aristanetworks / goarista

Fairly general building blocks used in Arista Go code and open-sourced for the benefit of all.
Apache License 2.0

Is there a way to pass encrypted credentials to ocprometheus from cli #80

Closed arunasbernatavicius closed 5 months ago

arunasbernatavicius commented 5 months ago

Hi, I am testing ocprometheus on Arista. We want to configure everything from CLI using daemons. This is what the config currently looks like in our lab:

    daemon ocprometheus
       exec /sbin/ip netns exec ns-MGMT /mnt/flash/ocprometheus -config /mnt/flash/ocprometheus.yml -addr localhost:6030 -username arista -password arista
       no shutdown

However, what I don't like is having the username and password in clear text in the run config. Is there any way to pass these credentials in an encrypted manner?

aaronbee commented 5 months ago

You can configure mTLS authentication by using the trust config in the ssl profile used by management api gnmi. See https://www.arista.com/en/um-eos/eos-control-plane-security#concept_y2p_5dc_5mb Then you would configure ocprometheus with the -cafile, -certfile, and -keyfile config.

arunasbernatavicius commented 5 months ago

Thanks a lot aaronbee!
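
A sketch of the setup aaronbee's reply describes, added here as an illustration and not taken from the thread or from Arista's documentation. The profile name `GNMI-MTLS` and every certificate and key file name are placeholders, and it assumes the certificate flags take the place of `-username`/`-password` on the daemon line.

```text
! Switch side: an SSL profile with a trust config, attached to the gNMI transport.
! GNMI-MTLS, switch.crt, switch.key and client-ca.crt are placeholder names.
management security
   ssl profile GNMI-MTLS
      certificate switch.crt key switch.key
      trust certificate client-ca.crt
!
management api gnmi
   transport grpc default
      ssl profile GNMI-MTLS
!
! Before (from the question): credentials are visible in the running config.
! daemon ocprometheus
!    exec /sbin/ip netns exec ns-MGMT /mnt/flash/ocprometheus -config /mnt/flash/ocprometheus.yml -addr localhost:6030 -username arista -password arista
!    no shutdown
!
! After: the daemon presents a client certificate instead.
! The three /mnt/flash/*.crt and *.key paths are placeholders:
!   -cafile   CA used to verify the switch's certificate
!   -certfile client certificate issued by the CA the profile trusts
!   -keyfile  private key for that client certificate
daemon ocprometheus
   exec /sbin/ip netns exec ns-MGMT /mnt/flash/ocprometheus -config /mnt/flash/ocprometheus.yml -addr localhost:6030 -cafile /mnt/flash/server-ca.crt -certfile /mnt/flash/ocprometheus.crt -keyfile /mnt/flash/ocprometheus.key
   no shutdown
```

With this layout the running config carries only file paths, so the client private key file becomes the secret to protect.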