Prometheus doesn't elide all secrets in config #2722
brian-brazil added the kind/bug label May 15, 2017
We have/had support for this via a dedicated `Secret` type and never ended
up using it for that exact reason of comments and newlines being removed.
Seems like we should re-evaluate whether we are willing to make the
tradeoff vs. hacking around with regexes further.
On Mon, May 15, 2017 at 4:24 PM Brian Brazil ***@***.***> wrote:
The way we're hiding secrets in configs is based on a regex that hides the
secret as long as it's on the same line as the field name.
This breaks if the secret is spread across multiple lines, such as is
common with SSL certs.
We should either hide secrets in all cases, or in no cases to avoid giving
a false sense of security.
The proper way to do this would be to re-marshall the YAML with secrets
elided. This will however lose all comments, as there doesn't appear to be
a Go YAML library that preserves comments.
On the minor plus side we'd be more likely to notice certain rare YAML
formatting mistakes.
I don't think we can do much more with regexes, as we're getting into writing our own parser at that stage.
fabxc referenced this issue May 15, 2017
Merged: Expose current Prometheus config via /status/config #2711
Okay, lacking a better alternative it looks like we'll be offering up a re-marshalled config without comments. I suggest keeping the docs around this broad enough that they'll cover a future switch to something with comments.
Conorbro referenced this issue May 26, 2017
Merged: Replace regex with Secret type and remarshal config to hide secrets #2775
brian-brazil closed this in #2775 May 29, 2017
brian-brazil commented May 15, 2017
The way we're hiding secrets in configs is based on a regex that hides the secret as long as it's on the same line as the field name.
This breaks if the secret is spread across multiple lines, such as is common with SSL certs.
We should either hide secrets in all cases, or in no cases to avoid giving a false sense of security.
The proper way to do this would be to re-marshall the YAML with secrets elided. This will however lose all comments, as there doesn't appear to be a Go YAML library that preserves comments.
On the minor plus side we'd be more likely to notice certain rare YAML formatting mistakes.
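The two approaches discussed in this thread, side by side, as an added example that is not Prometheus code: a line-based regex leaves the body of a multi-line value in the output, while a dedicated `Secret` type elides itself when the parsed config is re-marshalled. The regex, field names, sample config and `REDACTED` placeholder are assumptions, and `encoding/json` stands in for the YAML marshaller so the block runs with the standard library only.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample config; field names and values are made up for this example.
const sampleYAML = `basic_auth:
  username: admin
  password: inline-secret
tls_config:
  key: |
    -----BEGIN CONSTRUCTED KEY-----
    bXVsdGlsaW5lLXNlY3JldA==
    -----END CONSTRUCTED KEY-----
`

// Hypothetical line-based rule: hides only what follows the field name on the same line.
var secretLine = regexp.MustCompile(`(?m)^([ \t]*(?:password|key):[ \t]*).+$`)

func RedactByRegex(cfg string) string {
	return secretLine.ReplaceAllString(cfg, "${1}REDACTED")
}

// Secret elides itself whenever it is marshalled, however many lines it spans.
type Secret string
func (s Secret) MarshalJSON() ([]byte, error) { return json.Marshal("REDACTED") }

// Config mirrors the sample after parsing; only typed fields are ever re-emitted.
type Config struct {
	Username string `json:"username"`
	Password Secret `json:"password"`
	Key      Secret `json:"key"`
}

func RedactByMarshal(c Config) (string, error) {
	out, err := json.Marshal(c)
	return string(out), err
}

func main() {
	const body = "bXVsdGlsaW5lLXNlY3JldA=="
	fmt.Println("regex leaks key body:", strings.Contains(RedactByRegex(sampleYAML), body))
	c := Config{"admin", "inline-secret", Secret("-----BEGIN CONSTRUCTED KEY-----\n" + body + "\n-----END CONSTRUCTED KEY-----\n")}
	out, _ := RedactByMarshal(c)
	fmt.Println("marshal leaks key body:", strings.Contains(out, body), out)
}
```

The re-marshalled output carries no comments or original formatting, which is the tradeoff the thread settles on.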