chore(secretstores.os): Unify config (#12791)

2023-03-07 01:39:17 -07:00 · 2023-03-07 01:39:17 -07:00 · 2b6d9f22ad
parent 4747e7ba10
commit 2b6d9f22ad
8 changed files with 63 additions and 119 deletions
--- a/plugins/secretstores/os/README.md
+++ b/plugins/secretstores/os/README.md
@ -32,6 +32,55 @@ Telegraf. I.e. when set to `true`, the secret will be read from the secret-store
 on every access by a plugin. If set to `false`, all secrets in the secret store
 are assumed to be static and are only read once at startup of Telegraf.

+```toml @sample.conf
+# Operating System native secret-store
+[[secretstores.os]]
+  ## Unique identifier for the secret-store.
+  ## This id can later be used in plugins to reference the secrets
+  ## in this secret-store via @{<id>:<secret_key>} (mandatory)
+  id = "secretstore"
+
+  ## Keyring Name & Collection
+  ## * Linux: keyring name used for the secrets, collection is unused
+  ## * macOS: keyring specifies the macOS' Keychain name and collection is an
+  ##     optional Keychain service name
+  ## * Windows: keys follow a fixed pattern in the form
+  ##     `<keyring>:<collection>:<key>`. Please keep this in mind when creating
+  ##     secrets with the Windows credential tool.
+  # keyring = "telegraf"
+  # collection = ""
+
+  ## macOS Keychain password
+  ## If no password is specified here, Telegraf will prompt for it at startup
+  ## time.
+  # password = ""
+
+  ## Allow dynamic secrets that are updated during runtime of telegraf
+  # dynamic = false
+```
+
+### Linux
+
+On Linux the kernel keyring in the `user` scope is used to store the
+secrets. The `collection` setting is ignored on Linux.
+
+### MacOS
+
+On MacOS the Keychain implementation is used. Here the `keyring` parameter
+corresponds to the Keychain name and the `collection` to the optional Keychain
+service name. Additionally a password is required to access the Keychain.
+The `password` itself is also a secret and can be a string, an environment
+variable or a reference to a secret stored in another secret-store.
+If `password` is omitted, you will be prompted for the password on startup.
+
+### Windows
+
+On Windows you can use the Credential Manager Control panel or
+[Telegraf](../../../cmd/telegraf/README.md) to manage your secrets.
+Please use _generic credentials_ and respect the special
+`<keyring>:<collection>:<key>` format of the secret key. The
+secret value needs to be stored in the `Password` field.
+
 ### Docker

 Access to the kernel keyring is __disabled by default__ in docker containers
@ -54,78 +103,3 @@ capability Telegraf will panic. Users will need to start a container with the
 See [github.com/awnumar/memguard#144][memguard-issue] for more information.

 [memguard-issue]: https://github.com/awnumar/memguard/issues/144
-
-### Windows
-
-```toml @sample_windows.conf
-# Operating System native secret-store
-[[secretstores.os]]
-  ## Unique identifier for the secret-store.
-  ## This id can later be used in plugins to reference the secrets
-  ## in this secret-store via @{<id>:<secret_key>} (mandatory)
-  id = "secretstore"
-
-  ## Keyring of the secrets
-  ## In Windows, keys follow a fixed pattern in the form `<keyring>:<collection>:<key>`. Please keep this in mind
-  ## when creating secrets with the Windows credential tool.
-  # keyring = "telegraf"
-  # collection = ""
-
-  ## Allow dynamic secrets that are updated during runtime of telegraf
-  # dynamic = false
-```
-
-On Windows you can use the Credential Manager Control panel or
-[Telegraf](../../../cmd/telegraf/README.md) to manage your secrets.
-Please use _generic credentials_ and respect the special
-`<keyring>:<collection>:<key>` format of the secret key. The
-secret value needs to be stored in the `Password` field.
-
-### Linux
-
-```toml @sample_linux.conf
-# Operating System native secret-store
-[[secretstores.os]]
-  ## Unique identifier for the secret-store.
-  ## This id can later be used in plugins to reference the secrets
-  ## in this secret-store via @{<id>:<secret_key>} (mandatory)
-  id = "secretstore"
-
-  ## Keyring name used for the secrets
-  # keyring = "telegraf"
-
-  ## Allow dynamic secrets that are updated during runtime of telegraf
-  # dynamic = false
-```
-
-On Linux the kernel keyring in the `user` scope is used to store the
-secrets. The `collection` setting is ignored on Linux.
-
-### MacOS
-
-```toml @sample_darwin.conf
-# Operating System native secret-store
-[[secretstores.os]]
-  ## Unique identifier for the secret-store.
-  ## This id can later be used in plugins to reference the secrets
-  ## in this secret-store via @{<id>:<secret_key>} (mandatory)
-  id = "secretstore"
-
-  ## MacOS' Keychain name and service name
-  # keyring = "telegraf"
-  # collection = ""
-
-  ## MacOS' Keychain password
-  ## If no password is specified here, Telegraf will prompt for it at startup time.
-  # password = ""
-
-  ## Allow dynamic secrets that are updated during runtime of telegraf
-  # dynamic = false
-```
-
-On MacOS the Keychain implementation is used. Here the `keyring` parameter
-corresponds to the Keychain name and the `collection` to the optional Keychain
-service name. Additionally a password is required to access the Keychain.
-The `password` itself is also a secret and can be a string, an environment
-variable or a reference to a secret stored in another secret-store.
-If `password` is omitted, you will be prompted for the password on startup.
--- a/plugins/secretstores/os/os.go
+++ b/plugins/secretstores/os/os.go
@ -4,6 +4,7 @@
 package os

 import (
+	_ "embed"
 	"errors"
 	"fmt"

