Description
Currently, the Loki credentials are published in the public part of Redis. The relevant credentials are: LOKI_LOGS_INGRESS_TOKEN, LOKI_API_AUTH_USERNAME, LOKI_API_AUTH_PASSWORD.
If an attacker gains access to Redis, they may access the logs of the cluster.
The credentials need to be shared across nodes and applications to access Loki.
The most important application that needs access to these credentials is ns8-metrics.
A list of applications that use this information is available in this GitHub search.
Please also note that the core uses the credentials inside the logcli utility.
Proposed solution
Implement measures to avoid publishing credentials to Redis and add a new lokiadm that can invoke a reveal-credentials action, similar to what has been done inside ns8-mail package.
Alternative solutions
- Keep the credentials inside Redis and protect them with special ACLs
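As an added illustration of the ACL alternative (not code from NS8 or this issue), the model below keeps the three credentials in Redis but makes a dedicated `lokiadm` user the only one whose key patterns cover them, while the unauthenticated `default` user is confined to a public namespace. The key names, the `public/*` and `cluster/loki/*` namespaces and the password are constructed placeholders, and Redis key globbing is approximated with `fnmatchcase`.

```python
# Added example (not NS8 code): models the "protect them with special ACLs"
# alternative. Key names, namespaces and the password are constructed
# placeholders; Redis key-pattern matching is approximated with fnmatchcase.
from fnmatch import fnmatchcase

# Constructed locations for the three credentials named in the issue.
LOKI_KEYS = [
    "cluster/loki/LOKI_LOGS_INGRESS_TOKEN",
    "cluster/loki/LOKI_API_AUTH_USERNAME",
    "cluster/loki/LOKI_API_AUTH_PASSWORD",
]

# One ACL policy: the "default" user (no password) keeps read access to the
# public namespace only; a dedicated user is the sole reader of the Loki keys.
POLICY = {
    "default": {"password": None, "keys": ["public/*"], "commands": ["+@read"]},
    "lokiadm": {"password": "PLACEHOLDER_PASSWORD", "keys": ["cluster/loki/*"],
                "commands": ["+get", "+hget", "+hgetall"]},
}


def acl_setuser(user, spec):
    """Render the ACL SETUSER line for one user (Redis 6+ ACL syntax).
    Rules apply left to right: resetkeys drops any inherited key patterns
    before the ~pattern entries add the allowed ones."""
    auth = f">{spec['password']}" if spec["password"] else "nopass"
    parts = ["ACL", "SETUSER", user, "on", auth, "resetkeys"]
    parts += [f"~{p}" for p in spec["keys"]]
    parts += spec["commands"]
    return " ".join(parts)


def can_read(spec, key):
    """True if the key matches one of the user's key patterns (glob semantics)."""
    return any(fnmatchcase(key, p) for p in spec["keys"])


def readers_of(policy, key):
    """Sorted list of users in the policy whose key patterns cover this key."""
    return sorted(u for u, s in policy.items() if can_read(s, key))


def render_policy(policy):
    """All ACL SETUSER lines for the policy, ready for redis-cli."""
    return [acl_setuser(u, s) for u, s in policy.items()]


if __name__ == "__main__":
    for line in render_policy(POLICY):
        print(line)
    for key in LOKI_KEYS:
        print(key, "->", readers_of(POLICY, key))
```

Key patterns only restrict which keys a command may name; a user that is also denied every command touching the credential keys (here `default` never matches them at all) is what actually keeps the values out of reach.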