
TelemetryFlow Deployment


Production-Ready Infrastructure & Deployment Standards for the
TelemetryFlow Observability Platform

Security Policy

Supported Versions

Version Supported
1.0.x
< 1.0

Reporting a Vulnerability

Do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.

Instead, please report them to:

security@telemetryflow.id

We aim to respond within 72 hours and will keep you updated throughout the remediation process. Please include:

  • A description of the vulnerability.
  • Steps to reproduce (if applicable).
  • Affected versions and deployment method (Ansible / Helm / Operator).
  • Any suggested mitigations.

We ask that you:

  • Do not publicly disclose the issue before a fix is released.
  • Allow a reasonable timeframe for remediation before disclosure.
  • Make a good-faith effort to avoid privacy violations, data destruction, and data loss.

Security Best Practices for Deployment

Secret Management

  • Never commit secrets, credentials, API keys, or tokens to this repository.
  • Use .env files (already .gitignored) for local development.
  • In production, use a dedicated secrets manager.
  • Generate strong, unique secrets with make secrets-generate.
  • Rotate secrets regularly and after any personnel change.
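The following manifest is an added example, not part of the telemetryflow-deployment repository, of how a production cluster can pull a datastore credential from a secrets manager instead of shipping it in a .env file or ConfigMap. It assumes the External Secrets Operator is installed and that a ClusterSecretStore named vault-backend already points at your backend; the namespace name, secret names, and the remote key path telemetryflow/postgres are placeholders to adjust.

```yaml
# Added example: an ExternalSecret that materialises a Kubernetes Secret from a
# secrets manager. Assumes External Secrets Operator and a ClusterSecretStore
# named "vault-backend" (assumption, not from the repository).
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: postgres-credentials
  namespace: telemetryflow          # assumed namespace
spec:
  # Re-read the backend hourly so a rotation in the secrets manager reaches
  # the cluster without a redeploy.
  refreshInterval: 1h
  secretStoreRef:
    name: vault-backend             # assumed store name
    kind: ClusterSecretStore
  target:
    name: postgres-credentials      # the Secret the workload will reference
    creationPolicy: Owner           # ESO owns and garbage-collects the Secret
  data:
    - secretKey: POSTGRES_PASSWORD
      remoteRef:
        key: telemetryflow/postgres # placeholder path in the backend
        property: password
```

With this in place the workload references the generated Secret by name, the credential itself is never committed to git or rendered into a Helm values file, and rotation happens in the secrets manager rather than on the hosts.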

Network Security

  • Enable TLS for all inter-service communication.
  • Use network policies to restrict pod-to-pod traffic in Kubernetes.
  • Place the OTel Collector behind an authenticated ingress.
  • Do not expose datastore ports (PostgreSQL, ClickHouse, Redis, NATS) to the public internet.

Container Security

  • Use minimal base images (distroless / Chainguard).
  • Run containers as non-root users.
  • Pin image digests instead of floating tags in production.
  • Scan images for CVEs before deployment (Trivy, Grype).

Access Control

  • Follow the principle of least privilege for all service accounts.
  • Use Kubernetes RBAC to restrict operator and controller permissions.
  • Require signed commits on protected branches.
  • Enable audit logging on all critical endpoints.
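Here is an added example, not taken from the repository, of least-privilege RBAC for an operator service account: a namespaced Role rather than a ClusterRole, only the verbs the controller needs on the resource kinds it manages, and read access to one named Secret instead of all Secrets in the namespace. The service account, namespace and secret names are assumptions.

```yaml
# Added example, not from the telemetryflow-deployment repository.
# Assumed names: namespace "telemetryflow", service account and role
# "telemetryflow-operator", secret "postgres-credentials".
apiVersion: v1
kind: ServiceAccount
metadata:
  name: telemetryflow-operator
  namespace: telemetryflow
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role                     # namespaced; prefer this over a ClusterRole
metadata:
  name: telemetryflow-operator
  namespace: telemetryflow
rules:
  # Workloads and their wiring that the operator reconciles. No "delete" and
  # no wildcard verbs or resources.
  - apiGroups: ["apps"]
    resources: ["deployments", "statefulsets"]
    verbs: ["get", "list", "watch", "create", "update", "patch"]
  - apiGroups: [""]
    resources: ["services", "configmaps"]
    verbs: ["get", "list", "watch", "create", "update", "patch"]
  # Read exactly one Secret by name. "list"/"watch" are deliberately omitted:
  # they cannot be scoped by resourceNames and would expose every Secret.
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["postgres-credentials"]
    verbs: ["get"]
  # Events so the operator can report status without broader write access.
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: telemetryflow-operator
  namespace: telemetryflow
subjects:
  - kind: ServiceAccount
    name: telemetryflow-operator
    namespace: telemetryflow
roleRef:
  kind: Role
  name: telemetryflow-operator
  apiGroup: rbac.authorization.k8s.io
```

Check the effective permissions with `kubectl auth can-i --list --as=system:serviceaccount:telemetryflow:telemetryflow-operator -n telemetryflow`; the output should contain nothing beyond the rules above. Workloads that never call the API server (the datastores, for instance) should additionally set automountServiceAccountToken: false so a compromised container holds no token at all.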

Production Deployment Security Checklist

  • All secrets are stored in a secrets manager (not in files, env vars, or ConfigMaps).
  • TLS is enabled on every external and inter-service endpoint.
  • Network policies are applied to all namespaces.
  • Containers run as non-root with read-only root filesystems.
  • Image digests are pinned (no floating tags).
  • Pod security standards are enforced (baseline or restricted).
  • RBAC is configured with least-privilege service accounts.
  • Database credentials are rotated and not shared across environments.
  • Audit logging is enabled and logs are shipped to a secure destination.
  • Backups are configured and tested for PostgreSQL and ClickHouse.
  • The .env file is not present on any production host.
  • All default passwords have been replaced with strong, generated values.
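The manifest below is an added example (not the project's own chart output) that ties together the Container Security items above and the checklist entries on non-root execution, read-only root filesystems, digest pinning and enforced Pod Security Standards. The namespace enforces the "restricted" profile through Pod Security Admission, and the Deployment is written so that it passes that profile. The image reference, UID and namespace are assumptions; the digest is an all-zero placeholder to be replaced with the digest your registry reports for the scanned image.

```yaml
# Added example, not from the telemetryflow-deployment repository.
# Assumed namespace "telemetryflow" and image ghcr.io/example/telemetryflow-api.
---
# Pod Security Admission: reject, warn on, and audit anything that does not
# meet the "restricted" profile in this namespace.
apiVersion: v1
kind: Namespace
metadata:
  name: telemetryflow
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: telemetryflow-api
  namespace: telemetryflow
spec:
  replicas: 2
  selector:
    matchLabels:
      app: telemetryflow-api
  template:
    metadata:
      labels:
        app: telemetryflow-api
    spec:
      automountServiceAccountToken: false   # this workload never calls the API server
      securityContext:
        runAsNonRoot: true
        runAsUser: 65532                    # the "nonroot" user shipped in distroless images
        runAsGroup: 65532
        fsGroup: 65532
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: api
          # Pinned by digest, not tag. PLACEHOLDER digest: replace with the value
          # from your registry after the image has passed a Trivy or Grype scan.
          image: ghcr.io/example/telemetryflow-api@sha256:0000000000000000000000000000000000000000000000000000000000000000
          ports:
            - containerPort: 8080
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          # A read-only root filesystem still needs somewhere writable for
          # scratch files; give it an explicit, ephemeral volume.
          volumeMounts:
            - name: tmp
              mountPath: /tmp
      volumes:
        - name: tmp
          emptyDir: {}
```

A quick way to confirm the checklist items in a live cluster is to list images and flag any that lack an @sha256: digest, and to apply the manifest with `kubectl apply --dry-run=server`, which surfaces Pod Security Admission rejections before anything is scheduled.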

Contact

For non-security questions, open a GitHub Issue. For security concerns, email security@telemetryflow.id.
