Encrypt sensitive information

Signed-off-by: chengdehao <[email protected]>

apis/fluentd/v1alpha1/plugins/common/common_types.go

@@ -69,8 +69,8 @@ type Security struct {
 
 // User defines the common parameters for the user plugin
 type User struct {
-	Username *string `json:"username,omitempty"`
-	Password *string `json:"password,omitempty"`
+	Username *plugins.Secret `json:"username,omitempty"`
+	Password *plugins.Secret `json:"password,omitempty"`
 }
 
 // Transport defines the commont parameters for the transport plugin
@@ -116,9 +116,9 @@ type Auth struct {
 	// +kubebuilder:validation:Enum:basic
 	Method *string `json:"auth,omitempty"`
 	// The username for basic authentication.
-	Username *string `json:"username,omitempty"`
+	Username *plugins.Secret `json:"username,omitempty"`
 	// The password for basic authentication.
-	Password *string `json:"password,omitempty"`
+	Password *plugins.Secret `json:"password,omitempty"`
 }
 
 // Server defines the common parameters for the server plugin
@@ -134,9 +134,9 @@ type Server struct {
 	// SharedKey defines the shared key per server.
 	SharedKey *string `json:"sharedKey,omitempty"`
 	// Username defines the username for authentication.
-	Username *string `json:"username,omitempty"`
+	Username *plugins.Secret `json:"username,omitempty"`
 	// Password defines the password for authentication.
-	Password *string `json:"password,omitempty"`
+	Password *plugins.Secret `json:"password,omitempty"`
 	// Standby marks a node as the standby node for an Active-Standby model between Fluentd nodes.
 	Standby *string `json:"standby,omitempty"`
 	// Weight defines the load balancing weight
@@ -263,21 +263,49 @@ func (u *User) Name() string {
 	return "user"
 }
 
-func (u *User) Params(_ plugins.SecretLoader) (*params.PluginStore, error) {
+func (u *User) Params(loader plugins.SecretLoader) (*params.PluginStore, error) {
 	ps := params.NewPluginStore(u.Name())
-	ps.InsertPairs("username", fmt.Sprint(*u.Username))
-	ps.InsertPairs("password", fmt.Sprint(*u.Password))
+	if u.Username != nil {
+		user, err := loader.LoadSecret(*u.Username)
+		if err != nil {
+			return nil, err
+		}
+		ps.InsertPairs("username", user)
+	}
+
+	if u.Password != nil {
+		pwd, err := loader.LoadSecret(*u.Username)
+		if err != nil {
+			return nil, err
+		}
+		ps.InsertPairs("password", pwd)
+	}
+
 	return ps, nil
 }
 
 func (a *Auth) Name() string {
 	return "auth"
 }
 
-func (a *Auth) Params(_ plugins.SecretLoader) (*params.PluginStore, error) {
+func (a *Auth) Params(loader plugins.SecretLoader) (*params.PluginStore, error) {
 	ps := params.NewPluginStore(a.Name())
-	ps.InsertPairs("username", fmt.Sprint(*a.Username))
-	ps.InsertPairs("password", fmt.Sprint(*a.Password))
+	if a.Username != nil {
+		user, err := loader.LoadSecret(*a.Username)
+		if err != nil {
+			return nil, err
+		}
+		ps.InsertPairs("username", user)
+	}
+
+	if a.Password != nil {
+		pwd, err := loader.LoadSecret(*a.Password)
+		if err != nil {
+			return nil, err
+		}
+		ps.InsertPairs("password", pwd)
+	}
+
 	if a.Method != nil {
 		ps.InsertPairs("method", fmt.Sprint(*a.Method))
 	}
@@ -358,7 +386,7 @@ func (s *Server) Name() string {
 	return "server"
 }
 
-func (s *Server) Params(_ plugins.SecretLoader) (*params.PluginStore, error) {
+func (s *Server) Params(loader plugins.SecretLoader) (*params.PluginStore, error) {
 	ps := params.NewPluginStore(s.Name())
 
 	if s.Id != nil {
@@ -384,10 +412,20 @@ func (s *Server) Params(_ plugins.SecretLoader) (*params.PluginStore, error) {
 		ps.InsertPairs("shared_key", fmt.Sprint(*s.SharedKey))
 	}
 	if s.Username != nil {
-		ps.InsertPairs("username", fmt.Sprint(*s.Username))
+		user, err := loader.LoadSecret(*s.Username)
+		if err != nil {
+			return nil, err
+		}
+
+		ps.InsertPairs("username", user)
 	}
 	if s.Password != nil {
-		ps.InsertPairs("password", fmt.Sprint(*s.Password))
+		pwd, err := loader.LoadSecret(*s.Password)
+		if err != nil {
+			return nil, err
+		}
+
+		ps.InsertPairs("password", pwd)
 	}
 	if s.Standby != nil {
 		ps.InsertPairs("standby", fmt.Sprint(*s.Host))

