Redact OTLP header and Datadog key configs in telemetry #11583
Open
bm1549 wants to merge 6 commits into
Contributor
🟢 Java Benchmark SLOs — All performance SLOs passed
PR vs. master results
Commit: Load and DaCapo benchmarks can be triggered manually in the GitLab pipeline. Results will appear in the Benchmarking Platform UI after completion.
…telemetry

Add the OTLP exporter header configurations and the Datadog API key and application key configurations to the telemetry configuration filter list so their values are reported as "<hidden>" in the configuration telemetry:

- OTEL_EXPORTER_OTLP_HEADERS
- OTEL_EXPORTER_OTLP_TRACES_HEADERS
- OTEL_EXPORTER_OTLP_METRICS_HEADERS
- OTEL_EXPORTER_OTLP_LOGS_HEADERS
- DD_API_KEY
- DD_APPLICATION_KEY (and its DD_APP_KEY alias)

For each configuration, every form that can reach ConfigSetting is covered: the dotted configuration names (otlp.traces.headers, otlp.metrics.headers, otlp.logs.headers, application-key, app-key) and the environment-variable names.

Mark these configurations, DD_API_KEY, and DD_APPLICATION_KEY with "sensitive: true" in metadata/supported-configurations.json.

Migrate ConfigSettingTest to JUnit 5 and extend it to cover the OTLP header and application key configurations, including an assertion that the configured value is not present in the reported telemetry value.

Update ConfigCollectorTest so the application key collected through the ConfigCollector pipeline is asserted to render as "<hidden>".

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…acted

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

…to JUnit, redact api-key/profiling collect-path forms, tighten drift guard

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

…onfigs

Collect the profiling api key under its property name (single DD_ telemetry name), reduce CONFIG_FILTER_LIST to the property-name forms values are actually collected under, and map OTEL headers to their OTLP collected form in the drift guard. Also mark and redact the remaining collected credential configs: the profiling and crash-tracking proxy passwords and the RUM client token.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

… in Groovy

Remove redaction of the deprecated profiling.api-key/profiling.apikey fallback env vars (and the getEnvCollectedAs helper they needed). Only redact non-null values, so an unset sensitive config still reports null rather than <hidden>. Revert ConfigCollectorTest from JUnit back to its original Groovy form with minimal redaction edits, and trim the ConfigSettingTest table to a few representative cases.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
bm1549
commented
Jun 12, 2026
| // entries in metadata/supported-configurations.json. | ||
| private static final Set<String> CONFIG_FILTER_LIST = | ||
| new HashSet<>( | ||
| Arrays.asList("DD_API_KEY", "dd.api-key", "dd.profiling.api-key", "dd.profiling.apikey")); |
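Review bot: the Arrays.asList(...) initializer of CONFIG_FILTER_LIST mixes one environment-variable form ("DD_API_KEY") with three dotted forms ("dd.api-key", "dd.profiling.api-key", "dd.profiling.apikey") in a HashSet<String>, whose contains() is an exact, case-sensitive match. If the name being looked up only ever arrives in one of those forms, the entries in the other form never match and make it harder to see which spelling is actually protecting the value. Keep only the forms the lookup receives and state that form in the comment above the declaration; since that comment already points at metadata/supported-configurations.json, a test comparing this set with that file's entries would keep the two from drifting apart.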
Contributor
Author
I was able to prove that the only format that occurs here is dd.api-key and not DD_API_KEY. Cleaning this up
bm1549
commented
Jun 12, 2026
What Does This Do
Renders sensitive configuration values (the OTLP exporter headers, the Datadog API and application keys, the profiling and crash-tracking proxy passwords, and the RUM client token) as <hidden> in configuration telemetry, and marks them sensitive: true in metadata/supported-configurations.json. Redaction matches the configuration property name each value is collected under, and only applies to values that are actually set.

Motivation
These configurations should not be included in configuration telemetry.

Additional Notes
A drift-guard test keeps the redaction list in sync with the sensitive: true entries in the registry.

Contributor Checklist
type: and (comp: or inst:) labels in addition to any other useful labels
close, fix, or any linking keywords when referencing an issue
Jira ticket: N/A
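
The redaction rule and drift guard described in this PR, as an added Java sketch that is not the PR's code: the class, method and map names are hypothetical, and the registry map is a constructed stand-in for metadata/supported-configurations.json, whose schema is not shown on this page.

```java
import java.util.*;

// Added illustration, not dd-trace-java code. All names below are hypothetical.
public class RedactionSketch {
  // Constructed stand-in for the "sensitive" flags in metadata/supported-configurations.json;
  // the real file's schema is an assumption here.
  static final Map<String, Boolean> REGISTRY = new LinkedHashMap<>();
  static {
    REGISTRY.put("otlp.traces.headers", true);
    REGISTRY.put("application-key", true);
    REGISTRY.put("service.name", false); // constructed non-sensitive entry
  }

  // Property-name forms whose values must never be reported.
  static final Set<String> FILTER =
      new HashSet<>(Arrays.asList("otlp.traces.headers", "application-key"));

  // Redact only values that are set: an unset sensitive config reports null, not "<hidden>".
  static Object render(String name, Object value) {
    if (value == null) return null;
    return FILTER.contains(name) ? "<hidden>" : value;
  }

  // Drift guard: symmetric difference between the flagged names and the filter.
  // Flagged but unfiltered means a value would leak; filtered but unflagged means a stale entry.
  static Set<String> drift(Map<String, Boolean> registry, Set<String> filter) {
    Set<String> sensitive = new TreeSet<>();
    registry.forEach((name, flag) -> { if (flag) sensitive.add(name); });
    Set<String> diff = new TreeSet<>(sensitive);
    diff.addAll(filter);
    Set<String> both = new TreeSet<>(sensitive);
    both.retainAll(filter);
    diff.removeAll(both);
    return diff;
  }

  public static void main(String[] args) {
    String secret = "authorization=Bearer constructed-token"; // constructed value
    Object shown = render("otlp.traces.headers", secret);
    if (String.valueOf(shown).contains("constructed-token")) throw new AssertionError("leak");
    if (render("application-key", null) != null) throw new AssertionError("unset must stay null");
    System.out.println("rendered: " + shown + ", " + render("service.name", "checkout"));
    System.out.println("drift: " + drift(REGISTRY, FILTER));
    REGISTRY.put("example.new-secret", true); // constructed: flagged, but filter not updated
    System.out.println("drift after new entry: " + drift(REGISTRY, FILTER));
  }
}
```

In a test suite the drift set would be asserted empty, so adding a sensitive entry to the registry without updating the filter fails the build instead of leaking the value.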