
receivercreator logs the entire config including passwords in clear text #38163

Open
@alexgenon


Component(s)

receiver/receivercreator

What happened?

Description

When starting a new receiver, the receiver creator logs the config used, including the password in clear text.
See observerhandler.go#L201.
Note: the postgresql receiver uses a configopaque.String (see config.go#L33).

Steps to Reproduce

In Kubernetes, deploy a collector configured as follows:

  • using the k8sobserver to "observe" the creation of new pods
  • using the receiver creator to create a postgresql receiver. Configure the password in the template (e.g. using a secret).

Deploy a new PostgreSQL cluster to be discovered by the receivercreator

Check the collector's logs: the password appears in clear text.

This is how we discovered this issue, but there are certainly easier ways of reproducing it.

Expected Result

Passwords, private keys, ... are redacted.

Actual Result

The password is shown in clear text.

Collector version

0.119.0

Environment information

Environment

Kubernetes
Zalando's PostgreSQL operator

OpenTelemetry Collector configuration

extensions:
  k8s_observer:
    auth_type: serviceAccount
    observe_pods: true

receivers:
  jaeger: null
  prometheus: null
  zipkin: null
  otlp: null

  receiver_creator:
    watch_observers: [k8s_observer]
    receivers:
      postgresql:
        rule: type == "pod" && annotations['o11y_type'] == "postgresql"
        config:
          endpoint: '`endpoint`:5432'
          username: ${PG_USERNAME}
          password: ${PG_PWD}
          metrics:
            postgresql.database.locks:
              enabled: true
            postgresql.deadlocks:
              enabled: true
            postgresql.sequential_scans:
              enabled: true
            postgresql.temp_files:
              enabled: true
            postgresql.wal.delay:
              enabled: true


service:
  extensions:
    - k8s_observer
    - health_check
  pipelines:
    metrics:
      receivers:
        - receiver_creator
      exporters:
        - debug

    logs: null
    traces: null

Log output

{
    "level": "info",
    "ts": "2025-02-24T16:15:03.664Z",
    "caller": "[email protected]/observerhandler.go:201",
    "msg": "starting receiver",
    "kind": "receiver",
    "name": "receiver_creator",
    "data_type": "metrics",
    "name": "postgresql",
    "endpoint": "<redacted>",
    "endpoint_id": "k8s_observer/<redacted>",
    "config": {
        "endpoint": "`endpoint`:5432",
        "metrics": {
            "postgresql.database.locks": {
                "enabled": true
            },
            "postgresql.deadlocks": {
                "enabled": true
            },
            "postgresql.sequential_scans": {
                "enabled": true
            },
            "postgresql.temp_files": {
                "enabled": true
            },
            "postgresql.wal.delay": {
                "enabled": true
            }
        },
        "password": "<here, there's a real password>",
        "username": "<here, there's a real username>"
    }
}

Additional context

No response
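
The contrast the report points at, as an added example that is not part of the issue or the collector's code: a raw config map like the one in the log output serializes its password verbatim, a typed config with a self-redacting field does not, and a key-based redaction pass makes the raw map safe to log. Assumptions: `opaque` is a local stand-in for the idea behind configopaque.String, and `typedConfig`, `sensitive`, `redact` and all sample values are hypothetical and constructed.

```go
package main
import (
	"encoding/json"
	"fmt"
	"strings"
)

// opaque is a local stand-in for a self-redacting string type (the idea
// behind configopaque.String); it is not the collector's own type.
type opaque string
func (opaque) MarshalText() ([]byte, error) { return []byte("[REDACTED]"), nil }

// typedConfig is a hypothetical typed receiver config.
type typedConfig struct {
	Username string `json:"username"`
	Password opaque `json:"password"`
}

// sensitive is an assumed denylist of key-name fragments.
var sensitive = []string{"password", "secret", "token", "private_key"}

// redact deep-copies a raw config value, masking values under sensitive keys.
func redact(v any) any {
	m, ok := v.(map[string]any)
	if !ok {
		return v // scalars (and, in this narrowed example, lists) pass through
	}
	out := make(map[string]any, len(m))
	for k, val := range m {
		out[k] = redact(val)
		for _, s := range sensitive {
			if strings.Contains(strings.ToLower(k), s) {
				out[k] = "[REDACTED]"
			}
		}
	}
	return out
}

func render(v any) string { b, _ := json.Marshal(v); return string(b) }
// sampleRaw is constructed data shaped like the template in the issue.
func sampleRaw() map[string]any {
	return map[string]any{"endpoint": "`endpoint`:5432", "username": "pguser",
		"password": "constructed-pw",
		"metrics":  map[string]any{"postgresql.deadlocks": map[string]any{"enabled": true}}}
}

func main() {
	fmt.Println("raw map: ", render(sampleRaw()))
	fmt.Println("typed:   ", render(typedConfig{"pguser", "constructed-pw"}))
	fmt.Println("redacted:", render(redact(sampleRaw())))
}
```

A key-name denylist only catches fields it knows about, so it complements self-redacting types rather than replacing them.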
