Skip to content

Redact OTLP header and Datadog key configs in telemetry#11583

Draft
bm1549 wants to merge 1 commit into
masterfrom
brian.marks/omit-sensitive-config-telemetry
Draft

Redact OTLP header and Datadog key configs in telemetry#11583
bm1549 wants to merge 1 commit into
masterfrom
brian.marks/omit-sensitive-config-telemetry

Conversation

@bm1549
Copy link
Copy Markdown
Contributor

@bm1549 bm1549 commented Jun 6, 2026

What Does This Do

Renders the OTLP exporter header configurations and the Datadog API and application keys as <hidden> in configuration telemetry, and marks them sensitive: true in metadata/supported-configurations.json.

Motivation

These configurations should not be included in configuration telemetry.

Additional Notes

ConfigSettingTest was migrated from Groovy to JUnit 5 as part of adding coverage.

Contributor Checklist

Jira ticket: N/A

@bm1549 bm1549 added comp: telemetry Telemetry tag: ai generated Largely based on code generated by an AI or LLM type:chore labels Jun 6, 2026
@datadog-datadog-prod-us1

This comment has been minimized.

Sign in to view
@bm1549 @claude
Redact OTLP header and Datadog key configurations from configuration …
19f31ad 
…telemetry

Add the OTLP exporter header configurations and the Datadog API key and
application key configurations to the telemetry configuration filter
list so their values are reported as "<hidden>" in the configuration
telemetry:

- OTEL_EXPORTER_OTLP_HEADERS
- OTEL_EXPORTER_OTLP_TRACES_HEADERS
- OTEL_EXPORTER_OTLP_METRICS_HEADERS
- OTEL_EXPORTER_OTLP_LOGS_HEADERS
- DD_API_KEY
- DD_APPLICATION_KEY (and its DD_APP_KEY alias)

For each configuration, every form that can reach ConfigSetting is
covered: the dotted configuration names (otlp.traces.headers,
otlp.metrics.headers, otlp.logs.headers, application-key, app-key) and
the environment-variable names. Mark these configurations, DD_API_KEY,
and DD_APPLICATION_KEY with "sensitive: true" in
metadata/supported-configurations.json.

Migrate ConfigSettingTest to JUnit 5 and extend it to cover the OTLP
header and application key configurations, including an assertion that
the configured value is not present in the reported telemetry value.
Update ConfigCollectorTest so the application key collected through the
ConfigCollector pipeline is asserted to render as "<hidden>".

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@bm1549 bm1549 force-pushed the brian.marks/omit-sensitive-config-telemetry branch from 6f11563 to 19f31ad Compare June 6, 2026 01:32
@dd-octo-sts
Copy link
Copy Markdown
Contributor

dd-octo-sts Bot commented Jun 6, 2026

🟢 Java Benchmark SLOs — All performance SLOs passed

Suite Status
Startup 🟢 pass

SLO thresholds are defined here based on automatically generated metrics. A warning is raised when results are within 5% of the threshold.

PR vs. master results
Scenario Candidate master Δ (95% CI of mean)
startup:insecure-bank:iast:Agent 14.01 s 13.99 s [-0.6%; +0.9%] (no difference)
startup:insecure-bank:tracing:Agent 12.93 s 13.00 s [-1.8%; +0.8%] (no difference)
startup:petclinic:appsec:Agent 17.07 s 16.92 s [-0.1%; +1.9%] (no difference)
startup:petclinic:iast:Agent 17.07 s 17.20 s [-2.0%; +0.6%] (no difference)
startup:petclinic:profiling:Agent 17.14 s 16.92 s [+0.1%; +2.4%] (maybe worse)
startup:petclinic:tracing:Agent 16.28 s 16.51 s [-2.5%; -0.3%] (maybe better)

Commit: 19f31ada · CI Pipeline · Benchmarking Platform UI

Load and DaCapo benchmarks can be triggered manually in the GitLab pipeline. Results will appear in the Benchmarking Platform UI after completion.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

comp: telemetry Telemetry tag: ai generated Largely based on code generated by an AI or LLM type:chore

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@bm1549