Skip to content

fix: move non-sensitive data out of secrets.toml - BED-8838#57

Merged
StranDutton merged 1 commit into
fix/0.2.12from
fix/BED-8838-split-secret-config
Jul 7, 2026
Merged

fix: move non-sensitive data out of secrets.toml - BED-8838#57
StranDutton merged 1 commit into
fix/0.2.12from
fix/BED-8838-split-secret-config

Conversation

@StranDutton

@StranDutton StranDutton commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Splits the BHE destination url out of secrets.toml and into config.toml, so that secrets.toml contains only credentials (token id and key), while config.toml holds non-sensitive config.

/resolves BED-8838

Note

This change is backward-compatible - existing collectors will still work if URL is left in secrets_<collector-name>.toml after the update. Read below to find relevant DLT documentation that confirms this behavior.

  • Updated example enterprise configs (extension-specific and general secrets.toml / config.toml) to reflect changes.
  • Updated comments in docker-compose.yml (for enterprise) to reflect changes.
  • Updated Helm README and comments related to the change
  • Also removed a stale reference to interval which needed to be removed
  • Ran locally and confirmed behavior.

DLT Config Documentation - our situation applies to rule #4.
-> Previously, we referenced the BHE URL via dlt.secrets.value - this meant that value had to be defined as an env variable or inside of secrets.toml. Because of how secret injection works, our update to now grab the URL from dlt.config.value allows DLT to search through the 2 previously mentioned places (env variables and secrets.toml) in ADDITION to config.toml. As a result, the URL can now be defined in secrets.toml or config.toml. **One caveat ** is that if URL is that, if URL defined in both files, the one in secrets.toml will take precedence after this change due to DLT's hierarchy.

Summary by CodeRabbit

  • Bug Fixes

    • The BloodHound Enterprise destination URL now comes from standard configuration by default, making setup more straightforward and keeping sensitive credentials separate.
  • Documentation

    • Updated setup examples to show the destination URL as a non-sensitive setting.
    • Clarified that only token-based credentials should be stored in secrets files.
    • Refined sample configuration and compose guidance to match the new setup flow.

@StranDutton StranDutton self-assigned this Jul 6, 2026
@StranDutton StranDutton changed the title fix: move non-sensitive data out of secrets.toml fix: move non-sensitive data out of secrets.toml - BED-8838 Jul 6, 2026
@StranDutton

Copy link
Copy Markdown
Contributor Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jul 7, 2026

Copy link
Copy Markdown
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai

coderabbitai Bot commented Jul 7, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 2a25d304-ad2e-4489-98a6-81b10ffb4e5f

📥 Commits

Reviewing files that changed from the base of the PR and between 96443ca and b3f68b1.

📒 Files selected for processing (8)
  • deployments/helm/openhound/README.md
  • deployments/helm/values.example.yaml
  • example-configurations/bloodhound-enterprise/.dlt-example/config.toml
  • example-configurations/bloodhound-enterprise/.dlt-example/secrets_github.toml
  • example-configurations/bloodhound-enterprise/.dlt-example/secrets_jamf.toml
  • example-configurations/bloodhound-enterprise/.dlt-example/secrets_okta.toml
  • example-configurations/bloodhound-enterprise/docker-compose.yml
  • src/openhound/destinations/bloodhound_enterprise/destination.py
💤 Files with no reviewable changes (3)
  • example-configurations/bloodhound-enterprise/.dlt-example/secrets_github.toml
  • example-configurations/bloodhound-enterprise/.dlt-example/secrets_jamf.toml
  • example-configurations/bloodhound-enterprise/.dlt-example/secrets_okta.toml

Walkthrough

The BloodHound Enterprise destination's url parameter default source changed from dlt.secrets.value to dlt.config.value. Example configuration files, secrets files, Helm values, README, and docker-compose comments were updated accordingly to move url out of secrets and into config.

Changes

BHE URL config vs secrets migration

Layer / File(s) Summary
Destination default source change
src/openhound/destinations/bloodhound_enterprise/destination.py
The url parameter default changed from dlt.secrets.value to dlt.config.value.
Example config and secrets files
example-configurations/bloodhound-enterprise/.dlt-example/config.toml, example-configurations/bloodhound-enterprise/.dlt-example/secrets_github.toml, example-configurations/bloodhound-enterprise/.dlt-example/secrets_jamf.toml, example-configurations/bloodhound-enterprise/.dlt-example/secrets_okta.toml
Added url = "bhe_url" to config.toml under [destination.bloodhoundenterprise] and removed url from the corresponding secrets files, leaving only token_id and token_key.
Documentation updates
deployments/helm/openhound/README.md, deployments/helm/values.example.yaml, example-configurations/bloodhound-enterprise/docker-compose.yml
Updated comments/examples to clarify the URL is non-sensitive config while credentials belong in secrets.toml.

Estimated code review effort: 2 (Simple) | ~10 minutes

Sequence Diagram(s)

Not applicable — the changes are configuration/documentation adjustments and a single default-value switch, with no new multi-component control flow.

Poem

A hop, a skip, a config swap,
The URL's secret days now stop.
From secrets.value it takes its leave,
To config.value it now believes.
Tokens stay hidden, safe and sound —
This bunny's docs are tidy, bound! 🐇✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately reflects the main change: moving non-sensitive configuration out of secrets.toml into config.toml.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/BED-8838-split-secret-config

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@StranDutton

Copy link
Copy Markdown
Contributor Author

Need to coordinate the release timing so that public/official documentation is updated at the same time

@StranDutton StranDutton merged commit adfa241 into fix/0.2.12 Jul 7, 2026
6 checks passed
@StranDutton StranDutton mentioned this pull request Jul 7, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant