-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Discussion] External secrets integration #2469
Comments
One idea could be to use something like gomplate (MIT License), since it has many of the needed integrations already built in ( see https://github.com/hairyhenderson/gomplate/tree/master/data ). It could be used within config/config.go and would follow a similar pattern to the current environment variable expansion ( opentelemetry-collector/config/config.go Line 683 in 9de6dd7
|
@alolita @jpkrohling - While not critical at this moment, could you provide your thoughts on this when you have some spare cycles? |
I like the proposal and I could have made use of that for the PR that introduced the I would make this opt-in with the possibility for components to register a callback, so that they can reload whatever needs to be reloaded when the config value changes. |
@pjanotti is looking into this. |
@pjanotti - Let me know if you would like assistance in your research and initial PRs. |
Hi @gramidt, @jpkrohling, @alolita and @tigrannajaryan here is a doc with a design based on some prototyping. I would love to get some quick feedback so we can make this available soon. |
Thanks for the proposal, @pjanotti! I left a couple of comments there. |
Thank you for the proposal, @pjanotti! I have added it to my queue to review this afternoon. |
@pjanotti - Passing this document around to get further feedback from our teams. I'll be sure to share the feedback in the near future. |
@pjanotti - I apologize for the delay. Our team overall loved the proposal. It went above what our expectation were and couldn't be more excited to see this take form. Let me know if you need anything at all. |
Hi! My company recently enabled Kyverno to identify Kubernetes vulnerabilities and reported a vulnerability since we inject an API key into an environment variable. Does anyone have an update on the resolution to this issue? |
Is your feature request related to a problem? Please describe.
The Collector does not provide a mechanism to retrieve secrets from external systems or processes. The current mechanisms are to either hardcode the secret in the corresponding config or use environment variable expansion. While the latter is better than the former, it still has significant room for improvement, since environment variables are prone to being accidentally exposed.
Key problems to think about:
This problem is currently affecting multiple components that rely on secrets. If any component would like to adopt a more secure mechanism for secret management, they would have to implement them independently. The below list is just to reference a type of issue that currently exists, and is not to be considered a comprehensive list:
Describe the solution you'd like
I would love a mechanism that's similar to the current environment variable expansion but allows for integration into secret managers, HSMs, and other options such as files. This approach would enable all components to support secure secrets without having to do anything initially. The tricky part is determining how to support secret rotations without restarting the collector.
Describe alternatives you've considered
The text was updated successfully, but these errors were encountered: