

@shantanoo-desai
Last active March 14, 2023 11:33
trial with secretstore plugin JOSE from Telegraf

Trials with Secretstores JOSE in Telegraf using Docker

generate secret

# Store the secret "opcua_password" in the JOSE secret store "jose_test" that
# telegraf.toml defines. The encrypted file lands in secrets/ under the
# bind-mounted working directory (presumably owned by uid 1000, the -u above).
# The secret value is given on the command line here, so it also ends up in
# shell history and is visible in process listings while the command runs —
# acceptable for a throw-away trial value only.
docker run -u 1000  \
          -v $(pwd)/telegraf.toml:/etc/telegraf/telegraf.conf:ro \
          -v $(pwd):/etc/telegraf \
          telegraf:latest telegraf secrets set jose_test opcua_password testpassword

This should create a `secrets/` directory on the host containing the file `opcua_password`.

get secret

# Read the secret back through the same store. This only proves that the store
# itself can decrypt the file; it says nothing about whether a plugin's
# @{jose_test:opcua_password} reference is resolved at runtime. Note that the
# secret is printed in clear text on the terminal.
docker run -u 1000  \
          -v $(pwd)/telegraf.toml:/etc/telegraf/telegraf.conf:ro \
          -v $(pwd):/etc/telegraf \
          telegraf:latest telegraf secrets get jose_test opcua_password

The output should be:

2023/03/14 11:10:11 I! Using config file: /etc/telegraf/telegraf.conf
jose_test:opcua_password = testpassword

Execution

# Run the agent with both inputs.opcua instances from telegraf.toml: "ftFabrik"
# resolves its password as @{jose_test:opcua_password}, "ftFabrik2" reads it
# from OPCUA_PASSWORD, injected here with -e. The -e route keeps the secret out
# of the config file but leaves it readable by anyone who can inspect the
# container's environment, which is exactly what the secret store is meant to
# avoid once resolution works.
docker run -u 1000 \
           -e OPCUA_PASSWORD=testpassword \
           -v $(pwd)/telegraf.toml:/etc/telegraf/telegraf.conf:ro \
           -v $(pwd):/etc/telegraf \
           telegraf:latest telegraf

