Support for passing username, password & priv_password as env vars #1074
Now that auths are completely separated out, and snmp_exporter can read multiple config files, I see less of a need for this. For example, in Kubernetes you can create a secret with all the auths you need, and load it in addition to the main snmp.yml.
Hi @candlerb, Thanks for your feedback. As I mentioned in the description, we are targeting this deployment on Azure functions wherein we can inject credentials directly as env vars. Many apps support credentials to be loaded via environment variables. Are there any constraints wrt. snmp_exporter with this approach I am not aware of?
In order to support this, I would like to see two changes.
- This should be behind a flag, disabled by default, for backwards compatibility. `--config.expand-environment-variables`.
- Use https://pkg.go.dev/os#Expand instead of a custom parser.
This would make it better match the Prometheus behavior (prometheus/prometheus#8649).
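One way to meet both requests in the review above (opt-in flag, `os.Expand` rather than a custom parser), as an added example that is not the PR's code. The `Auth` struct, `ExpandAuth` and `expandField` are hypothetical names, and rejecting an unset variable is an assumption of this example rather than something the thread specifies.

```go
package main

import (
	"fmt"
	"os"
)

// Auth is a hypothetical stand-in for one auths entry (three fields only).
type Auth struct {
	Username, Password, PrivPassword string
}

// expandField resolves $VAR and ${VAR} references with os.Expand. An unset
// variable is an error rather than a silently empty credential.
func expandField(s string, lookup func(string) (string, bool)) (string, error) {
	var missing []string
	out := os.Expand(s, func(name string) string {
		v, ok := lookup(name)
		if !ok {
			missing = append(missing, name)
		}
		return v
	})
	if len(missing) > 0 {
		return "", fmt.Errorf("unset environment variables: %v", missing)
	}
	return out, nil
}

// ExpandAuth expands only when the opt-in flag is set, so a literal '$' survives.
func ExpandAuth(a Auth, enabled bool, lookup func(string) (string, bool)) (Auth, error) {
	if !enabled {
		return a, nil
	}
	for _, f := range []*string{&a.Username, &a.Password, &a.PrivPassword} {
		v, err := expandField(*f, lookup)
		if err != nil {
			return Auth{}, err
		}
		*f = v
	}
	return a, nil
}

func main() {
	os.Setenv("SNMP_PASS", "constructed-sample") // constructed value
	a, err := ExpandAuth(Auth{Username: "monitor", Password: "${SNMP_PASS}"}, true, os.LookupEnv)
	fmt.Println(a.Password == "constructed-sample", err)
}
```

Passing `os.LookupEnv` as the lookup distinguishes an unset variable from one set to the empty string, which `os.Getenv` cannot do.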
Are you still interested in implementing this? I think it would be very much appreciated.
Hi @SuperQ, I am on vacation & will be back next week. I shall rework this #PR as per your review. I hope it's okay for you. Thanks,
Signed-off-by: Harshavardhan Musanalli <[email protected]>
Hi @SuperQ, I've made added Could you please share your feedback?
Some minor documentation issues. Otherwise looks good.
Co-authored-by: Ben Kochie <[email protected]> Signed-off-by: Harshavardhan Musanalli <[email protected]>
Hi @SuperQ, I made amendments to README.md docs as per the review. Thanks again for your support here.
Hi @SuperQ, This change broke SNMPv3 by removing the lines that need to go in config.go after 155 and 171 respectively: and usm.PrivacyPassphrase = string(c.PrivPassword). After adding them back in to the code, I tried running with having variables set via environment and in the snmp.yml and both worked. Without them I was getting the error: securityParameter.PrivacyPassphrase is required when a privacy protocol is specified
@RobertBergman Oops, I'm surprised this didn't show up in our unit tests. Do you want to open a fix PR?
@SuperQ sorry, I'm not familiar with the process.
…o go in config.go after 155 and 171 respectively: usm.AuthenticationPassphrase = string(c.Password) and usm.PrivacyPassphrase = string(c.PrivPassword) after adding the back in to the code, I tried running with having variables set via environment and in the snmp.yml and both worked. without them I was getting the error: securityParameter.PrivacyPassphrase is required when a privacy protocol is specified
I figured it out. PR submitted
On Sat, Feb 24, 2024 at 11:23 AM Ben Kochie wrote:
> @RobertBergman Oops, I'm surprised this didn't show up in our unit tests. Do you want to open a fix PR?
…o go in config.go after 155 and 171 respectively: usm.AuthenticationPassphrase = string(c.Password) and usm.PrivacyPassphrase = string(c.PrivPassword) after adding the back in to the code, I tried running with having variables set via environment and in the snmp.yml and both worked. without them I was getting the error: securityParameter.PrivacyPassphrase is required when a privacy protocol is specified Signed-off-by: Robert Bergman <[email protected]>
* Add SNMPInflight metric (#1119)
* Add SNMPInflight metric
---------
Signed-off-by: Kakuya Ando <[email protected]>
Signed-off-by: Robert Bergman <[email protected]>
* change #1074 broke SNMPv3 by removing the lines that need to go in config.go after 155 and 171 respectively: usm.AuthenticationPassphrase = string(c.Password) and usm.PrivacyPassphrase = string(c.PrivPassword) after adding the back in to the code, I tried running with having variables set via environment and in the snmp.yml and both worked. without them I was getting the error: securityParameter.PrivacyPassphrase is required when a privacy protocol is specified
Signed-off-by: Robert Bergman <[email protected]>
---------
Signed-off-by: Kakuya Ando <[email protected]>
Signed-off-by: Robert Bergman <[email protected]>
Co-authored-by: Kakuya Ando <[email protected]>
@@ -123,6 +123,8 @@ using SNMP v2 GETBULK. | |||
The `--config.file` parameter can be used multiple times to load more than one file. | |||
It also supports [glob filename matching](https://pkg.go.dev/path/filepath#Glob), e.g. `snmp*.yml`. | |||
|
|||
The `--config.expand-environment-variables` parameter allows passing environment variables into some fields of the configuration file. The `username`, `password` & `priv_password` fields in the auths section are supported. Defaults to disabled. | |||
|
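Review bot: the added `--config.expand-environment-variables` paragraph lists the supported fields but never shows how a variable is referenced in the config file, and it does not say what happens when a referenced variable is unset or when an existing value already contains a literal `$`. Suggest following the sentence with a short auths entry that uses a `${VAR}` reference for `password`, plus one sentence stating the unset-variable behaviour, so operators enabling the flag know whether a missing secret fails at load time or becomes an empty credential.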
I wonder if "community" should be allowed too, for consistency? (Although this may interact with community having a default value of "public")
I see this and without diving deep think that SNMPv3 doesn't use community.
You are correct. I mean for use with v1/v2c, which some people still do use, and requires a "secret" community (albeit sent over the wire in clear text)
* [CHANGE] Improve generator parse error handling #1167
* [ENHANCEMENT] generator: Add generator HELP override #1106
* [ENHANCEMENT] Refactoring of Scrape process, fixing multiple module issues #1111
* [ENHANCEMENT] Skip using an interactive terminal in "make docker-generate". #1113
* [ENHANCEMENT] Add SNMPInflight metric #1119
* [FEATURE] Support for passing username, password & priv_password as env vars #1074
* [FEATURE] Add GoSNMP logger #1157
* [FEATURE] Add a "snmp_context" parameter to the URL #1163
* [BUGFIX] generator: curl failed #1094
* [BUGFIX] Fix SNMPv3 password configuration #1122
* [BUGFIX] generator: Update generator User-Agent #1133
* [BUGFIX] generator: fix mibs directory specification for parse_errors command #1135
* [BUGFIX] generator: remove extra character from dell iDrac-SMIv1 MIB #1141
* [BUGFIX] Fix do not expand envvars for empty config fields #1148

snmp.yml changes:
* Updated Cisco MIBs #1180
* Updated Cyberpower MIBs #1124
* Updated servertech_sentry3 #1090
* Added support for Dell iDrac #1125
---------
Signed-off-by: Sebastian Schubert <[email protected]>
Hi,
This PR aims to pass sensitive data such as `username`, `password` & `priv_password` as environment variables. The exporter binary looks for the environment variable presence, if present it fetches the value & passes the same as configuration to the binary.
I know in the past #459 was closed. Nevertheless, times have changed & new set of apps inject env vars in a safe manner. For instance Azure functions have a clever way of injecting keyvault references as env vars for the apps running in their environment. In this case, there is no need of resolving the template or writing unnecessary entrypoint scripts to circumvent them.
Looking forward to have your feedback on this.