docker

package
v1.28.5

This package is not in the latest version of its module.
Published: Nov 15, 2023 License: MIT Imports: 7 Imported by: 0

README

Docker Secrets Secret-Store Plugin

The docker plugin lets Telegraf use credentials and secrets that Docker mounts into the container at runtime. The secrets are mounted as files under the /run/secrets directory within the container.

NOTE: This plugin can ONLY read the mounted secrets from Docker and NOT set them.

Usage

Secrets defined by a store are referenced with @{<store-id>:<secret_key>} in the Telegraf configuration. Only certain Telegraf plugins and options support secret stores. To see which plugins and options support secrets, see their respective documentation (e.g. plugins/outputs/influxdb/README.md). If the plugin's README has a Secret-store support section, it details which options support secret-store usage.

Configuration

# Secret-store to access Docker Secrets
[[secretstores.docker]]
  ## Unique identifier for the secretstore.
  ## This id can later be used in plugins to reference the secrets
  ## in this secret-store via @{<id>:<secret_key>} (mandatory)
  id = "docker_secretstore"

  ## Default Path to directory where docker stores the secrets file
  ## Current implementation in docker compose v2 only allows the following
  ## value for the path where the secrets are mounted at runtime
  # path = "/run/secrets"

  ## Allow dynamic secrets that are updated during runtime of telegraf
  ## Dynamic Secrets work only with `file` or `external` configuration
  ## in `secrets` section of the `docker-compose.yml` file
  # dynamic = false

Each secret listed in a Compose service's secrets parameter is available as a file at /run/secrets/<secret-name> within the container.

Setting dynamic = true lets Telegraf pick up changed secret values in plugins. This feature works only for Docker Secrets provided via the file and external types in the docker-compose.yml file, and not for the environment type (see Docker Secrets in the Compose Specification).

Example Compose File

services:
  telegraf:
    image: docker.io/telegraf:latest
    container_name: dockersecret_telegraf
    user: "${USERID}" # Required to access the /run/secrets directory in container
    secrets:
      - secret_for_plugin
    volumes:
      - /path/to/telegrafconf/host:/etc/telegraf/telegraf.conf:ro

secrets:
  secret_for_plugin:
    environment: TELEGRAF_PLUGIN_CREDENTIAL

Here, TELEGRAF_PLUGIN_CREDENTIAL is defined in a .env file in the same directory as the docker-compose.yml. An example .env file:

TELEGRAF_PLUGIN_CREDENTIAL=superSecretStuff
# determine this value by executing `id -u` in terminal
USERID=1000

Referencing Secret within a Plugin

Reference the secret within a plugin as follows:

[[inputs.<some_plugin>]]
  password = "@{docker_secretstore:secret_for_plugin}"

Additional Information

Docker Secrets in Swarm

Creating Secrets in Docker

Documentation

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Docker

type Docker struct {
	ID      string `toml:"id"`
	Path    string `toml:"path"`
	Dynamic bool   `toml:"dynamic"`
}

func (*Docker) Get

func (d *Docker) Get(key string) ([]byte, error)

func (*Docker) GetResolver

func (d *Docker) GetResolver(key string) (telegraf.ResolveFunc, error)

GetResolver returns a function to resolve the given key.

func (*Docker) Init

func (d *Docker) Init() error

Init initializes all internals of the secret-store

func (*Docker) List

func (d *Docker) List() ([]string, error)

func (*Docker) SampleConfig

func (*Docker) SampleConfig() string

func (*Docker) Set

func (d *Docker) Set(_, _ string) error
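
The static versus dynamic resolution described in the README, together with a Get that refuses keys resolving outside the secrets directory, sketched as an added example (it is not Telegraf's implementation). The fileStore type, its Resolver method and the newline trimming are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"path/filepath"
)

// fileStore is a hypothetical one-file-per-secret store (not Telegraf's type).
type fileStore struct {
	Path    string // directory holding the secret files, e.g. /run/secrets
	Dynamic bool   // re-read the file on every resolve
}

// Get reads one secret and rejects keys that resolve outside Path.
func (s *fileStore) Get(key string) ([]byte, error) {
	base := filepath.Clean(s.Path)
	file := filepath.Join(base, key)
	// The key must name a file directly inside base: no "..", no subdirectories.
	if filepath.Dir(file) != base {
		return nil, fmt.Errorf("key %q resolves outside %s", key, base)
	}
	value, err := os.ReadFile(file)
	// Assumption: a trailing newline in the file is not part of the secret.
	return bytes.TrimRight(value, "\r\n"), err
}

// Resolver reads the secret once when static, or on every call when Dynamic
// is set, so a rotated file is picked up without restarting the process.
func (s *fileStore) Resolver(key string) (func() ([]byte, error), error) {
	if s.Dynamic {
		return func() ([]byte, error) { return s.Get(key) }, nil
	}
	value, err := s.Get(key)
	if err != nil {
		return nil, err
	}
	return func() ([]byte, error) { return value, nil }, nil
}

func main() {
	store := &fileStore{Path: "/run/secrets", Dynamic: true}
	_, err := store.Get("../outside") // rejected before any file is read
	fmt.Println(err)
}
```

A static resolver keeps returning the value read at startup, so rotating a file-based secret has no effect unless the store is dynamic or the process is restarted.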
