aws / amazon-cloudwatch-logs-for-fluent-bit

A Fluent Bit output plugin for CloudWatch Logs
Apache License 2.0

Should credentials_endpoint have validation that it can only be a private or link-local IP, and not a hostname or public IP? #357

Open PettitWesley opened 10 months ago

PettitWesley commented 10 months ago

Currently, we have credentials_endpoint in this output plugin. This supports use cases for custom credential vending.

For a dataplane agent that runs on hosts like Fluent Bit, I wonder if any custom credential vending service should always listen on a link-local or private IP or localhost IP. It seems insecure and never wise to reach out to a public IP or hostname for credentials.

We could add validation to reject the config if the endpoint is not local/private. This would hurt users who have their custom credential server reachable through a private DNS hostname, which seems like a valid and reasonable use case.
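A sketch of the middle ground this issue is circling, as an added example that is not code from the plugin or from PettitWesley: reject IP literals outside loopback, link-local and private space outright, but let a hostname through when every address it resolves to is in that space, so a private DNS name keeps working while a public name or IP is refused. The function name `ValidateCredentialsEndpoint`, the injected `Resolver` type, the requirement that the endpoint carry a scheme, and the hostnames and addresses in the sample resolver are all assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
)

// Resolver maps a hostname to the addresses it currently resolves to.
// It is injected so the check runs offline here; a real config loader
// would pass net.LookupIP. (Assumed interface, not the plugin's own.)
type Resolver func(host string) ([]net.IP, error)

// isLocalOrPrivate reports whether ip lies in loopback, link-local
// unicast, RFC 1918 or IPv6 unique-local address space.
func isLocalOrPrivate(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsPrivate()
}

// ValidateCredentialsEndpoint accepts an endpoint URL only if its host is
// a local/private IP literal, or a hostname whose every resolved address
// is local/private. A hostname with even one public address is rejected.
func ValidateCredentialsEndpoint(endpoint string, resolve Resolver) error {
	u, err := url.Parse(endpoint)
	if err != nil {
		return fmt.Errorf("credentials_endpoint: cannot parse %q: %w", endpoint, err)
	}
	host := u.Hostname() // strips the port and IPv6 brackets
	if host == "" {
		return fmt.Errorf("credentials_endpoint: %q has no host (a scheme such as http:// is required)", endpoint)
	}

	// Case 1: IP literal. No DNS is involved, so decide directly.
	if ip := net.ParseIP(host); ip != nil {
		if !isLocalOrPrivate(ip) {
			return fmt.Errorf("credentials_endpoint: %s is not a loopback, link-local or private address", ip)
		}
		return nil
	}

	// Case 2: hostname. Resolve it and require every address to be local/private.
	if resolve == nil {
		return errors.New("credentials_endpoint: a hostname cannot be validated without a resolver")
	}
	ips, err := resolve(host)
	if err != nil {
		return fmt.Errorf("credentials_endpoint: cannot resolve %q: %w", host, err)
	}
	if len(ips) == 0 {
		return fmt.Errorf("credentials_endpoint: %q resolved to no addresses", host)
	}
	for _, ip := range ips {
		if !isLocalOrPrivate(ip) {
			return fmt.Errorf("credentials_endpoint: %q resolves to %s, which is not a loopback, link-local or private address", host, ip)
		}
	}
	return nil
}

func main() {
	// Constructed resolver standing in for DNS; names and addresses are made up.
	fake := func(host string) ([]net.IP, error) {
		switch host {
		case "creds.corp.internal":
			return []net.IP{net.ParseIP("10.0.0.5")}, nil
		case "mixed.example":
			return []net.IP{net.ParseIP("10.0.0.5"), net.ParseIP("203.0.113.7")}, nil
		}
		return nil, errors.New("no such host")
	}
	for _, ep := range []string{
		"http://169.254.170.2/v2/credentials",
		"http://127.0.0.1:8080/creds",
		"http://[fe80::1]:8080/creds",
		"http://creds.corp.internal/creds",
		"http://203.0.113.7/creds",
		"http://mixed.example/creds",
		"169.254.170.2/creds",
	} {
		if err := ValidateCredentialsEndpoint(ep, fake); err != nil {
			fmt.Println("REJECT", ep, "->", err)
		} else {
			fmt.Println("ACCEPT", ep)
		}
	}
}
```

One caveat on the hostname branch: resolving at config-load time is a point-in-time check, and a name can later resolve somewhere else. A deployment that wants the guarantee the issue is after would either re-run the check on every credential fetch, or pin the address it validated and dial that rather than the name.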