diff --git a/cmd/telegraf/printer.go b/cmd/telegraf/printer.go index 72dc41cb0..1cdffa6c6 100644 --- a/cmd/telegraf/printer.go +++ b/cmd/telegraf/printer.go @@ -146,24 +146,6 @@ func printSampleConfig( } } - // print secretstore plugins - if sliceContains("secretstores", sectionFilters) { - if len(secretstoreFilters) != 0 { - if len(secretstoreFilters) >= 3 && secretstoreFilters[1] != "none" { - fmt.Print(secretstoreHeader) - } - printFilteredSecretstores(secretstoreFilters, false, outputBuffer) - } else { - fmt.Print(secretstoreHeader) - snames := []string{} - for sname := range secretstores.SecretStores { - snames = append(snames, sname) - } - sort.Strings(snames) - printFilteredSecretstores(snames, true, outputBuffer) - } - } - // print output plugins if sliceContains("outputs", sectionFilters) { if len(outputFilters) != 0 { diff --git a/config/secret.go b/config/secret.go index dd3c38113..5cb12c592 100644 --- a/config/secret.go +++ b/config/secret.go @@ -29,6 +29,9 @@ type Secret struct { // unlinked contains all references in the secret that are not yet // linked to the corresponding secret store. unlinked []string + + // Denotes if the secret is completely empty + notempty bool } // NewSecret creates a new secret from the given bytes @@ -45,7 +48,7 @@ func (s *Secret) UnmarshalTOML(b []byte) error { // Keep track of secrets that contain references to secret-stores // for later resolving by the config. - if len(s.unlinked) > 0 { + if len(s.unlinked) > 0 && s.notempty { unlinkedSecrets = append(unlinkedSecrets, s) } @@ -56,6 +59,9 @@ func (s *Secret) UnmarshalTOML(b []byte) error { func (s *Secret) init(b []byte) { secret := unquoteTomlString(b) + // Remember if the secret is completely empty + s.notempty = len(secret) != 0 + // Find all parts that need to be resolved and return them s.unlinked = secretPattern.FindAllString(string(secret), -1) 
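Review bot: The `&& s.notempty` added to the condition in UnmarshalTOML looks redundant: `s.unlinked` is filled by `secretPattern.FindAllString` on the same unquoted value whose length sets `notempty` (see the init hunk further along), so `len(s.unlinked) > 0` can only hold when `notempty` already holds — assuming UnmarshalTOML calls init before this check, which the hunk does not show. If the extra operand is meant defensively, a one-line comment saying so would stop the next reader from hunting for a case it covers; otherwise the line can stay as `if len(s.unlinked) > 0 {`.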
@@ -68,6 +74,7 @@ func (s *Secret) init(b []byte) { func (s *Secret) Destroy() { s.resolvers = nil s.unlinked = nil + s.notempty = false if s.enclave == nil { return @@ -81,6 +88,11 @@ func (s *Secret) Destroy() { s.enclave = nil } +// Empty return if the secret is completely empty +func (s *Secret) Empty() bool { + return !s.notempty +} + // Get return the string representation of the secret func (s *Secret) Get() ([]byte, error) { if s.enclave == nil { diff --git a/plugins/inputs/http/http.go b/plugins/inputs/http/http.go index aa031e0b3..f6456929b 100644 --- a/plugins/inputs/http/http.go +++ b/plugins/inputs/http/http.go @@ -186,19 +186,24 @@ func (h *HTTP) gatherURL( } func (h *HTTP) setRequestAuth(request *http.Request) error { + if h.Username.Empty() && h.Password.Empty() { + return nil + } + username, err := h.Username.Get() if err != nil { return fmt.Errorf("getting username failed: %v", err) } defer config.ReleaseSecret(username) + password, err := h.Password.Get() if err != nil { return fmt.Errorf("getting password failed: %v", err) } defer config.ReleaseSecret(password) - if len(username) != 0 || len(password) != 0 { - request.SetBasicAuth(string(username), string(password)) - } + + request.SetBasicAuth(string(username), string(password)) + return nil } diff --git a/plugins/secretstores/jose/README.md b/plugins/secretstores/jose/README.md index 1d29890d2..15ff7394b 100644 --- a/plugins/secretstores/jose/README.md +++ b/plugins/secretstores/jose/README.md @@ -3,8 +3,13 @@ The `jose` plugin allows to manage and store secrets locally protected by the [Javascript Object Signing and Encryption][jose] algorithm. -To manage your secrets of this secret-store, you should use the -[secrets command of Telegraf](/docs/COMMANDS_AND_FLAGS.md#secrets-management). +To manage your secrets of this secret-store, you should use Telegraf. Run + +```shell +telegraf secrets help +``` + +to get more information on how to do this. ## Configuration 
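Review bot: The doc comment on the new Empty method is ungrammatical and understates what the flag means: `notempty` is derived from the length of the raw TOML value in init and cleared again in Destroy, so Empty reports on the configured text, not on what a `@{store:key}` reference resolves to, and it is also true for a zero-value Secret that was never unmarshalled. I would write `// Empty reports whether the secret was configured with an empty value (or has been destroyed).` followed by `// It does not inspect the resolved value of a secret-store reference.` so callers using it as a guard know which emptiness they are testing.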
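Review bot: The early return in setRequestAuth tests whether the configured values are empty, while the `len(username) != 0 || len(password) != 0` guard it replaces tested the resolved values, so a username or password given as a secret-store reference that resolves to an empty string now reaches `SetBasicAuth("", "")` and sends an `Authorization: Basic Og==` header where none was sent before. Keeping the resolved-value guard around the call, `if len(username) != 0 || len(password) != 0 { request.SetBasicAuth(string(username), string(password)) }`, preserves the previous behaviour while still skipping both Get calls when no credentials are configured at all. Whether a reference can actually resolve to an empty value depends on the secret stores, which are not visible here.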
@@ -17,7 +22,7 @@ To manage your secrets of this secret-store, you should use the id = "secretstore" ## Directory for storing the secrets - # path = "secrets" + path = "/etc/telegraf/secrets" ## Password to access the secrets. ## If no password is specified here, Telegraf will prompt for it at startup time. diff --git a/plugins/secretstores/jose/jose.go b/plugins/secretstores/jose/jose.go index b0ccf3304..e955afe91 100644 --- a/plugins/secretstores/jose/jose.go +++ b/plugins/secretstores/jose/jose.go @@ -12,8 +12,6 @@ import ( "github.com/influxdata/telegraf/plugins/secretstores" ) -// DO NOT REMOVE THE NEXT TWO LINES! This is required to embed the sampleConfig data. -// //go:embed sample.conf var sampleConfig string @@ -37,10 +35,15 @@ func (j *Jose) Init() error { return errors.New("id missing") } + if j.Path == "" { + return errors.New("path missing") + } + passwd, err := j.Password.Get() if err != nil { return fmt.Errorf("getting password failed: %v", err) } + defer config.ReleaseSecret(passwd) // Create the prompt-function in case we need it promptFunc := keyring.TerminalPrompt @@ -100,9 +103,6 @@ func (j *Jose) GetResolver(key string) (telegraf.ResolveFunc, error) { // Register the secret-store on load. func init() { secretstores.Add("jose", func(id string) telegraf.SecretStore { - return &Jose{ - ID: id, - Path: "secrets", - } + return &Jose{ID: id} }) } diff --git a/plugins/secretstores/jose/jose_test.go b/plugins/secretstores/jose/jose_test.go index a077f80b4..25fbc13d7 100644 --- a/plugins/secretstores/jose/jose_test.go +++ b/plugins/secretstores/jose/jose_test.go @@ -24,10 +24,18 @@ func TestInitFail(t *testing.T) { plugin: &Jose{}, expected: "id missing", }, + { + name: "missing path", + plugin: &Jose{ + ID: "test", + }, + expected: "path missing", + }, { name: "invalid password", plugin: &Jose{ ID: "test", + Path: os.TempDir(), Password: config.NewSecret([]byte("@{unresolvable:secret}")), }, expected: "getting password failed", 
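Review bot: The added `defer config.ReleaseSecret(passwd)` wipes the password buffer when Init returns, so anything that outlives Init — the prompt function created right after the hunk, the keyring configuration — must retain its own copy rather than the `passwd` slice; Init's body continues outside the hunk, so I could not confirm that here, and a comment on the defer such as `// passwd is wiped on return; only copies (e.g. string(passwd)) may be kept below` would make the contract explicit. The new `path missing` check matches the sample.conf change that drops the implicit "secrets" default, but it only rejects the empty string; a relative path is still resolved against the daemon's working directory, which for a directory holding encrypted secrets is worth stating in the README next to the new absolute example.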
diff --git a/plugins/secretstores/jose/sample.conf b/plugins/secretstores/jose/sample.conf index 844eb4800..9c6ba2ab4 100644 --- a/plugins/secretstores/jose/sample.conf +++ b/plugins/secretstores/jose/sample.conf @@ -6,7 +6,7 @@ id = "secretstore" ## Directory for storing the secrets - # path = "secrets" + path = "/etc/telegraf/secrets" ## Password to access the secrets. ## If no password is specified here, Telegraf will prompt for it at startup time. diff --git a/plugins/secretstores/os/README.md b/plugins/secretstores/os/README.md index af89c6cfc..c9a485e00 100644 --- a/plugins/secretstores/os/README.md +++ b/plugins/secretstores/os/README.md @@ -4,9 +4,14 @@ The `os` plugin allows to manage and store secrets using the native Operating System keyring. For Windows this plugin uses the credential manager, on Linux the kernel keyring is used and on MacOS we use the Keychain implementation. -To manage your secrets you can either use the -[secrets command of Telegraf](/docs/COMMANDS_AND_FLAGS.md#secrets-management) -or the tools that natively comes with your operating system. +To manage your secrets you can either use Telegraf or the tools that natively +comes with your operating system. Run + +```shell +telegraf secrets help +``` + +to get more information on how to do this with Telegraf. ## Configuration diff --git a/plugins/secretstores/os/os.go b/plugins/secretstores/os/os.go index 73dd99fc1..efdcfbb8a 100644 --- a/plugins/secretstores/os/os.go +++ b/plugins/secretstores/os/os.go @@ -1,5 +1,4 @@ //go:build darwin || linux || windows -// +build darwin linux windows //go:generate ../../../tools/readme_config_includer/generator package os diff --git a/plugins/secretstores/os/os_darwin.go b/plugins/secretstores/os/os_darwin.go index 26ae211b6..1357ebd5b 100644 --- a/plugins/secretstores/os/os_darwin.go +++ b/plugins/secretstores/os/os_darwin.go @@ -1,5 +1,4 @@ //go:build darwin -// +build darwin package os 
@@ -12,8 +11,6 @@ import ( "github.com/influxdata/telegraf/config" ) -// DO NOT REMOVE THE NEXT TWO LINES! This is required to embed the sampleConfig data. -// //go:embed sample_darwin.conf var sampleConfig string diff --git a/plugins/secretstores/os/os_linux.go b/plugins/secretstores/os/os_linux.go index 9e078f256..b156d00e7 100644 --- a/plugins/secretstores/os/os_linux.go +++ b/plugins/secretstores/os/os_linux.go @@ -1,5 +1,4 @@ //go:build linux -// +build linux package os @@ -9,8 +8,6 @@ import ( "github.com/99designs/keyring" ) -// DO NOT REMOVE THE NEXT TWO LINES! This is required to embed the sampleConfig data. -// //go:embed sample_linux.conf var sampleConfig string diff --git a/plugins/secretstores/os/os_test.go b/plugins/secretstores/os/os_test.go index 73aee721a..9e9d59c1a 100644 --- a/plugins/secretstores/os/os_test.go +++ b/plugins/secretstores/os/os_test.go @@ -1,5 +1,4 @@ //go:build darwin || linux || windows -// +build darwin linux windows package os diff --git a/plugins/secretstores/os/os_windows.go b/plugins/secretstores/os/os_windows.go index 806ba35d5..f00e92d06 100644 --- a/plugins/secretstores/os/os_windows.go +++ b/plugins/secretstores/os/os_windows.go @@ -1,5 +1,4 @@ //go:build windows -// +build windows package os @@ -9,8 +8,6 @@ import ( "github.com/99designs/keyring" ) -// DO NOT REMOVE THE NEXT TWO LINES! This is required to embed the sampleConfig data. -// //go:embed sample_windows.conf var sampleConfig string