feat(config): support loading secrets from files and directories

Open tie opened this issue 1 year ago • 4 comments
This change adds a secrets backend that retrieves secrets from files and directories. For example, this is useful for loading secrets from the systemd credentials directory and similar mechanisms. E.g.

[secret.systemd_credentials]
type = "directory"
path = "$CREDENTIALS_DIRECTORY"
remove_trailing_whitespace = true

SECRET[systemd_credentials.password.txt] → $CREDENTIALS_DIRECTORY/password.txt

Closes #20747

References:

  • #21270
  • https://github.com/vectordotdev/vector/pull/20138#pullrequestreview-1968616241

tie avatar Sep 12 '24 12:09 tie
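The `directory` backend configured in the description above, sketched as an added example (not code from this pull request or from Vector). `DirectoryBackend`, `get` and `demo` are hypothetical names, and rejecting any key that is not a single plain file name is an assumption of this sketch, as is the constructed sample secret.

```rust
use std::fs;
use std::io;
use std::path::{Component, Path, PathBuf};

/// Hypothetical stand-in for a `directory` secrets backend (not Vector's code).
pub struct DirectoryBackend {
    pub path: PathBuf,
    pub remove_trailing_whitespace: bool,
}

impl DirectoryBackend {
    /// Resolve one key (e.g. "password.txt") to the contents of `path/key`.
    pub fn get(&self, key: &str) -> io::Result<String> {
        // Accept only a single plain file name, so a key such as "../x" or
        // "/etc/x" can never resolve outside the configured directory.
        let mut parts = Path::new(key).components();
        match (parts.next(), parts.next()) {
            (Some(Component::Normal(_)), None) => {}
            _ => return Err(io::Error::new(io::ErrorKind::InvalidInput, "invalid secret key")),
        }
        let mut value = fs::read_to_string(self.path.join(key))?;
        if self.remove_trailing_whitespace {
            // `echo` and most editors leave a trailing newline that would
            // otherwise become part of the password or token.
            let keep = value.trim_end().len();
            value.truncate(keep);
        }
        Ok(value)
    }
}

/// Constructed demo: a throwaway directory standing in for `$CREDENTIALS_DIRECTORY`.
pub fn demo() -> io::Result<(String, String, bool)> {
    let dir = std::env::temp_dir().join(format!("secret-dir-demo-{}", std::process::id()));
    fs::create_dir_all(&dir)?;
    fs::write(dir.join("password.txt"), "constructed-value\n")?;
    let trimmed = DirectoryBackend { path: dir.clone(), remove_trailing_whitespace: true };
    let raw = DirectoryBackend { path: dir.clone(), remove_trailing_whitespace: false };
    let out = (trimmed.get("password.txt")?, raw.get("password.txt")?, trimmed.get("../password.txt").is_err());
    fs::remove_dir_all(&dir)?;
    Ok(out)
}

fn main() {
    println!("{:?}", demo().expect("demo failed"));
}
```

With `remove_trailing_whitespace = false` the newline written by the provisioning tool stays in the secret, which typically surfaces as an authentication failure that is hard to spot in logs.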

CLA assistant check
All committers have signed the CLA.

bits-bot avatar Sep 12 '24 12:09 bits-bot

Could you add a changelog fragment here? I attempted to, but I'm not able to push to this branch. You can apply this diff:

ffbf204849 - (HEAD -> tie/master) add changelog entry (32 seconds ago) <Jesse Szwedko>
diff --git a/changelog.d/add-file-secrets.enhancement.md b/changelog.d/add-file-secrets.enhancement.md
new file mode 100644
index 0000000000..6c80fe8540
--- /dev/null
+++ b/changelog.d/add-file-secrets.enhancement.md
@@ -0,0 +1,4 @@
+Vector now supports two additional back-ends for loading secrets: `file`, for leading a set of
+secrets from a JSON file, and `directory`, for loading secrets from a list of files.
+
+authors: tie
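Review bot: typo in the first added line of changelog.d/add-file-secrets.enhancement.md: "for leading a set of secrets" should read "for loading a set of secrets". The `directory` wording, "from a list of files", would also be clearer as loading each secret from a file inside a configured directory, which matches the `path` setting in the pull request description. The fragment could also mention `remove_trailing_whitespace`, since that option changes the value that ends up being used as the secret.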

jszwedko avatar Oct 11 '24 21:10 jszwedko

@jszwedko, done.

tie avatar Oct 15 '24 07:10 tie

Can you please run:

./website/scripts/cue.sh fmt
CI=true make check-docs

and commit the result? I tried to do it but cannot push to the fork directly.

pront avatar Oct 17 '24 17:10 pront

@pront, done. Note that running ./website/scripts/cue.sh fmt changed many other unrelated files so I’ve only pushed the changes to website/cue/reference/configuration.cue.

tie avatar Oct 20 '24 21:10 tie

Regression Detector Results

Run ID: 8c3e08d5-2d29-4279-b8f7-7b92203ba859 Metrics dashboard

Baseline: dc441a28bb8dda527e79bbc3e8145bcb5ee0cadf Comparison: 96e55620701a9f1150e31319707ce09ea5ee69fb

Performance changes are noted in the perf column of each table:

  • ✅ = significantly better comparison variant performance
  • ❌ = significantly worse comparison variant performance
  • ➖ = no significant change in performance

No significant changes in experiment optimization goals

Confidence level: 90.00% Effect size tolerance: |Δ mean %| ≥ 5.00%

There were no significant changes in experiment optimization goals at this confidence level and effect size tolerance.

Experiments ignored for regressions

Regressions in experiments with settings containing erratic: true are ignored.

perf experiment goal Δ mean % Δ mean % CI links
file_to_blackhole egress throughput -2.06 [-6.24, +2.12]

Fine details of change detection per experiment

perf experiment goal Δ mean % Δ mean % CI links
otlp_http_to_blackhole ingress throughput +3.70 [+3.62, +3.79]
socket_to_socket_blackhole ingress throughput +3.15 [+3.09, +3.21]
datadog_agent_remap_datadog_logs_acks ingress throughput +3.14 [+2.96, +3.32]
http_elasticsearch ingress throughput +2.52 [+2.37, +2.67]
syslog_log2metric_splunk_hec_metrics ingress throughput +2.41 [+2.31, +2.51]
otlp_grpc_to_blackhole ingress throughput +2.26 [+2.06, +2.46]
http_text_to_http_json ingress throughput +1.37 [+1.22, +1.52]
splunk_hec_route_s3 ingress throughput +0.99 [+0.70, +1.28]
syslog_log2metric_tag_cardinality_limit_blackhole ingress throughput +0.70 [+0.65, +0.76]
syslog_log2metric_humio_metrics ingress throughput +0.52 [+0.41, +0.63]
datadog_agent_remap_datadog_logs ingress throughput +0.06 [-0.12, +0.23]
splunk_hec_indexer_ack_blackhole ingress throughput +0.00 [-0.02, +0.02]
splunk_hec_to_splunk_hec_logs_noack ingress throughput -0.00 [-0.02, +0.02]
http_to_http_noack ingress throughput -0.00 [-0.06, +0.05]
http_to_http_json ingress throughput -0.00 [-0.05, +0.04]
syslog_loki ingress throughput -0.01 [-0.06, +0.05]
http_to_http_acks ingress throughput -0.03 [-0.52, +0.46]
splunk_hec_to_splunk_hec_logs_acks ingress throughput -0.04 [-0.07, -0.01]
syslog_splunk_hec_logs ingress throughput -0.40 [-0.47, -0.33]
fluent_elasticsearch ingress throughput -0.60 [-1.14, -0.06]
syslog_humio_logs ingress throughput -0.85 [-0.97, -0.73]
datadog_agent_remap_blackhole_acks ingress throughput -0.93 [-1.01, -0.84]
http_to_s3 ingress throughput -0.96 [-1.14, -0.79]
syslog_regex_logs2metric_ddmetrics ingress throughput -1.01 [-1.19, -0.84]
file_to_blackhole egress throughput -2.06 [-6.24, +2.12]
datadog_agent_remap_blackhole ingress throughput -4.61 [-4.80, -4.42]

Explanation

A regression test is an A/B test of target performance in a repeatable rig, where "performance" is measured as "comparison variant minus baseline variant" for an optimization goal (e.g., ingress throughput). Due to intrinsic variability in measuring that goal, we can only estimate its mean value for each experiment; we report uncertainty in that value as a 90.00% confidence interval denoted "Δ mean % CI".

For each experiment, we decide whether a change in performance is a "regression" -- a change worth investigating further -- if all of the following criteria are true:

  1. Its estimated |Δ mean %| ≥ 5.00%, indicating the change is big enough to merit a closer look.

  2. Its 90.00% confidence interval "Δ mean % CI" does not contain zero, indicating that if our statistical model is accurate, there is at least a 90.00% chance there is a difference in performance between baseline and comparison variants.

  3. Its configuration does not mark it "erratic".

github-actions[bot] avatar Oct 21 '24 15:10 github-actions[bot]

make test-behavior failed because it tries to run vector test against all files in tests/behavior/config directory, including test data. I’ve moved these files to tests/data/secret-backends.

tie avatar Oct 21 '24 16:10 tie

Aha, thanks @tie

jszwedko avatar Oct 21 '24 17:10 jszwedko

Regression Detector Results

Run ID: d3257d88-8f4e-4fde-a6c3-5ecbec24ceba Metrics dashboard

Baseline: 75c5a4d5f0b7004091ee4dd1b1595d9daf64b572 Comparison: a8c0b6ee596999b28fb0bb136fdc55dce7eb361d

Significant changes in experiment optimization goals

Confidence level: 90.00% Effect size tolerance: |Δ mean %| ≥ 5.00%

perf experiment goal Δ mean % Δ mean % CI links
http_text_to_http_json ingress throughput +5.99 [+5.81, +6.16]

Experiments ignored for regressions

Regressions in experiments with settings containing erratic: true are ignored.

perf experiment goal Δ mean % Δ mean % CI links
file_to_blackhole egress throughput -3.09 [-7.24, +1.07]

Fine details of change detection per experiment

perf experiment goal Δ mean % Δ mean % CI links
http_text_to_http_json ingress throughput +5.99 [+5.81, +6.16]
socket_to_socket_blackhole ingress throughput +4.06 [+3.98, +4.14]
syslog_regex_logs2metric_ddmetrics ingress throughput +3.69 [+3.53, +3.85]
http_elasticsearch ingress throughput +2.64 [+2.47, +2.80]
fluent_elasticsearch ingress throughput +1.95 [+1.40, +2.50]
otlp_http_to_blackhole ingress throughput +1.79 [+1.67, +1.90]
datadog_agent_remap_blackhole ingress throughput +1.43 [+1.34, +1.52]
syslog_log2metric_tag_cardinality_limit_blackhole ingress throughput +1.29 [+1.21, +1.37]
splunk_hec_route_s3 ingress throughput +1.01 [+0.69, +1.33]
syslog_log2metric_humio_metrics ingress throughput +0.77 [+0.60, +0.95]
http_to_s3 ingress throughput +0.39 [+0.22, +0.56]
datadog_agent_remap_blackhole_acks ingress throughput +0.02 [-0.07, +0.11]
http_to_http_acks ingress throughput +0.01 [-0.48, +0.50]
splunk_hec_indexer_ack_blackhole ingress throughput +0.00 [-0.02, +0.02]
http_to_http_noack ingress throughput +0.00 [-0.06, +0.06]
splunk_hec_to_splunk_hec_logs_acks ingress throughput +0.00 [-0.03, +0.03]
splunk_hec_to_splunk_hec_logs_noack ingress throughput -0.00 [-0.02, +0.02]
http_to_http_json ingress throughput -0.01 [-0.06, +0.04]
syslog_humio_logs ingress throughput -0.62 [-0.71, -0.53]
syslog_log2metric_splunk_hec_metrics ingress throughput -0.63 [-0.73, -0.53]
syslog_loki ingress throughput -0.78 [-0.88, -0.68]
datadog_agent_remap_datadog_logs_acks ingress throughput -0.89 [-1.06, -0.73]
syslog_splunk_hec_logs ingress throughput -1.32 [-1.46, -1.19]
otlp_grpc_to_blackhole ingress throughput -1.80 [-2.00, -1.60]
file_to_blackhole egress throughput -3.09 [-7.24, +1.07]
datadog_agent_remap_datadog_logs ingress throughput -3.70 [-3.93, -3.47]

github-actions[bot] avatar Oct 21 '24 20:10 github-actions[bot]