vectordotdev / vector

A high-performance observability data pipeline.
https://vector.dev
Mozilla Public License 2.0

Dash "-" not supported in secret_key #15796

Open luk-ada opened 1 year ago

luk-ada commented 1 year ago

Problem

Hello

I have a test secret "ling-dev-elk-0". Vector is skipping secret resolution due to the dash in the name: No secret placeholder found, skipping secret resolution.

"SECRET[az_secret.ling-dev-elk-0]" - not working

I created a second secret, lingdevelk0, and it's working as expected.

"SECRET[az_secret.lingdevelk0]" - working

I did not find any info about dash support, only about multiple dots: https://github.com/vectordotdev/vector/blob/master/rfcs/2022-02-24-11552-dd-agent-style-secret-management.md

Configuration

secret:
  az_secret:
    type: exec
    command:
      - "/etc/vector/secret.sh"
      - "-v"
      - "la-kv-02012023"
      - "-s"
      - "ling-dev-elk-0"
sources:
  file:
    type: file
    include:
      - /etc/vector/1.log
    read_from: beginning
transforms:
  add_field_from_secret:
    inputs: ["file"]
    type: remap
    source: |-
      .secret = "SECRET[az_secret.ling-dev-elk-0]"
sinks:
  console:
    type: console
    inputs:
      - add_field_from_secret
    target: stdout
    encoding:
      codec: json

Version

vector 0.26.0 (x86_64-unknown-linux-gnu c6b5bc2 2022-12-05)

Debug Output

2023-01-02T14:59:33.605386Z  INFO vector::app: Internal log rate limit configured. internal_log_rate_secs=10
2023-01-02T14:59:33.606507Z  INFO vector::app: Log level is enabled. level="vector=trace,codec=trace,vrl=trace,file_source=trace,tower_limit=trace,rdkafka=trace,buffers=trace,lapin=trace,kube=trace"
2023-01-02T14:59:33.606647Z  INFO vector::app: Loading configs. paths=["vector.yaml"]
2023-01-02T14:59:33.607383Z DEBUG vector::config::loading: No secret placeholder found, skipping secret resolution.
2023-01-02T14:59:33.608237Z DEBUG vector::topology::builder: Building new source. component=file
...

jszwedko commented 1 year ago

Thanks for this report @mulat666. The secret names are limited to the same set of characters as environment variable names (alphanumeric and _s). I don't see why we couldn't expand this set for secrets though.
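Added example, not part of the thread and not Vector's own code: a small config lint that flags `SECRET[...]` placeholders which fall outside the character set described above and would therefore be skipped instead of resolved. The two patterns and the function names are assumptions modelled on that description (dots allowed inside the key, per the RFC mentioned in the report); the sample config is constructed from the one in the report.

```python
import re

# Assumption: backend and key limited to environment-variable characters
# (alphanumeric and "_"), with "." also allowed inside the key.
# This models the rule stated in the thread; it is not Vector's pattern.
RESOLVABLE = re.compile(r"SECRET\[([A-Za-z0-9_]+)\.([A-Za-z0-9_.]+)\]")

# Anything that looks like a placeholder, whatever characters it contains.
CANDIDATE = re.compile(r"SECRET\[([^\]\s]*)\]")


def audit_placeholders(config_text):
    """Return (resolvable, skipped) lists of (line_no, placeholder)."""
    resolvable, skipped = [], []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        for match in CANDIDATE.finditer(line):
            placeholder = match.group(0)
            ok = RESOLVABLE.fullmatch(placeholder) is not None
            (resolvable if ok else skipped).append((line_no, placeholder))
    return resolvable, skipped


def offending_chars(placeholder):
    """Characters inside the brackets that fall outside the allowed set."""
    inner = placeholder[len("SECRET["):-1]
    return sorted(set(re.findall(r"[^A-Za-z0-9_.]", inner)))


# Constructed sample based on the configuration in the report.
SAMPLE = '''\
transforms:
  add_field_from_secret:
    type: remap
    source: |-
      .a = "SECRET[az_secret.ling-dev-elk-0]"
      .b = "SECRET[az_secret.lingdevelk0]"
'''

if __name__ == "__main__":
    ok, bad = audit_placeholders(SAMPLE)
    for line_no, placeholder in ok:
        print(f"line {line_no}: {placeholder} matches, would be resolved")
    for line_no, placeholder in bad:
        chars = "".join(offending_chars(placeholder)) or "(malformed)"
        print(f"line {line_no}: {placeholder} would be skipped, bad chars: {chars}")
```

Running a check like this before deployment surfaces the silent skip that otherwise only shows up as a DEBUG log line.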

spencergilbert commented 1 year ago

Perhaps, for internal consistency, the name should be treated as a VRL path expression - which would require - to be quoted.

However with the given example...

    source: |-
      .secret = "SECRET[az_secret.ling-dev-elk-0]"

Escaping quotes may be awkward?