Telegraf OPCUA input plugin configuration options using helm chart

I am using this telegraf helm chart:

It’s configured with a values.yaml file that defines the telegraf.conf (using yaml). Here is the config section of my values.yaml:

config:
  agent:
    interval: "10s"
    round_interval: true
    metric_batch_size: 1000
    metric_buffer_limit: 10000
    collection_jitter: "0s"
    flush_interval: "10s"
    flush_jitter: "0s"
    precision: ""
    debug: false
    quiet: false
    logfile: ""
    hostname: "$HOSTNAME"
    omit_hostname: false
  processors:
    - enum:
        mapping:
          field: "status"
          dest: "status_code"
          value_mappings:
            healthy: 1
            problem: 2
            critical: 3
  outputs:
    - influxdb:
        urls:
          - "http://endpoint:8429"
        database: "telegraf"
  inputs:
    - statsd:
        service_address: ":8125"
        percentiles:
          - 50
          - 95
          - 99
        metric_separator: "_"
        allowed_pending_messages: 10000
        percentile_limit: 1000
    - opcua:
        name: "opcua_simulator"
        endpoint: "opc.tcp://endpoint:46010"
        connect_timeout: "10s"
        request_timeout: "5s"
        security_policy: "None"
        security_mode: "None"
        auth_method: "Anonymous"
        nodes:
          - name: "ConcentrationNH3"
            namespace: "2"
            identifier_type: "s"
            identifier: "ConcentrationNH3"
          - name: "ConcentrationN2"
            namespace: "2"
            identifier_type: "s"
            identifier: "ConcentrationN2"
          - name: "ConcentrationH2"
            namespace: "2"
            identifier_type: "s"
            identifier: "ConcentrationH2"
          - name: "Pressure"
            namespace: "2"
            identifier_type: "s"
            identifier: "Pressure"

Specifically, look at the opcua plugin configuration:

    - opcua:
        name: "opcua_simulator"
        endpoint: "opc.tcp://endpoint:46010"
        connect_timeout: "10s"
        request_timeout: "5s"
        security_policy: "None"
        security_mode: "None"

When I try run telegraf with this configuration I get this error:

2024-10-09T02:52:08Z I! Loading config: /etc/telegraf/telegraf.conf
2024-10-09T02:52:08Z E! loading config file /etc/telegraf/telegraf.conf failed: plugin inputs.opcua: line 32: configuration specified the fields ["request_timeout" "security_mode" "security_policy"], but they were not used. This is either a typo or this config option does not exist in this version.

Which is odd because those field should definitely exist and I need to set them to None to get my setup working.

I removed those fields and as able to boot telegraf. Then I manually edited the telegraf.conf file to re-include those fields and rebooted the pod. That worked with no issue so I know the fields are valid.

My question is this: Why can I not set the fields [“request_timeout” “security_mode” “security_policy”] in the helm chart values.yaml, but I can set them manually in the telegraf.conf?

I am guessing this is some sort of templating issue, or some problem converting yaml to toml.

Can I sidestep the helm chart’s values file and directly mount in my config file as a configmap? Any other suggestions?

EDIT:
I also wanted to include the errors I see without the security_mode and security_policy values set:

2024-10-09T21:47:40Z W! [inputs.opcua] Failed to load certificate: open /etc/telegraf/cert.pem: no such file or directory
2024-10-09T21:47:40Z E! [inputs.opcua] Error in plugin: connect failed: error in Client Connection: opcua: invalid channel config: Security policy 'http://opcfoundation.org/UA/SecurityPolicy#Aes256_Sha256_RsaPss' requires a private key
2024-10-09T21:47:50Z E! [inputs.opcua] Error in plugin: not connected, in state "Connecting"

This is why I need to be able to set those values.

By default the security policy is “auto” so it will use what the server requests. Seems in your case the server wants Aes256_Sha256_RsaPss
Try explicitly specifying the security_mode and security_policy!

Yes, I understand. I am trying to set those values via the helm chart values.yaml file but it is not working. I have to manually set them on the generated ConfigMap after deploying. My problem is with the helm chart conversion from values.yaml json to the config toml file.

A PR against the helm chart would be awesome!

I will happily submit a PR if I am able to figure out the solution.

1 Like

I have submitted a PR here: Ensure simple types are rendered before complex types (fixes #682) by jminardi · Pull Request #689 · influxdata/helm-charts · GitHub