From b3f68b16f731e977a2853dc77e469c6d50252f68 Mon Sep 17 00:00:00 2001 From: Stran Dutton Date: Wed, 1 Jul 2026 12:44:16 -0500 Subject: [PATCH] fix: move non-sensitive data out of secrets.toml --- deployments/helm/openhound/README.md | 4 ++-- deployments/helm/values.example.yaml | 3 ++- .../bloodhound-enterprise/.dlt-example/config.toml | 4 ++++ .../bloodhound-enterprise/.dlt-example/secrets_github.toml | 1 - .../bloodhound-enterprise/.dlt-example/secrets_jamf.toml | 1 - .../bloodhound-enterprise/.dlt-example/secrets_okta.toml | 1 - .../bloodhound-enterprise/docker-compose.yml | 2 +- .../destinations/bloodhound_enterprise/destination.py | 2 +- 8 files changed, 10 insertions(+), 8 deletions(-) diff --git a/deployments/helm/openhound/README.md b/deployments/helm/openhound/README.md index a62a8d4..cf01b0d 100644 --- a/deployments/helm/openhound/README.md +++ b/deployments/helm/openhound/README.md @@ -46,11 +46,11 @@ collector: name: jamf extraSecretMounts: { } -# The BHE destination config. This is typically stored inside the same secrets.toml referenced by config.existingSecret, but non-sensitive values can be provided here for convenience. +# The BHE destination url is non-sensitive config; set it here, via environment variable, or in config.toml. +# Sensitive credentials (token_id and token_key) belong in secrets.toml referenced by config.existingSecret. destination: bloodhoundEnterprise: url: https://test.bloodhoundenterprise.io - interval: "300" ``` diff --git a/deployments/helm/values.example.yaml b/deployments/helm/values.example.yaml index 271922d..d454ac7 100644 --- a/deployments/helm/values.example.yaml +++ b/deployments/helm/values.example.yaml @@ -21,7 +21,8 @@ collector: name: jamf extraSecretMounts: { } -# The BHE destination config. This is typically stored inside the same secrets.toml referenced by config.existingSecret, but non-sensitive values can be provided here for convenience. +# The BHE destination url is non-sensitive config; set it here, via environment variable, or in config.toml. +# Sensitive credentials (token_id and token_key) belong in secrets.toml referenced by config.existingSecret. destination: bloodhoundEnterprise: url: https://test.bloodhoundenterprise.io diff --git a/example-configurations/bloodhound-enterprise/.dlt-example/config.toml b/example-configurations/bloodhound-enterprise/.dlt-example/config.toml index 31e03b2..8da76f8 100644 --- a/example-configurations/bloodhound-enterprise/.dlt-example/config.toml +++ b/example-configurations/bloodhound-enterprise/.dlt-example/config.toml @@ -14,6 +14,10 @@ request_max_retry_delay = 900 # To switch to structured JSON instead, uncomment the line below (must be uppercase "JSON") # log_format = "JSON" +# BHE destination URL (non-sensitive; tokens go in secrets.toml) +[destination.bloodhoundenterprise] +url = "bhe_url" + [extract] workers = 8 diff --git a/example-configurations/bloodhound-enterprise/.dlt-example/secrets_github.toml b/example-configurations/bloodhound-enterprise/.dlt-example/secrets_github.toml index 77c7b6f..b02780c 100644 --- a/example-configurations/bloodhound-enterprise/.dlt-example/secrets_github.toml +++ b/example-configurations/bloodhound-enterprise/.dlt-example/secrets_github.toml @@ -1,7 +1,6 @@ [destination.bloodhoundenterprise] token_id = "client_token_id" token_key = "client_token_key" -url = "bhe_url" # Example configuration for github secrets: https://bloodhound.specterops.io/openhound/collectors/github/collect-data#example-configuration [sources.source.github.credentials] diff --git a/example-configurations/bloodhound-enterprise/.dlt-example/secrets_jamf.toml b/example-configurations/bloodhound-enterprise/.dlt-example/secrets_jamf.toml index d65f0b8..635b179 100644 --- a/example-configurations/bloodhound-enterprise/.dlt-example/secrets_jamf.toml +++ b/example-configurations/bloodhound-enterprise/.dlt-example/secrets_jamf.toml @@ -1,7 +1,6 @@ [destination.bloodhoundenterprise] token_id = "client_token_id" token_key = "client_token_key" -url = "bhe_url" # Example configuration for jamf secrets: https://bloodhound.specterops.io/openhound/collectors/jamf/collect-data#example-configuration [sources.source.jamf.credentials] diff --git a/example-configurations/bloodhound-enterprise/.dlt-example/secrets_okta.toml b/example-configurations/bloodhound-enterprise/.dlt-example/secrets_okta.toml index cdae32b..9caf08a 100644 --- a/example-configurations/bloodhound-enterprise/.dlt-example/secrets_okta.toml +++ b/example-configurations/bloodhound-enterprise/.dlt-example/secrets_okta.toml @@ -1,7 +1,6 @@ [destination.bloodhoundenterprise] token_id = "client_token_id" token_key = "client_token_key" -url = "bhe_url" # Example configuration for okta secrets: https://bloodhound.specterops.io/openhound/collectors/okta/collect-data#example-configuration [sources.source.okta.credentials] diff --git a/example-configurations/bloodhound-enterprise/docker-compose.yml b/example-configurations/bloodhound-enterprise/docker-compose.yml index ea0febb..657ccef 100644 --- a/example-configurations/bloodhound-enterprise/docker-compose.yml +++ b/example-configurations/bloodhound-enterprise/docker-compose.yml @@ -50,7 +50,7 @@ services: secrets: # Copy the .dlt-example folder to ${HOME}/.dlt as a starting point for each secrets file. - # Each secrets file must also contain [destination.bloodhoundenterprise] with url, token_id, and token_key. + # Each secrets file must contain [destination.bloodhoundenterprise] with token_id and token_key. # Jamf: username + password auth secrets_jamf: diff --git a/src/openhound/destinations/bloodhound_enterprise/destination.py b/src/openhound/destinations/bloodhound_enterprise/destination.py index f32fb34..725f4d7 100644 --- a/src/openhound/destinations/bloodhound_enterprise/destination.py +++ b/src/openhound/destinations/bloodhound_enterprise/destination.py @@ -16,7 +16,7 @@ def ingest( items: TDataItems, table: TTableSchema, - url: str = dlt.secrets.value, + url: str = dlt.config.value, token_id: str = dlt.secrets.value, token_key: str = dlt.secrets.value, source_kind: str = dlt.config.value,