Config via URL, security enhancement

Open Gauss23 opened this issue 11 months ago • 3 comments

Use Case

It's great to pull the config from a URL. The problem is that this is a command line parameter, which is visible to anyone on the system. It would be great to only have a minimal config file locally, which tells Telegraf where to look for the actual config. We could also configure things like disabling TLS verification and the config-url-watch-interval in this local config.

Expected behavior

It would be great to use a local config file to tell Telegraf where to look for the actual config. This would improve security, as we use the config roll-out via a URL with an API key in it. We also plan to send config information which may contain sensitive data, like the login to a database to check if it's still alive. The local file could be put in a place where only admins have access.

Actual behavior

Currently anyone on the local system can see the command line, copy the URL, and see the config data sent by the server.

Additional info

No response

Gauss23, Dec 29 '24 21:12
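An added example, not part of the issue or of Telegraf's own code: a Python audit check for the exposure described in the post above, which parses the NUL-separated argv format of `/proc/<pid>/cmdline` and reports URLs that carry credentials, with the secret redacted in the report. The parameter-name pattern, the host `cfg.example.invalid` and the key value are constructed assumptions; a key embedded in the URL path is not detected by this heuristic.

```python
import re
from pathlib import Path
from urllib.parse import urlsplit, parse_qsl

# Query parameter names treated as secrets (assumed list; extend for your API).
SECRET_PARAM = re.compile(r"(key|token|secret|passw|auth)", re.I)

# Constructed sample of a /proc/<pid>/cmdline blob (argv joined by NUL bytes).
SAMPLE = (b"/usr/bin/telegraf\0--config\0"
          b"https://cfg.example.invalid/v1/telegraf.conf?api_key=CONSTRUCTED123\0"
          b"--config-url-watch-interval\x0030s\0")

def exposed_urls(cmdline: bytes):
    """Return [(redacted_url, reasons)] for credential-bearing URLs in argv."""
    findings = []
    for arg in cmdline.decode("utf-8", "replace").split("\0"):
        # Accept both "--config URL" and "--config=URL" forms.
        value = arg.split("=", 1)[1] if arg.startswith("-") and "=" in arg else arg
        if not value.startswith(("http://", "https://")):
            continue
        url = urlsplit(value)
        reasons = []
        if url.username or url.password:
            reasons.append("userinfo")
        reasons += [f"param:{name}"
                    for name, _ in parse_qsl(url.query, keep_blank_values=True)
                    if SECRET_PARAM.search(name)]
        if reasons:
            # Report scheme, host and path only; never echo the secret itself.
            findings.append((f"{url.scheme}://{url.hostname or ''}{url.path}", reasons))
    return findings

def scan_proc(root="/proc"):
    """Map pid -> findings for every process whose cmdline is readable."""
    results = {}
    for path in Path(root).glob("[0-9]*/cmdline"):
        try:
            hits = exposed_urls(path.read_bytes())
        except OSError:  # process exited, or access denied
            continue
        if hits:
            results[int(path.parent.name)] = hits
    return results

if __name__ == "__main__":
    print("sample:", exposed_urls(SAMPLE))
    for pid, hits in sorted(scan_proc().items()):
        print(pid, hits)
```

Run as an unprivileged user, any finding from `scan_proc()` is a URL secret that every local account can read.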

I was recently thinking about this as well. IMHO it should be a new category of plugins, where this one will be a plain HTTP one, and others could be added, like for example OpAMP.

Hipska, Jan 15 '25 11:01

It would be great to get some progress here. The idea for a new plugin category sounds like a valid approach.

Gauss23, Apr 18 '25 20:04

The way to progress on this would be to create a Spec PR, so subsequent PRs implementing this can be made.

Hipska, Aug 27 '25 10:08