Hide sensitive data from the config files

(Tony Boston) #1


I am looking for a way to put all sensitive data in like one file, let’s call it secrets.conf, and only refer to it in the actual service config. Sensitive data may include DB passwords, any other passwords or SNMP data. Is this somehow implemented in icinga2 already? I didn’t find anything in the docs.
I thought about using macros but I read that this will have an impact on performance.
Any hints are really appreciated.


(Aflatto) #2

Would something like the namespaces be useful to you? https://icinga.com/docs/icinga2/latest/doc/17-language-reference/#namespaces

(Tony Boston) #3

Not sure - I was about to create Constants for every Password, what do you think about that?

(Aflatto) #4

I am not sure you want the passwords to be propagated to every environment you have, that is why the namespaces exist, so you can use the values in individual zones and environments.
The constants are just that - constants across all zones and environments and hence less secure for passwords.

(Tony Boston) #5

I do get your point. The only reason we do this is that we’re using git for all config files and we do not want any credentials in the repo. So right now, we’re git-ignoring the “secrets.conf” file where we would define the Constants.

Can you give an example of what a namespace would look like for passwords?

(Tony Boston) #6

Just for reference. I am using Constants now.
I added a secrets.conf where I put all the Passwords into constants which I’ll use in the service/host config.
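
The layout described in the last post, sketched as an added example (not configuration posted by anyone in the thread). The constant names, the `monitor` user, the OID, the host custom variables and the paths under /etc/icinga2 are assumptions; all values are constructed placeholders.

```icinga2
/* --- .gitignore (repository root) ------------------------------------
 *   secrets.conf
 * --------------------------------------------------------------------- */

/* --- /etc/icinga2/secrets.conf ---------------------------------------
 * Never committed. Restrict it to root and the Icinga group, e.g.
 *   chown root:icinga secrets.conf && chmod 640 secrets.conf
 * (the group name depends on the distribution). */
const MysqlMonitorPassword = "REPLACE-ME"   // constructed placeholder
const SnmpCommunity        = "REPLACE-ME"   // constructed placeholder

/* --- /etc/icinga2/icinga2.conf ---------------------------------------
 * Load the secrets before the configuration that refers to them.
 * A plain include fails config validation when the file is missing,
 * so a fresh clone without secrets.conf is caught at validation time
 * instead of running checks with empty credentials. */
include "constants.conf"
include "secrets.conf"
include_recursive "conf.d"

/* --- /etc/icinga2/conf.d/services.conf (tracked in git) --------------
 * Only the constant names appear in the repository. */
apply Service "mysql-health" {
  check_command = "mysql"                      // ITL CheckCommand
  vars.mysql_username = "monitor"              // assumed account name
  vars.mysql_password = MysqlMonitorPassword   // resolved from secrets.conf
  assign where host.vars.mysql                 // assumed host custom variable
}

apply Service "snmp-uptime" {
  check_command = "snmp"                       // ITL CheckCommand
  vars.snmp_oid = "1.3.6.1.2.1.1.3.0"          // sysUpTime, as an illustration
  vars.snmp_community = SnmpCommunity          // resolved from secrets.conf
  assign where host.vars.snmp                  // assumed host custom variable
}
```

This keeps the credentials out of the repository only: the resolved values are still stored as custom variables on the services, so they show up in `icinga2 object list` output on the node.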