Secret key syntax and use
Zenoss Collector deployments include a Hashicorp Vault for storing sensitive information securely. You are not required to use it.
To use the vault, substitute the following syntax for the value portion of configuration fields that require sensitive information:
<FIELD_NAME>: _ZDM_SEC_<COLLECTOR_NAME>[.<DEVICE_ID>].<FIELD_NAME>
The portion after _ZDM_SEC_
is the secret key. A DEVICE_ID value is
only needed in the datasource configuration file.
For example, for collector collector1
, the apiKey
field in the
agent configuration file would be as follows:
apiKey: _ZDM_SEC_collector1.apiKey
Likewise, to set the zWBEMPassword
field in the datasource configuration
file to use the vault for device my-ecm.example.com
, the
field would be as follows:
zWBEMPassword: _ZDM_SEC_collector1.my-ecm-example.com.zWBEMPassword
Then, you collect all the secret keys in a secrets file and provide values. The file supports both shell and JSON encoding:
collector1.apiKey=<AUTHENTICATION_KEY>
collector1.my-ecm-example.com.zWBEMPassword=<WBEM_PASSWORD>
{
"collector1.apiKey": "<AUTHENTICATION_KEY>",
"collector1.my-ecm-example.com.zWBEMPassword": "<WBEM_PASSWORD>"
}
Finally, you upload all the secrets to the vault and delete the secrets file. You can update a secret at any time.
To not use the vault, just supply a value for a field:
<FIELD_NAME>: <FIELD_VALUE>