@ -14,6 +15,9 @@ import (
 	"github.com/influxdata/telegraf/plugins/secretstores"
 )

+//go:embed sample.conf
+var sampleConfig string
+
 type OS struct {
 	ID         string        `toml:"id"`
 	Keyring    string        `toml:"keyring"`
--- a/plugins/secretstores/os/os_darwin.go
+++ b/plugins/secretstores/os/os_darwin.go
@ -3,7 +3,6 @@
 package os

 import (
-	_ "embed"
 	"fmt"

 	"github.com/99designs/keyring"
@ -11,9 +10,6 @@ import (
 	"github.com/influxdata/telegraf/config"
 )

-//go:embed sample_darwin.conf
-var sampleConfig string
-
 func (o *OS) createKeyringConfig() (keyring.Config, error) {
 	passwd, err := o.Password.Get()
 	if err != nil {
--- a/plugins/secretstores/os/os_linux.go
+++ b/plugins/secretstores/os/os_linux.go
@ -3,14 +3,9 @@
 package os

 import (
-	_ "embed"
-
 	"github.com/99designs/keyring"
 )

-//go:embed sample_linux.conf
-var sampleConfig string
-
 func (o *OS) createKeyringConfig() (keyring.Config, error) {
 	if o.Keyring == "" {
 		o.Keyring = "telegraf"
--- a/plugins/secretstores/os/os_windows.go
+++ b/plugins/secretstores/os/os_windows.go
@ -3,14 +3,9 @@
 package os

 import (
-	_ "embed"
-
 	"github.com/99designs/keyring"
 )

-//go:embed sample_windows.conf
-var sampleConfig string
-
 func (o *OS) createKeyringConfig() (keyring.Config, error) {
 	return keyring.Config{
 		ServiceName:     o.Keyring,
--- a/plugins/secretstores/os/sample_darwin.conf
+++ b/plugins/secretstores/os/sample_darwin.conf
@ -5,12 +5,19 @@
  ## in this secret-store via @{<id>:<secret_key>} (mandatory)
  id = "secretstore"

-  ## MacOS' Keychain name and service name
+  ## Keyring Name & Collection
+  ## * Linux: keyring name used for the secrets, collection is unused
+  ## * macOS: keyring specifies the macOS' Keychain name and collection is an
+  ##     optional Keychain service name
+  ## * Windows: keys follow a fixed pattern in the form
+  ##     `<keyring>:<collection>:<key>`. Please keep this in mind when creating
+  ##     secrets with the Windows credential tool.
  # keyring = "telegraf"
  # collection = ""

-  ## MacOS' Keychain password
-  ## If no password is specified here, Telegraf will prompt for it at startup time.
+  ## macOS Keychain password
+  ## If no password is specified here, Telegraf will prompt for it at startup
+  ## time.
  # password = ""

  ## Allow dynamic secrets that are updated during runtime of telegraf
--- a/plugins/secretstores/os/sample_linux.conf
+++ b/plugins/secretstores/os/sample_linux.conf
@ -1,12 +0,0 @@
-# Operating System native secret-store
-[[secretstores.os]]
-  ## Unique identifier for the secret-store.
-  ## This id can later be used in plugins to reference the secrets
-  ## in this secret-store via @{<id>:<secret_key>} (mandatory)
-  id = "secretstore"
-
-  ## Keyring name used for the secrets
-  # keyring = "telegraf"
-
-  ## Allow dynamic secrets that are updated during runtime of telegraf
-  # dynamic = false
--- a/plugins/secretstores/os/sample_windows.conf
+++ b/plugins/secretstores/os/sample_windows.conf
@ -1,15 +0,0 @@
-# Operating System native secret-store
-[[secretstores.os]]
-  ## Unique identifier for the secret-store.
-  ## This id can later be used in plugins to reference the secrets
-  ## in this secret-store via @{<id>:<secret_key>} (mandatory)
-  id = "secretstore"
-
-  ## Keyring of the secrets
-  ## In Windows, keys follow a fixed pattern in the form `<keyring>:<collection>:<key>`. Please keep this in mind
-  ## when creating secrets with the Windows credential tool.
-  # keyring = "telegraf"
-  # collection = ""
-
-  ## Allow dynamic secrets that are updated during runtime of telegraf
-  # dynamic = false