redact secrets in diagnostics collect command #241
Comments
First step here, hide fields that follow some common patterns:
@joshdover @ph could you please think about the long-term solution and how we can mark fields as sensitive right from the integration definition?
@joshdover @ph as the package spec PR is now done, do we really need to do this intermediary step #241 (comment)? Shouldn't we directly rely on the secret type?
We could still do the intermediate step as a stop-gap, but probably better to spend effort on the long-term solution.
I believe we should do this, the long-term solution would only be delivered on 8.x and won't be backported to 7.x. Since we will support 7.x for quite some time and use the diagnostic subcommand time we should have that stop gap in and backported to 7.x.
Another pattern would be certificate or other terms we use for the ssl/certificates configuration.
Hi @AndersonQ, we have verified the below check-points for this feature on the latest 8.4.0-SNAPSHOT build. Build details:
Observations
Further, for the ssl/cert configuration, we have the following queries:
Query 1: Could you please confirm if we need to validate any other check-points for the ssl/cert configuration other than
Query 2: Could you please confirm ca-trusted_fingerprint value is not displayed as
Please let us know if we are missing anything while validating this feature. Thanks! CC: @michel-laterman
Describe the enhancement:
The elastic-agent diagnostics collect command creates an archive that contains config files that have secret/sensitive data. These fields should be redacted before being written to the archive.
Additionally, the private key of a cert should be redacted if it's inlined in the config and not a path to a file.
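The redaction this issue asks for, as an added Go example that is not elastic-agent's own code: a value under a key name matching a pattern is replaced, and a string holding inline PEM private-key material is replaced while a path to a key file is left alone. The key-name patterns, the `<REDACTED>` marker and the sample config are assumptions; the issue's own pattern list does not appear on the page.

```go
package main

import (
	"fmt"
	"regexp"
)

const redacted = "<REDACTED>" // assumed marker
// Assumed key-name patterns; the issue's own list is not shown on the page.
var sensitiveKey = regexp.MustCompile(`(?i)password|passphrase|token|secret|api_key`)

// Matches inlined PEM private-key material; a path to a key file does not match.
var inlinePrivateKey = regexp.MustCompile(`-----BEGIN [A-Z ]*PRIVATE KEY-----`)

// Redact returns a copy of v with sensitive values replaced; v is not modified.
func Redact(v interface{}) interface{} {
	switch t := v.(type) {
	case map[string]interface{}:
		out := make(map[string]interface{}, len(t))
		for k, val := range t {
			if sensitiveKey.MatchString(k) {
				out[k] = redacted // fail closed: hide the value whatever its type
			} else {
				out[k] = Redact(val)
			}
		}
		return out
	case []interface{}:
		out := make([]interface{}, len(t))
		for i, val := range t {
			out[i] = Redact(val)
		}
		return out
	case string:
		if inlinePrivateKey.MatchString(t) {
			return redacted
		}
	}
	return v
}

func main() {
	// Constructed sample, not from a real agent: the key path stays, the password does not.
	cfg := map[string]interface{}{
		"password": "constructed-pw",
		"ssl":      map[string]interface{}{"key": "/etc/pki/agent.key"},
	}
	fmt.Println(Redact(cfg))
}
```

Running the redactor on the parsed config before anything is written means the archive never holds the cleartext, and matching on value content catches an inlined key under any field name.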