fix(secretstores): cleanup duplicate printing (#12401)

cmd/telegraf/printer.go

@@ -146,24 +146,6 @@ func printSampleConfig(
 		}
 	}
 
-	// print secretstore plugins
-	if sliceContains("secretstores", sectionFilters) {
-		if len(secretstoreFilters) != 0 {
-			if len(secretstoreFilters) >= 3 && secretstoreFilters[1] != "none" {
-				fmt.Print(secretstoreHeader)
-			}
-			printFilteredSecretstores(secretstoreFilters, false, outputBuffer)
-		} else {
-			fmt.Print(secretstoreHeader)
-			snames := []string{}
-			for sname := range secretstores.SecretStores {
-				snames = append(snames, sname)
-			}
-			sort.Strings(snames)
-			printFilteredSecretstores(snames, true, outputBuffer)
-		}
-	}
-
 	// print output plugins
 	if sliceContains("outputs", sectionFilters) {
 		if len(outputFilters) != 0 {

config/secret.go

@@ -29,6 +29,9 @@ type Secret struct {
 	// unlinked contains all references in the secret that are not yet
 	// linked to the corresponding secret store.
 	unlinked []string
+
+	// Denotes if the secret is completely empty
+	notempty bool
 }
 
 // NewSecret creates a new secret from the given bytes
@@ -45,7 +48,7 @@ func (s *Secret) UnmarshalTOML(b []byte) error {
 
 	// Keep track of secrets that contain references to secret-stores
 	// for later resolving by the config.
-	if len(s.unlinked) > 0 {
+	if len(s.unlinked) > 0 && s.notempty {
 		unlinkedSecrets = append(unlinkedSecrets, s)
 	}
 
@@ -56,6 +59,9 @@ func (s *Secret) UnmarshalTOML(b []byte) error {
 func (s *Secret) init(b []byte) {
 	secret := unquoteTomlString(b)
 
+	// Remember if the secret is completely empty
+	s.notempty = len(secret) != 0
+
 	// Find all parts that need to be resolved and return them
 	s.unlinked = secretPattern.FindAllString(string(secret), -1)
 
@@ -68,6 +74,7 @@ func (s *Secret) init(b []byte) {
 func (s *Secret) Destroy() {
 	s.resolvers = nil
 	s.unlinked = nil
+	s.notempty = false
 
 	if s.enclave == nil {
 		return
@@ -81,6 +88,11 @@ func (s *Secret) Destroy() {
 	s.enclave = nil
 }
 
+// Empty return if the secret is completely empty
+func (s *Secret) Empty() bool {
+	return !s.notempty
+}
+
 // Get return the string representation of the secret
 func (s *Secret) Get() ([]byte, error) {
 	if s.enclave == nil {

plugins/inputs/http/http.go

@@ -186,19 +186,24 @@ func (h *HTTP) gatherURL(
 }
 
 func (h *HTTP) setRequestAuth(request *http.Request) error {
+	if h.Username.Empty() && h.Password.Empty() {
+		return nil
+	}
+
 	username, err := h.Username.Get()
 	if err != nil {
 		return fmt.Errorf("getting username failed: %v", err)
 	}
 	defer config.ReleaseSecret(username)
+
 	password, err := h.Password.Get()
 	if err != nil {
 		return fmt.Errorf("getting password failed: %v", err)
 	}
 	defer config.ReleaseSecret(password)
-	if len(username) != 0 || len(password) != 0 {
-		request.SetBasicAuth(string(username), string(password))
-	}
+
+	request.SetBasicAuth(string(username), string(password))
+
 	return nil
 }
 

plugins/secretstores/jose/README.md

@@ -3,8 +3,13 @@
 The `jose` plugin allows to manage and store secrets locally
 protected by the [Javascript Object Signing and Encryption][jose] algorithm.
 
-To manage your secrets of this secret-store, you should use the
-[secrets command of Telegraf](/docs/COMMANDS_AND_FLAGS.md#secrets-management).
+To manage your secrets of this secret-store, you should use Telegraf. Run
+
+```shell
+telegraf secrets help
+```
+
+to get more information on how to do this.
 
