 @@ capability Telegraf will panic. Users will need to start a container with the
 See [github.com/awnumar/memguard#144][memguard-issue] for more information.
 
 [memguard-issue]: https://github.com/awnumar/memguard/issues/144
-
-### Windows
-
-```toml @sample_windows.conf
-# Operating System native secret-store
-[[secretstores.os]]
- ## Unique identifier for the secret-store.
- ## This id can later be used in plugins to reference the secrets
- ## in this secret-store via @{:} (mandatory)
- id = "secretstore"
-
- ## Keyring of the secrets
- ## In Windows, keys follow a fixed pattern in the form `::`. Please keep this in mind
- ## when creating secrets with the Windows credential tool.
- # keyring = "telegraf"
- # collection = ""
-
- ## Allow dynamic secrets that are updated during runtime of telegraf
- # dynamic = false
-```
-
-On Windows you can use the Credential Manager Control panel or
-[Telegraf](../../../cmd/telegraf/README.md) to manage your secrets.
-Please use _generic credentials_ and respect the special
-`::` format of the secret key. The
-secret value needs to be stored in the `Password` field.
-
-### Linux
-
-```toml @sample_linux.conf
-# Operating System native secret-store
-[[secretstores.os]]
- ## Unique identifier for the secret-store.
- ## This id can later be used in plugins to reference the secrets
- ## in this secret-store via @{:} (mandatory)
- id = "secretstore"
-
- ## Keyring name used for the secrets
- # keyring = "telegraf"
-
- ## Allow dynamic secrets that are updated during runtime of telegraf
- # dynamic = false
-```
-
-On Linux the kernel keyring in the `user` scope is used to store the
-secrets. The `collection` setting is ignored on Linux.
-
-### MacOS
-
-```toml @sample_darwin.conf
-# Operating System native secret-store
-[[secretstores.os]]
- ## Unique identifier for the secret-store.
- ## This id can later be used in plugins to reference the secrets
- ## in this secret-store via @{:} (mandatory)
- id = "secretstore"
-
- ## MacOS' Keychain name and service name
- # keyring = "telegraf"
- # collection = ""
-
- ## MacOS' Keychain password
- ## If no password is specified here, Telegraf will prompt for it at startup time.
- # password = ""
-
- ## Allow dynamic secrets that are updated during runtime of telegraf
- # dynamic = false
-```
-
-On MacOS the Keychain implementation is used. Here the `keyring` parameter
-corresponds to the Keychain name and the `collection` to the optional Keychain
-service name. Additionally a password is required to access the Keychain.
-The `password` itself is also a secret and can be a string, an environment
-variable or a reference to a secret stored in another secret-store.
-If `password` is omitted, you will be prompted for the password on startup.
diff --git a/plugins/secretstores/os/os.go b/plugins/secretstores/os/os.go
index ad89b2404..d4c25da5f 100644
--- a/plugins/secretstores/os/os.go
+++ b/plugins/secretstores/os/os.go
@@ -4,6 +4,7 @@
 package os
 
 import (
+ _ "embed"
 "errors"
 "fmt"
 
@@ -14,6 +15,9 @@ import (
 "github.com/influxdata/telegraf/plugins/secretstores"
 )
 
+//go:embed sample.conf
+var sampleConfig string
+
 type OS struct {
 ID string `toml:"id"`
 Keyring string `toml:"keyring"`
diff --git a/plugins/secretstores/os/os_darwin.go b/plugins/secretstores/os/os_darwin.go
index 1357ebd5b..8aca279ad 100644
--- a/plugins/secretstores/os/os_darwin.go
+++ b/plugins/secretstores/os/os_darwin.go
@@ -3,7 +3,6 @@
 package os
 
 import (
- _ "embed"
 "fmt"
 
 "github.com/99designs/keyring"
@@ -11,9 +10,6 @@ import (
 "github.com/influxdata/telegraf/config"
 )
 
-//go:embed sample_darwin.conf
-var sampleConfig string
-
 func (o *OS) createKeyringConfig() (keyring.Config, error) {
 passwd, err := o.Password.Get()
 if err != nil {
diff --git a/plugins/secretstores/os/os_linux.go b/plugins/secretstores/os/os_linux.go
index b156d00e7..12a06026c 100644
--- a/plugins/secretstores/os/os_linux.go
+++ b/plugins/secretstores/os/os_linux.go
@@ -3,14 +3,9 @@
 package os
 
 import (
- _ "embed"
-
 "github.com/99designs/keyring"
 )
 
-//go:embed sample_linux.conf
-var sampleConfig string
-
 func (o *OS) createKeyringConfig() (keyring.Config, error) {
 if o.Keyring == "" {
 o.Keyring = "telegraf"
diff --git a/plugins/secretstores/os/os_windows.go b/plugins/secretstores/os/os_windows.go
index f00e92d06..6f452ee6b 100644
--- a/plugins/secretstores/os/os_windows.go
+++ b/plugins/secretstores/os/os_windows.go
@@ -3,14 +3,9 @@
 package os
 
 import (
- _ "embed"
-
 "github.com/99designs/keyring"
 )
 
-//go:embed sample_windows.conf
-var sampleConfig string
-
 func (o *OS) createKeyringConfig() (keyring.Config, error) {
 return keyring.Config{
 ServiceName: o.Keyring,
diff --git a/plugins/secretstores/os/sample_darwin.conf b/plugins/secretstores/os/sample.conf
similarity index 50%
rename from plugins/secretstores/os/sample_darwin.conf
rename to plugins/secretstores/os/sample.conf
index d91df3437..2e3ae2ab5 100644
--- a/plugins/secretstores/os/sample_darwin.conf
+++ b/plugins/secretstores/os/sample.conf
@@ -5,12 +5,19 @@
 ## in this secret-store via @{:} (mandatory)
 id = "secretstore"
 
- ## MacOS' Keychain name and service name
+ ## Keyring Name & Collection
+ ## * Linux: keyring name used for the secrets, collection is unused
+ ## * macOS: keyring specifies the macOS' Keychain name and collection is an
+ ## optional Keychain service name
+ ## * Windows: keys follow a fixed pattern in the form
+ ## `::`. Please keep this in mind when creating
+ ## secrets with the Windows credential tool.
 # keyring = "telegraf"
 # collection = ""
 
- ## MacOS' Keychain password
- ## If no password is specified here, Telegraf will prompt for it at startup time.
+ ## macOS Keychain password
+ ## If no password is specified here, Telegraf will prompt for it at startup
+ ## time.
 # password = ""
 
 ## Allow dynamic secrets that are updated during runtime of telegraf
diff --git a/plugins/secretstores/os/sample_linux.conf b/plugins/secretstores/os/sample_linux.conf
deleted file mode 100644
index 87d993d0f..000000000
--- a/plugins/secretstores/os/sample_linux.conf
+++ /dev/null
@@ -1,12 +0,0 @@
-# Operating System native secret-store
-[[secretstores.os]]
- ## Unique identifier for the secret-store.
- ## This id can later be used in plugins to reference the secrets
- ## in this secret-store via @{:} (mandatory)
- id = "secretstore"
-
- ## Keyring name used for the secrets
- # keyring = "telegraf"
-
- ## Allow dynamic secrets that are updated during runtime of telegraf
- # dynamic = false
diff --git a/plugins/secretstores/os/sample_windows.conf b/plugins/secretstores/os/sample_windows.conf
deleted file mode 100644
index def9b074e..000000000
--- a/plugins/secretstores/os/sample_windows.conf
+++ /dev/null
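Review bot: The unified sample.conf now advertises `password` to every platform, but the only place in this diff where the option visibly has an effect is the macOS `createKeyringConfig`, which calls `o.Password.Get()`; the Linux and Windows `createKeyringConfig` bodies shown here do not reference `Password` (both functions continue past their hunks, so this is inferred rather than proven). A Linux or Windows operator who sets `password` expecting it to protect the keyring would get no signal that the value is ignored, and a real secret would sit unused in the config file. Consider extending the comment above `# password = ""` with `## Only used on macOS; the setting is ignored on Linux and Windows.`, and optionally have the non-macOS `createKeyringConfig` implementations log or reject a non-empty `Password` so the misconfiguration surfaces at startup instead of being silently accepted.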
@@ -1,15 +0,0 @@
-# Operating System native secret-store
-[[secretstores.os]]
- ## Unique identifier for the secret-store.
- ## This id can later be used in plugins to reference the secrets
- ## in this secret-store via @{:} (mandatory)
- id = "secretstore"
-
- ## Keyring of the secrets
- ## In Windows, keys follow a fixed pattern in the form `::`. Please keep this in mind
- ## when creating secrets with the Windows credential tool.
- # keyring = "telegraf"
- # collection = ""
-
- ## Allow dynamic secrets that are updated during runtime of telegraf
- # dynamic = false