apis/fluentd/v1alpha1/plugins/output/es.go

@@ -1,5 +1,7 @@
 package output
 
+import "fluent.io/fluent-operator/apis/fluentd/v1alpha1/plugins"
+
 // Elasticsearch defines the parameters for out_es output plugin
 type Elasticsearch struct {
 	// The hostname of your Elasticsearch node (default: localhost).
@@ -10,10 +12,6 @@ type Elasticsearch struct {
 	Port *uint32 `json:"port,omitempty"`
 	// Hosts defines a list of hosts if you want to connect to more than one Elasticsearch nodes
 	Hosts *string `json:"hosts,omitempty"`
-	// The login credentials to connect to the Elasticsearch node
-	User *string `json:"user,omitempty"`
-	// The login credentials to connect to the Elasticsearch node
-	Password *string `json:"password,omitempty"`
 	// Specify https if your Elasticsearch endpoint supports SSL (default: http).
 	Scheme *string `json:"scheme,omitempty"`
 	// Path defines the REST API endpoint of Elasticsearch to post write requests (default: nil).
@@ -24,4 +22,8 @@ type Elasticsearch struct {
 	LogstashFormat *bool `json:"logstashFormat,omitempty"`
 	// LogstashPrefix defines the logstash prefix index name to write events when logstash_format is true (default: logstash).
 	LogstashPrefix *string `json:"logstashPrefix,omitempty"`
+	// Optional, The login credentials to connect to the Elasticsearch node (default: nil)
+	User *plugins.Secret `json:"user,omitempty"`
+	// Optional, The login credentials to connect to the Elasticsearch node (default: nil)
+	Password *plugins.Secret `json:"password,omitempty"`
 }

apis/fluentd/v1alpha1/plugins/output/types.go

@@ -117,7 +117,7 @@ func (o *Output) Params(loader plugins.SecretLoader) (*params.PluginStore, error
 
 	if o.Elasticsearch != nil {
 		ps.InsertType(string(params.ElasticsearchOutputType))
-		return o.elasticsearchPlugin(ps, loader), nil
+		return o.elasticsearchPlugin(ps, loader)
 	}
 
 	if o.S3 != nil {
@@ -339,7 +339,7 @@ func (o *Output) httpPlugin(parent *params.PluginStore, loader plugins.SecretLoa
 	return parent
 }
 
-func (o *Output) elasticsearchPlugin(parent *params.PluginStore, loader plugins.SecretLoader) *params.PluginStore {
+func (o *Output) elasticsearchPlugin(parent *params.PluginStore, loader plugins.SecretLoader) (*params.PluginStore, error) {
 	if o.Elasticsearch.Host != nil {
 		parent.InsertPairs("host", fmt.Sprint(*o.Elasticsearch.Host))
 	}
@@ -353,11 +353,19 @@ func (o *Output) elasticsearchPlugin(parent *params.PluginStore, loader plugins.
 	}
 
 	if o.Elasticsearch.User != nil {
-		parent.InsertPairs("user", fmt.Sprint(*o.Elasticsearch.User))
+		user, err := loader.LoadSecret(*o.Elasticsearch.User)
+		if err != nil {
+			return nil, err
+		}
+		parent.InsertPairs("user", user)
 	}
 
 	if o.Elasticsearch.Password != nil {
-		parent.InsertPairs("password", fmt.Sprint(*o.Elasticsearch.Password))
+		pwd, err := loader.LoadSecret(*o.Elasticsearch.User)
+		if err != nil {
+			return nil, err
+		}
+		parent.InsertPairs("password", pwd)
 	}
 
 	if o.Elasticsearch.Scheme != nil {
@@ -380,7 +388,7 @@ func (o *Output) elasticsearchPlugin(parent *params.PluginStore, loader plugins.
 		parent.InsertPairs("logstash_prefix", fmt.Sprint(*o.Elasticsearch.LogstashPrefix))
 	}
 
-	return parent
+	return parent, nil
 }
 
 func (o *Output) kafka2Plugin(parent *params.PluginStore, loader plugins.SecretLoader) *params.PluginStore {

apis/fluentd/v1alpha1/tests/expected/duplicate-removal-cr-specs.cfg

@@ -112,8 +112,6 @@
     open_timeout  2
     <auth>
       method  basic
-      password  password
-      username  username
     </auth>
     <buffer buffertag.*>
       @id  common_buffer
@@ -207,8 +205,6 @@
     open_timeout  2
     <auth>
       method  basic
-      password  password
-      username  username
     </auth>
     <buffer buffertag.*>
       @id  common_buffer

apis/fluentd/v1alpha1/tests/tools.go

@@ -315,13 +315,9 @@ var (
 	}
 
 	authMethod = "basic"
-	username   = "username"
-	password   = "password"
 
 	auth = common.Auth{
-		Method:   &authMethod,
-		Username: &username,
-		Password: &password,
+		Method: &authMethod,
 	}
 
 	endpoint           = "http://logserver.com:9000/api"