chore(secretstores.os): Unify config (#12791)

Joshua Powers 2023-03-07 01:39:17 -07:00 committed by GitHub
parent 4747e7ba10
commit 2b6d9f22ad
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 63 additions and 119 deletions


@ -32,6 +32,55 @@ Telegraf. I.e. when set to `true`, the secret will be read from the secret-store
on every access by a plugin. If set to `false`, all secrets in the secret store on every access by a plugin. If set to `false`, all secrets in the secret store
are assumed to be static and are only read once at startup of Telegraf. are assumed to be static and are only read once at startup of Telegraf.
```toml @sample.conf
# Operating System native secret-store
[[secretstores.os]]
## Unique identifier for the secret-store.
## This id can later be used in plugins to reference the secrets
## in this secret-store via @{<id>:<secret_key>} (mandatory)
id = "secretstore"
## Keyring Name & Collection
## * Linux: keyring name used for the secrets, collection is unused
## * macOS: keyring specifies the macOS' Keychain name and collection is an
## optional Keychain service name
## * Windows: keys follow a fixed pattern in the form
## `<keyring>:<collection>:<key>`. Please keep this in mind when creating
## secrets with the Windows credential tool.
# keyring = "telegraf"
# collection = ""
## macOS Keychain password
## If no password is specified here, Telegraf will prompt for it at startup
## time.
# password = ""
## Allow dynamic secrets that are updated during runtime of telegraf
# dynamic = false
```
### Linux
On Linux the kernel keyring in the `user` scope is used to store the
secrets. The `collection` setting is ignored on Linux.
### MacOS
On MacOS the Keychain implementation is used. Here the `keyring` parameter
corresponds to the Keychain name and the `collection` to the optional Keychain
service name. Additionally a password is required to access the Keychain.
The `password` itself is also a secret and can be a string, an environment
variable or a reference to a secret stored in another secret-store.
If `password` is omitted, you will be prompted for the password on startup.
### Windows
On Windows you can use the Credential Manager Control panel or
[Telegraf](../../../cmd/telegraf/README.md) to manage your secrets.
Please use _generic credentials_ and respect the special
`<keyring>:<collection>:<key>` format of the secret key. The
secret value needs to be stored in the `Password` field.
### Docker ### Docker
Access to the kernel keyring is __disabled by default__ in docker containers Access to the kernel keyring is __disabled by default__ in docker containers
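Review bot: the unified sample in this hunk lists `password` for every platform under "macOS Keychain password", but the new `### Linux` and `### Windows` sections never say what happens when a user sets `password` anyway (the Linux section already says this for `collection`). Add one sentence to each stating that `password` is ignored there, so nobody assumes the Linux kernel keyring or the Windows Credential Manager is being protected by it. Minor: the headings spell it `MacOS` while the sample comments say `macOS`; pick one spelling.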
@ -54,78 +103,3 @@ capability Telegraf will panic. Users will need to start a container with the
See [github.com/awnumar/memguard#144][memguard-issue] for more information. See [github.com/awnumar/memguard#144][memguard-issue] for more information.
[memguard-issue]: https://github.com/awnumar/memguard/issues/144 [memguard-issue]: https://github.com/awnumar/memguard/issues/144
### Windows
```toml @sample_windows.conf
# Operating System native secret-store
[[secretstores.os]]
## Unique identifier for the secret-store.
## This id can later be used in plugins to reference the secrets
## in this secret-store via @{<id>:<secret_key>} (mandatory)
id = "secretstore"
## Keyring of the secrets
## In Windows, keys follow a fixed pattern in the form `<keyring>:<collection>:<key>`. Please keep this in mind
## when creating secrets with the Windows credential tool.
# keyring = "telegraf"
# collection = ""
## Allow dynamic secrets that are updated during runtime of telegraf
# dynamic = false
```
On Windows you can use the Credential Manager Control panel or
[Telegraf](../../../cmd/telegraf/README.md) to manage your secrets.
Please use _generic credentials_ and respect the special
`<keyring>:<collection>:<key>` format of the secret key. The
secret value needs to be stored in the `Password` field.
### Linux
```toml @sample_linux.conf
# Operating System native secret-store
[[secretstores.os]]
## Unique identifier for the secret-store.
## This id can later be used in plugins to reference the secrets
## in this secret-store via @{<id>:<secret_key>} (mandatory)
id = "secretstore"
## Keyring name used for the secrets
# keyring = "telegraf"
## Allow dynamic secrets that are updated during runtime of telegraf
# dynamic = false
```
On Linux the kernel keyring in the `user` scope is used to store the
secrets. The `collection` setting is ignored on Linux.
### MacOS
```toml @sample_darwin.conf
# Operating System native secret-store
[[secretstores.os]]
## Unique identifier for the secret-store.
## This id can later be used in plugins to reference the secrets
## in this secret-store via @{<id>:<secret_key>} (mandatory)
id = "secretstore"
## MacOS' Keychain name and service name
# keyring = "telegraf"
# collection = ""
## MacOS' Keychain password
## If no password is specified here, Telegraf will prompt for it at startup time.
# password = ""
## Allow dynamic secrets that are updated during runtime of telegraf
# dynamic = false
```
On MacOS the Keychain implementation is used. Here the `keyring` parameter
corresponds to the Keychain name and the `collection` to the optional Keychain
service name. Additionally a password is required to access the Keychain.
The `password` itself is also a secret and can be a string, an environment
variable or a reference to a secret stored in another secret-store.
If `password` is omitted, you will be prompted for the password on startup.


@ -4,6 +4,7 @@
package os package os
import ( import (
_ "embed"
"errors" "errors"
"fmt" "fmt"
@ -14,6 +15,9 @@ import (
"github.com/influxdata/telegraf/plugins/secretstores" "github.com/influxdata/telegraf/plugins/secretstores"
) )
//go:embed sample.conf
var sampleConfig string
type OS struct { type OS struct {
ID string `toml:"id"` ID string `toml:"id"`
Keyring string `toml:"keyring"` Keyring string `toml:"keyring"`
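Review bot: with `sampleConfig` now embedded here for all platforms, the `OS` struct in this file must carry the `collection` and `password` fields on every build, otherwise the unified sample cannot be parsed on Linux and Windows. The visible context ends at `Keyring string `toml:"keyring"``, so confirm `Collection` and `Password` follow and that the Linux and Windows builds accept, rather than reject as unknown, a `password` key they never read.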


@ -3,7 +3,6 @@
package os package os
import ( import (
_ "embed"
"fmt" "fmt"
"github.com/99designs/keyring" "github.com/99designs/keyring"
@ -11,9 +10,6 @@ import (
"github.com/influxdata/telegraf/config" "github.com/influxdata/telegraf/config"
) )
//go:embed sample_darwin.conf
var sampleConfig string
func (o *OS) createKeyringConfig() (keyring.Config, error) { func (o *OS) createKeyringConfig() (keyring.Config, error) {
passwd, err := o.Password.Get() passwd, err := o.Password.Get()
if err != nil { if err != nil {


@ -3,14 +3,9 @@
package os package os
import ( import (
_ "embed"
"github.com/99designs/keyring" "github.com/99designs/keyring"
) )
//go:embed sample_linux.conf
var sampleConfig string
func (o *OS) createKeyringConfig() (keyring.Config, error) { func (o *OS) createKeyringConfig() (keyring.Config, error) {
if o.Keyring == "" { if o.Keyring == "" {
o.Keyring = "telegraf" o.Keyring = "telegraf"


@ -3,14 +3,9 @@
package os package os
import ( import (
_ "embed"
"github.com/99designs/keyring" "github.com/99designs/keyring"
) )
//go:embed sample_windows.conf
var sampleConfig string
func (o *OS) createKeyringConfig() (keyring.Config, error) { func (o *OS) createKeyringConfig() (keyring.Config, error) {
return keyring.Config{ return keyring.Config{
ServiceName: o.Keyring, ServiceName: o.Keyring,
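Review bot: the Windows `createKeyringConfig` still passes `o.Keyring` straight into `ServiceName` with no fallback, while the Linux counterpart in this same commit defaults an empty value with `if o.Keyring == "" { o.Keyring = "telegraf" }`. Now that all three platforms share one sample that shows `# keyring = "telegraf"` commented out, apply the same default here (or state in the sample that Windows requires an explicit `keyring`), so the default config does not produce an empty service name.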


@ -5,12 +5,19 @@
## in this secret-store via @{<id>:<secret_key>} (mandatory) ## in this secret-store via @{<id>:<secret_key>} (mandatory)
id = "secretstore" id = "secretstore"
## MacOS' Keychain name and service name ## Keyring Name & Collection
## * Linux: keyring name used for the secrets, collection is unused
## * macOS: keyring specifies the macOS' Keychain name and collection is an
## optional Keychain service name
## * Windows: keys follow a fixed pattern in the form
## `<keyring>:<collection>:<key>`. Please keep this in mind when creating
## secrets with the Windows credential tool.
# keyring = "telegraf" # keyring = "telegraf"
# collection = "" # collection = ""
## MacOS' Keychain password ## macOS Keychain password
## If no password is specified here, Telegraf will prompt for it at startup time. ## If no password is specified here, Telegraf will prompt for it at startup
## time.
# password = "" # password = ""
## Allow dynamic secrets that are updated during runtime of telegraf ## Allow dynamic secrets that are updated during runtime of telegraf
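Review bot: the new keyring comment says `collection` is unused on Linux, but the `## macOS Keychain password` block below it still reads as if `password` applied everywhere; add "macOS only, ignored on Linux and Windows" to that comment. The README in this commit also says `password` may reference a secret held in another secret-store; pointing at the `@{<id>:<secret_key>}` form in this comment would steer users away from writing the Keychain password in clear text in the config file.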


@ -1,12 +0,0 @@
# Operating System native secret-store
[[secretstores.os]]
## Unique identifier for the secret-store.
## This id can later be used in plugins to reference the secrets
## in this secret-store via @{<id>:<secret_key>} (mandatory)
id = "secretstore"
## Keyring name used for the secrets
# keyring = "telegraf"
## Allow dynamic secrets that are updated during runtime of telegraf
# dynamic = false


@ -1,15 +0,0 @@
# Operating System native secret-store
[[secretstores.os]]
## Unique identifier for the secret-store.
## This id can later be used in plugins to reference the secrets
## in this secret-store via @{<id>:<secret_key>} (mandatory)
id = "secretstore"
## Keyring of the secrets
## In Windows, keys follow a fixed pattern in the form `<keyring>:<collection>:<key>`. Please keep this in mind
## when creating secrets with the Windows credential tool.
# keyring = "telegraf"
# collection = ""
## Allow dynamic secrets that are updated during runtime of telegraf
# dynamic = false