fluent-bit icon indicating copy to clipboard operation
fluent-bit copied to clipboard
verified publisher icon fluent

Add the ability to provide the OpenSearch password through a file

Open nilushancosta opened this issue 2 years ago • 2 comments

Is your feature request related to a problem? Please describe. In the fluentbit OpenSearch output plugin, we can add the password to connect to OpenSearch as follows

[OUTPUT]
    Name opensearch
    HTTP_Passwd samplePassword

One of the ways to add a password here is to pass the password as an environment variable to the fluent-bit pod and then refer it in the configuration as follows

[OUTPUT]
    Name opensearch
    HTTP_Passwd ${OPENSEARCH_PASSWORD}

Checkov recommends that it is better to use secrets as files instead of environment variables.

Describe the solution you'd like Add the capability to the OpenSearch output plugin to read the password from a file

Describe alternatives you've considered

Additional context FluentBit is deployed on Kubernetes through Helm

nilushancosta avatar Aug 18 '23 08:08 nilushancosta

Hello @nilushancosta

Have you tried to create a secret and mount it as an env variable?

Here you will find https://github.com/fluent/fluent-bit/issues/7011#issuecomment-1472880366 a working example of using an env variable in the fluent-bit conf:

The example is independent of the output plugin, as this is a Kubernetes feature it should also work for storing the OpenSearch password.

From the Link provided:

I created a secret with the Splunk token, and then I used the secret key as an env variable for my pod by modifying Fluent-

Bit daemonset. To create a secret: create secret generic test-token-secret --from-literal=SPLUNK_HEC_TOKEN="FB-SplunkSecretToken123!" *To add the token value from the secret to my daemonset as a container env variable:

  containers:
  - env:
    - name: SPLUNK_HEC_TOKEN
      valueFrom:
        secretKeyRef:
          key: SPLUNK_HEC_TOKEN
          name: test-token-secret

This is my OUTPUT section in the configmap: [OUTPUT] Name splunk Match * Host splunk-master Splunk_Token ${SPLUNK_HEC_TOKEN} Port 8088 Splunk_Send_Raw off TLS on TLS.Verify off Retry_Limit 3 workers 8 storage.total_limit_size 3G http_buffer_size 2M

 Please let me know if this works for you. 
 
 Regards

RicardoAAD avatar Nov 20 '23 23:11 RicardoAAD

This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 5 days. Maintainers can add the exempt-stale label.

github-actions[bot] avatar Feb 21 '24 01:02 github-actions[bot]

This issue was closed because it has been stalled for 5 days with no activity.

github-actions[bot] avatar Feb 27 '24 01:02 github-actions[bot]