在Prometheus yaml文件中加密秘密字符串
我在此Prometheus yaml文件中使用了OAuth2.0,并且不想直接在文件中曝光client_secret。有人知道如何使用客户端秘密(client_secret_file)加密另一个文件,以便普罗米修斯可以解密并使用它?
global:
scrape_interval: 15s
evaluation_interval: 15s
alerting:
alertmanagers:
- static_configs:
- targets: []
rule_files: []
scrape_configs:
- job_name: "prometheus"
metrics_path: "/actuator/prometheus"
static_configs:
- targets: ["localhost:8080"]
oauth2:
client_id: ""
client_secret_file: ""
scopes: []
token_url: ""
I am using OAuth2.0 in this Prometheus YAML file, and don't want to expose the client_secret directly in the file. Does anybody know how to encrypt another file with the client secret (client_secret_file) so that Prometheus can decrypt and use it?
global:
scrape_interval: 15s
evaluation_interval: 15s
alerting:
alertmanagers:
- static_configs:
- targets: []
rule_files: []
scrape_configs:
- job_name: "prometheus"
metrics_path: "/actuator/prometheus"
static_configs:
- targets: ["localhost:8080"]
oauth2:
client_id: ""
client_secret_file: ""
scopes: []
token_url: ""
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
iiuc,解决方案是使用
client_secret_file而不是client_secret。client_secret直接在Prometheus config中包含秘密,而client_secret_file是对秘密的文件引用,不会向文件的查看者披露秘密,文件应应不被检查到EG源控件中。据我所知,没有办法加密Prometheus配置的任意部分。
IIUC, the solution is to use
client_secret_fileinstead ofclient_secret.While
client_secretincludes the secret directly in the Prometheus config,client_secret_fileis a file reference to the secret, doesn't disclose the secret to a viewer of the file and the file should not be checked into e.g. source control.To my knowledge, there's no way to encrypt arbitrary sections of the Prometheus config.