 ## Configuration
 
@@ -17,7 +22,7 @@ To manage your secrets of this secret-store, you should use the
   id = "secretstore"
 
   ## Directory for storing the secrets
-  # path = "secrets"
+  path = "/etc/telegraf/secrets"
 
   ## Password to access the secrets.
   ## If no password is specified here, Telegraf will prompt for it at startup time.

plugins/secretstores/jose/jose.go

@@ -12,8 +12,6 @@ import (
 	"github.com/influxdata/telegraf/plugins/secretstores"
 )
 
-// DO NOT REMOVE THE NEXT TWO LINES! This is required to embed the sampleConfig data.
-//
 //go:embed sample.conf
 var sampleConfig string
 
@@ -37,10 +35,15 @@ func (j *Jose) Init() error {
 		return errors.New("id missing")
 	}
 
+	if j.Path == "" {
+		return errors.New("path missing")
+	}
+
 	passwd, err := j.Password.Get()
 	if err != nil {
 		return fmt.Errorf("getting password failed: %v", err)
 	}
+	defer config.ReleaseSecret(passwd)
 
 	// Create the prompt-function in case we need it
 	promptFunc := keyring.TerminalPrompt
@@ -100,9 +103,6 @@ func (j *Jose) GetResolver(key string) (telegraf.ResolveFunc, error) {
 // Register the secret-store on load.
 func init() {
 	secretstores.Add("jose", func(id string) telegraf.SecretStore {
-		return &Jose{
-			ID:   id,
-			Path: "secrets",
-		}
+		return &Jose{ID: id}
 	})
 }

plugins/secretstores/jose/jose_test.go

@@ -24,10 +24,18 @@ func TestInitFail(t *testing.T) {
 			plugin:   &Jose{},
 			expected: "id missing",
 		},
+		{
+			name: "missing path",
+			plugin: &Jose{
+				ID: "test",
+			},
+			expected: "path missing",
+		},
 		{
 			name: "invalid password",
 			plugin: &Jose{
 				ID:       "test",
+				Path:     os.TempDir(),
 				Password: config.NewSecret([]byte("@{unresolvable:secret}")),
 			},
 			expected: "getting password failed",

plugins/secretstores/jose/sample.conf

@@ -6,7 +6,7 @@
   id = "secretstore"
 
   ## Directory for storing the secrets
-  # path = "secrets"
+  path = "/etc/telegraf/secrets"
 
   ## Password to access the secrets.
   ## If no password is specified here, Telegraf will prompt for it at startup time.

plugins/secretstores/os/README.md

@@ -4,9 +4,14 @@ The `os` plugin allows to manage and store secrets using the native Operating
 System keyring. For Windows this plugin uses the credential manager, on Linux
 the kernel keyring is used and on MacOS we use the Keychain implementation.
 
-To manage your secrets you can either use the
-[secrets command of Telegraf](/docs/COMMANDS_AND_FLAGS.md#secrets-management)
-or the tools that natively comes with your operating system.
+To manage your secrets you can either use Telegraf or the tools that natively
+comes with your operating system. Run
+
+```shell
+telegraf secrets help
+```
+
+to get more information on how to do this with Telegraf.
 
 ## Configuration
 

plugins/secretstores/os/os.go

@@ -1,5 +1,4 @@
 //go:build darwin || linux || windows
-// +build darwin linux windows
 
 //go:generate ../../../tools/readme_config_includer/generator
 package os

plugins/secretstores/os/os_darwin.go

@@ -1,5 +1,4 @@
 //go:build darwin
-// +build darwin
 
 package os
 
@@ -12,8 +11,6 @@ import (
 	"github.com/influxdata/telegraf/config"
 )
 
-// DO NOT REMOVE THE NEXT TWO LINES! This is required to embed the sampleConfig data.
-//
 //go:embed sample_darwin.conf
 var sampleConfig string
 

plugins/secretstores/os/os_linux.go

@@ -1,5 +1,4 @@
 //go:build linux
-// +build linux
 
 package os
 
@@ -9,8 +8,6 @@ import (
 	"github.com/99designs/keyring"
 )
 
-// DO NOT REMOVE THE NEXT TWO LINES! This is required to embed the sampleConfig data.
-//
 //go:embed sample_linux.conf
 var sampleConfig string
 

plugins/secretstores/os/os_test.go

@@ -1,5 +1,4 @@
 //go:build darwin || linux || windows
-// +build darwin linux windows
 
 package os
 

plugins/secretstores/os/os_windows.go

@@ -1,5 +1,4 @@
 //go:build windows
-// +build windows
 
 package os
 
@@ -9,8 +8,6 @@ import (
 	"github.com/99designs/keyring"
 )
 
-// DO NOT REMOVE THE NEXT TWO LINES! This is required to embed the sampleConfig data.
-//
 //go:embed sample_windows.conf
 var sampleConfig string