Secret key syntax and use

Zenoss Collector deployments include a Hashicorp Vault for storing sensitive information securely. You are not required to use it.

To use the vault, substitute the following syntax for the value portion of configuration fields that require sensitive information:

<FIELD_NAME>: _ZDM_SEC_<COLLECTOR_NAME>[.<DEVICE_ID>].<FIELD_NAME>

The portion after _ZDM_SEC_ is the secret key. A DEVICE_ID value is only needed in the datasource configuration file.

For example, for collector collector1, the apiKey field in the agent configuration file would be as follows:

apiKey: _ZDM_SEC_collector1.apiKey

Likewise, to set the zWBEMPassword field in the datasource configuration file to use the vault for device my-ecm.example.com, the field would be as follows:

zWBEMPassword: _ZDM_SEC_collector1.my-ecm-example.com.zWBEMPassword

Then, you collect all the secret keys in a secrets file and provide values. The file supports both shell and JSON encoding:

ShellJSON

collector1.apiKey=<AUTHENTICATION_KEY>
collector1.my-ecm-example.com.zWBEMPassword=<WBEM_PASSWORD>

{
  "collector1.apiKey": "<AUTHENTICATION_KEY>",
  "collector1.my-ecm-example.com.zWBEMPassword": "<WBEM_PASSWORD>"
}

Finally, you upload all the secrets to the vault and delete the secrets file. You can update a secret at any time.

To not use the vault, just supply a value for a field:

<FIELD_NAME>: <FIELD_VALUE>