secure-credential.md

Secure credential

If you want hidden credentials (like host/user/password for elasticsearch) you can use this scheme.

Deploy CR Vector to Kubernetes where set credentials for Elastic in ENVs:

apiVersion: observability.kaasops.io/v1alpha1
kind: Vector
metadata:
  name: example
  namespace: vector
spec:
  agent:
    env:
    - name: ELASTIC_HOST
      value: {{HOST}}
    - name: ELASTIC_USER
      value: {{USER}}
    - name: ELASTIC_PASSWORD
      value: {{PASSWORD}}

Now you can use this ENVs in CR VectorPipeline, like:

apiVersion: observability.kaasops.io/v1alpha1
kind: VectorPipeline
metadata:
  name: example
  namespace: vector
spec:
  sources:
    example:
      extra_label_selector: app=example
      type: kubernetes_logs
  transforms:
    example-transform:
      inputs:
      - example
      source: |
        . = parse_json!(.message)

        .@timestamp = .time

        .cluster = "example"
      type: remap
  sinks:
    elastic:
      auth:
        password: ${ELASTIC_PASSWORD}
        strategy: basic
        user: ${ELASTIC_USER}
      bulk:
        index: example-%Y-%m-%d
      endpoint: ${ELASTIC_HOST}
      inputs:
      - example-transform
      tls:
        verify_certificate: false
      type: elasticsearch

With this scheme, if developers have access only to CR VectorPipeline, they can use credential from ENVs, but don't see them.