Problem

  • The password is not resolved from the secretstores.jose store for the inputs.opcua plugin named ftFabrik
  • The same inputs.opcua plugin does connect to the OPC UA server when the password is supplied via an environment variable (the ftFabrik2 instance)
2023-03-14T11:29:20Z E! [inputs.opcua] Error in plugin: error in Client Connection: User does not have permission to perform the requested operation. StatusBadUserAccessDenied (0x801F0000)
2023-03-14T11:29:20Z D! [inputs.opcua] Connected to OPC UA Server
2023-03-14T11:29:28Z D! [outputs.file] Wrote batch of 1 metrics in 293.906µs
2023-03-14T11:29:28Z D! [outputs.file] Buffer fullness: 0 / 10000 metrics
{"fields":{"Quality":"OK (0x0)","test":true},"name":"ftFabrik2","tags":{"id":"ns=2;s=IX_SSC_LightBarrierOutsource_I4"},"timestamp":1678785961}
## Agent settings for the trial. debug = true is what produces the "D!" lines
## shown in the log above; it is useful while chasing the secret-resolution
## problem but noisy (and logs more about the session) in normal operation.
[agent]
interval = "20s"
round_interval = true
metric_batch_size = 1000
metric_buffer_limit = 10000
collection_jitter = "0s"
flush_interval = "10s"
flush_jitter = "0s"
precision = ""
debug = true
quiet = false
hostname = ""
omit_hostname = true
## Secret store, output and input plugins.
##
## JOSE-encrypted secret store. The first inputs.opcua instance below ("ftFabrik")
## references it as @{jose_test:opcua_password}; the `telegraf secrets set/get
## jose_test ...` commands above write and read the files under `path`.
[[secretstores.jose]]
id = "jose_test"
path = "/etc/telegraf/secrets"
## NOTE(review): this password unlocks every secret under `path`, and it sits in
## clear text in the same config file as everything else — anyone who can read
## telegraf.toml can decrypt the store. Fine for this trial; for real use keep
## telegraf.toml readable by the telegraf user only and do not commit it. (If the
## key is omitted Telegraf may prompt for the password at startup — confirm
## against the plugin README for the version in use.)
password = "tester" # dummy skeleton password for jose
## Emit every metric as JSON. No `files` key is set, so the plugin's default
## destination applies (presumably stdout — it matches the {"fields":...} line
## in the log above).
[[outputs.file]]
data_format = "json"
## Instance under test: identical to "ftFabrik2" below except that the password
## comes from the JOSE secret store instead of the environment.
[[inputs.opcua]]
## Metric name
name = "ftFabrik"
#
## OPC UA Endpoint URL
endpoint = "opc.tcp://192.168.4.201:4840"
#
## Maximum time allowed to establish a connect to the endpoint.
connect_timeout = "60s"
#
## Maximum time allowed for a request over the established connection.
request_timeout = "60s"
#
## Security policy, one of "None", "Basic128Rsa15", "Basic256",
## "Basic256Sha256", or "auto"
security_policy = "None"
#
## Security mode, one of "None", "Sign", "SignAndEncrypt", or "auto"
security_mode = "None"
## NOTE(review): with policy and mode "None" the session is neither signed nor
## encrypted, so the UserName token below crosses the network without channel
## protection unless the server's user-token policy encrypts the token itself.
## Acceptable for a lab; against a production server use "SignAndEncrypt" with
## "Basic256Sha256" and a proper certificate/private_key pair.
#
## Path to cert.pem. Required when security mode or policy isn't "None".
## If cert path is not supplied, self-signed cert and key will be generated.
# certificate = "/etc/telegraf/cert.pem"
#
## Path to private key.pem. Required when security mode or policy isn't "None".
## If key path is not supplied, self-signed cert and key will be generated.
# private_key = "/etc/telegraf/key.pem"
#
## Authentication Method, one of "Certificate", "UserName", or "Anonymous". To
## authenticate using a specific ID, select 'Certificate' or 'UserName'
auth_method = "UserName"
#
## Username. Required for auth_method = "UserName"
username = "OpcUser"
#
## Password. Required for auth_method = "UserName"
## Expected to be resolved from the "jose_test" store at startup. The Problem
## section attributes the StatusBadUserAccessDenied error in the log above to
## this instance, i.e. the value the server received was not the stored one.
## NOTE(review): since `telegraf secrets get` returns the right value, the store
## works; one thing worth checking is whether this plugin's password field goes
## through the secret resolver at all in the image version used — if not, the
## literal reference string would be sent as the password and rejected.
password = "@{jose_test:opcua_password}"
#
## Option to select the metric timestamp to use. Valid options are:
## "gather" -- uses the time of receiving the data in telegraf
## "server" -- uses the timestamp provided by the server
## "source" -- uses the timestamp provided by the source
timestamp = "source"
#
## Node ID configuration
## name - field name to use in the output
## namespace - OPC UA namespace of the node (integer value 0 thru 3)
## identifier_type - OPC UA ID type (s=string, i=numeric, g=guid, b=opaque)
## identifier - OPC UA ID (tag as shown in opcua browser)
## tags - extra tags to be added to the output metric (optional); deprecated in 1.25.0; use default_tags
## default_tags - extra tags to be added to the output metric (optional)
##
## Use either the inline notation or the bracketed notation, not both.
#
## Inline notation (default_tags not supported yet)
nodes = [ {name="test", namespace="2", identifier_type="s", identifier="IX_SSC_LightBarrierOutsource_I4"} ]
data_format = "json"
## SAME PLUGIN BUT TAKES PASSWORD VIA ENV VAR TO SEE IF THIS ONE SHOULD WORK!
## Control instance: same endpoint, user and node as "ftFabrik", password taken
## from the environment. It connects and delivers the JSON metric shown in the
## log above, which confirms that endpoint, credentials and node are correct and
## that only the secret-store resolution differs between the two instances.
[[inputs.opcua]]
## Metric name
name = "ftFabrik2" # This is what distinguishes it from the same plugin above
#
## OPC UA Endpoint URL
endpoint = "opc.tcp://192.168.4.201:4840"
#
## Maximum time allowed to establish a connect to the endpoint.
connect_timeout = "60s"
#
## Maximum time allowed for a request over the established connection.
request_timeout = "60s"
#
## Security policy, one of "None", "Basic128Rsa15", "Basic256",
## "Basic256Sha256", or "auto"
security_policy = "None"
#
## Security mode, one of "None", "Sign", "SignAndEncrypt", or "auto"
security_mode = "None"
## NOTE(review): as for the instance above, "None"/"None" leaves the session
## unsigned and unencrypted; keep this for the lab only.
#
## Path to cert.pem. Required when security mode or policy isn't "None".
## If cert path is not supplied, self-signed cert and key will be generated.
# certificate = "/etc/telegraf/cert.pem"
#
## Path to private key.pem. Required when security mode or policy isn't "None".
## If key path is not supplied, self-signed cert and key will be generated.
# private_key = "/etc/telegraf/key.pem"
#
## Authentication Method, one of "Certificate", "UserName", or "Anonymous". To
## authenticate using a specific ID, select 'Certificate' or 'UserName'
auth_method = "UserName"
#
## Username. Required for auth_method = "UserName"
username = "OpcUser"
#
## Password. Required for auth_method = "UserName"
## Substituted from OPCUA_PASSWORD, set with -e in the run command above. This
## keeps the secret out of the config file but exposes it to anyone who can read
## the container's environment — it is the fallback the secret store is meant
## to replace.
password = "${OPCUA_PASSWORD}"
#
## Option to select the metric timestamp to use. Valid options are:
## "gather" -- uses the time of receiving the data in telegraf
## "server" -- uses the timestamp provided by the server
## "source" -- uses the timestamp provided by the source
timestamp = "source"
#
## Node ID configuration
## name - field name to use in the output
## namespace - OPC UA namespace of the node (integer value 0 thru 3)
## identifier_type - OPC UA ID type (s=string, i=numeric, g=guid, b=opaque)
## identifier - OPC UA ID (tag as shown in opcua browser)
## tags - extra tags to be added to the output metric (optional); deprecated in 1.25.0; use default_tags
## default_tags - extra tags to be added to the output metric (optional)
##
## Use either the inline notation or the bracketed notation, not both.
#
## Inline notation (default_tags not supported yet)
nodes = [ {name="test", namespace="2", identifier_type="s", identifier="IX_SSC_LightBarrierOutsource_I4"} ]
data_format = "json"