maint: Add warning about cli flags (#1293)
## Which problem is this PR solving?

- Refinery has a couple CLI flags that, if used, could expose
credentials. This PR adds warnings against such behavior.

## Short description of the changes

- Update the `--help` output to warn against using some flags
- Update config docs to warn against using the command line flag option
for some configuration fields.
TylerHelmuth authored Aug 22, 2024
1 parent a3e9090 commit c87cc15
Showing 2 changed files with 17 additions and 17 deletions.
18 changes: 9 additions & 9 deletions config/cmdenv.go
Expand Up @@ -32,16 +32,16 @@ type CmdEnv struct {
PeerListenAddr string `long:"peer-listen-address" env:"REFINERY_PEER_LISTEN_ADDRESS" description:"Peer listen address for communication between Refinery instances"`
GRPCListenAddr string `long:"grpc-listen-address" env:"REFINERY_GRPC_LISTEN_ADDRESS" description:"gRPC listen address for OTLP traffic"`
RedisHost string `long:"redis-host" env:"REFINERY_REDIS_HOST" description:"Redis host address"`
RedisUsername string `long:"redis-username" env:"REFINERY_REDIS_USERNAME" description:"Redis username"`
RedisPassword string `long:"redis-password" env:"REFINERY_REDIS_PASSWORD" description:"Redis password"`
RedisAuthCode string `long:"redis-auth-code" env:"REFINERY_REDIS_AUTH_CODE" description:"Redis AUTH code"`
RedisUsername string `long:"redis-username" env:"REFINERY_REDIS_USERNAME" description:"Redis username. Setting this value via a flag may expose credentials - it is recommended to use the env var or a configuration file."`
RedisPassword string `long:"redis-password" env:"REFINERY_REDIS_PASSWORD" description:"Redis password. Setting this value via a flag may expose credentials - it is recommended to use the env var or a configuration file."`
RedisAuthCode string `long:"redis-auth-code" env:"REFINERY_REDIS_AUTH_CODE" description:"Redis AUTH code. Setting this value via a flag may expose credentials - it is recommended to use the env var or a configuration file."`
HoneycombAPI string `long:"honeycomb-api" env:"REFINERY_HONEYCOMB_API" description:"Honeycomb API URL"`
HoneycombAPIKey string `long:"honeycomb-api-key" env:"REFINERY_HONEYCOMB_API_KEY" description:"Honeycomb API key (for logger and metrics)"`
HoneycombLoggerAPIKey string `long:"logger-api-key" env:"REFINERY_HONEYCOMB_LOGGER_API_KEY" description:"Honeycomb logger API key"`
LegacyMetricsAPIKey string `long:"legacy-metrics-api-key" env:"REFINERY_HONEYCOMB_METRICS_API_KEY" description:"API key for legacy Honeycomb metrics"`
OTelMetricsAPIKey string `long:"otel-metrics-api-key" env:"REFINERY_OTEL_METRICS_API_KEY" description:"API key for OTel metrics if being sent to Honeycomb"`
OTelTracesAPIKey string `long:"otel-traces-api-key" env:"REFINERY_OTEL_TRACES_API_KEY" description:"API key for OTel traces if being sent to Honeycomb"`
QueryAuthToken string `long:"query-auth-token" env:"REFINERY_QUERY_AUTH_TOKEN" description:"Token for debug/management queries"`
HoneycombAPIKey string `long:"honeycomb-api-key" env:"REFINERY_HONEYCOMB_API_KEY" description:"Honeycomb API key (for logger and metrics). Setting this value via a flag may expose credentials - it is recommended to use the env var or a configuration file."`
HoneycombLoggerAPIKey string `long:"logger-api-key" env:"REFINERY_HONEYCOMB_LOGGER_API_KEY" description:"Honeycomb logger API key. Setting this value via a flag may expose credentials - it is recommended to use the env var or a configuration file."`
LegacyMetricsAPIKey string `long:"legacy-metrics-api-key" env:"REFINERY_HONEYCOMB_METRICS_API_KEY" description:"API key for legacy Honeycomb metrics. Setting this value via a flag may expose credentials - it is recommended to use the env var or a configuration file."`
OTelMetricsAPIKey string `long:"otel-metrics-api-key" env:"REFINERY_OTEL_METRICS_API_KEY" description:"API key for OTel metrics if being sent to Honeycomb. Setting this value via a flag may expose credentials - it is recommended to use the env var or a configuration file."`
OTelTracesAPIKey string `long:"otel-traces-api-key" env:"REFINERY_OTEL_TRACES_API_KEY" description:"API key for OTel traces if being sent to Honeycomb. Setting this value via a flag may expose credentials - it is recommended to use the env var or a configuration file."`
QueryAuthToken string `long:"query-auth-token" env:"REFINERY_QUERY_AUTH_TOKEN" description:"Token for debug/management queries. Setting this value via a flag may expose credentials - it is recommended to use the env var or a configuration file."`
AvailableMemory MemorySize `long:"available-memory" env:"REFINERY_AVAILABLE_MEMORY" description:"The maximum memory available for Refinery to use (ex: 4GiB)."`
Debug bool `short:"d" long:"debug" description:"Runs debug service (on the first open port between localhost:6060 and :6069 by default)"`
Version bool `short:"v" long:"version" description:"Print version number and exit"`
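
Review bot: The warning added to the nine `description` tags from `redis-username` through `query-auth-token` says a flag "may expose credentials" but never says how, so someone reading `--help` cannot judge the risk. Suggest naming the mechanism, for example "command-line arguments can be read by other local users in process listings and are saved in shell history". Help text is also only seen by someone who runs `--help`; consider a follow-up that logs a warning at startup when one of these options was supplied as a flag rather than through its `env:` variable or the configuration file.
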
16 changes: 8 additions & 8 deletions config/metadata/configMeta.yaml
Expand Up @@ -419,7 +419,7 @@ groups:
reload: false
envvar: REFINERY_QUERY_AUTH_TOKEN
commandline: query-auth-token
summary: is the token that must be specified to access the `/query` endpoint.
summary: is the token that must be specified to access the `/query` endpoint. Setting this value via a command line flag may expose credentials - it is recommended to use the env var or a configuration file.
description: >
This token must be specified with the header
"X-Honeycomb-Refinery-Query" in order for a `/query` request to
Expand Down Expand Up @@ -530,7 +530,7 @@ groups:
validations:
- type: format
arg: apikey
summary: is the API key used to send Refinery's logs to Honeycomb.
summary: is the API key used to send Refinery's logs to Honeycomb. Setting this value via a command line flag may expose credentials - it is recommended to use the env var or a configuration file.
description: >
It is recommended that you create a separate team and key for
Refinery logs.
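
Review bot: The warning is appended to `summary`, which until now was a single clause completing the field name ("is the API key used to send Refinery's logs to Honeycomb."), while the `description: >` block directly below already carries operational advice ("It is recommended that you create a separate team and key"). Suggest moving the sentence into `description` so the summary stays short; the same applies to the other `summary` lines changed in this file. The wording also differs from cmdenv.go ("via a flag" there, "via a command line flag" here); pick one phrasing for both files.
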
Expand Down Expand Up @@ -686,7 +686,7 @@ groups:
arg: apikey
envvar: REFINERY_HONEYCOMB_METRICS_API_KEY, HONEYCOMB_API_KEY
commandline: legacy-metrics-api-key
summary: is the API key used by Refinery to send its metrics to Honeycomb.
summary: is the API key used by Refinery to send its metrics to Honeycomb. Setting this value via a command line flag may expose credentials - it is recommended to use the env var or a configuration file.
description: >
It is recommended that you create a separate team and key for
Refinery metrics.
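
Review bot: "use the env var" in the new `summary` text is ambiguous for this field, because the `envvar:` line just above lists two names, `REFINERY_HONEYCOMB_METRICS_API_KEY` and `HONEYCOMB_API_KEY`. Suggest "an environment variable", or name the preferred one; the `otel-metrics-api-key` entry in the next hunk has the same two-name `envvar:` line.
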
Expand Down Expand Up @@ -757,7 +757,7 @@ groups:
envvar: REFINERY_OTEL_METRICS_API_KEY, HONEYCOMB_API_KEY
commandline: otel-metrics-api-key
firstversion: v2.0
summary: is the API key used to send Honeycomb metrics via OpenTelemetry.
summary: is the API key used to send Honeycomb metrics via OpenTelemetry. Setting this value via a command line flag may expose credentials - it is recommended to use the env var or a configuration file.
description: >
It is recommended that you create a separate team and key for
Refinery metrics.
Expand Down Expand Up @@ -839,7 +839,7 @@ groups:
validations:
- type: format
arg: apikey
summary: is the API key used to send Refinery's traces to Honeycomb.
summary: is the API key used to send Refinery's traces to Honeycomb. Setting this value via a command line flag may expose credentials - it is recommended to use the env var or a configuration file.
description: >
It is recommended that you create a separate team and key for
Refinery telemetry.
Expand Down Expand Up @@ -996,7 +996,7 @@ groups:
reload: false
envvar: REFINERY_REDIS_USERNAME
commandline: redis-username
summary: is the username used to connect to Redis for peer cluster membership management.
summary: is the username used to connect to Redis for peer cluster membership management. Setting this value via a command line flag may expose credentials - it is recommended to use the env var or a configuration file.
description: >
Many Redis installations do not use this field.
Expand All @@ -1009,7 +1009,7 @@ groups:
reload: false
envvar: REFINERY_REDIS_PASSWORD
commandline: redis-password
summary: is the password used to connect to Redis for peer cluster membership management.
summary: is the password used to connect to Redis for peer cluster membership management. Setting this value via a command line flag may expose credentials - it is recommended to use the env var or a configuration file.
description: >
Many Redis installations do not use this field.
Expand All @@ -1023,7 +1023,7 @@ groups:
firstversion: v2.2
envvar: REFINERY_REDIS_AUTH_CODE
commandline: redis-auth-code
summary: is the string used to connect to Redis for peer cluster membership management using an explicit AUTH command.
summary: is the string used to connect to Redis for peer cluster membership management using an explicit AUTH command. Setting this value via a command line flag may expose credentials - it is recommended to use the env var or a configuration file.
description: >
Many Redis installations do not use this field.
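
Review bot: This `redis-auth-code` summary is the eighth and last entry updated in configMeta.yaml, while cmdenv.go updates nine flags, and none of the eight summaries here corresponds to `honeycomb-api-key`. If that option has an entry in this file, it needs the same warning; if it has none, a line in the PR description saying so would explain the mismatch in counts.
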