Add secret provider interface under feature flag

Signed-off-by: Daniel Hrabovcak <thespiritxiii@gmail.com>

cmd/prometheus/main.go

@@ -43,6 +43,7 @@ import (
 	"github.com/oklog/run"
 	"github.com/prometheus/client_golang/prometheus"
 	versioncollector "github.com/prometheus/client_golang/prometheus/collectors/version"
+	common_config "github.com/prometheus/common/config"
 	"github.com/prometheus/common/model"
 	"github.com/prometheus/common/promlog"
 	promlogflag "github.com/prometheus/common/promlog/flag"
@@ -68,6 +69,7 @@ import (
 	"github.com/prometheus/prometheus/promql/parser"
 	"github.com/prometheus/prometheus/rules"
 	"github.com/prometheus/prometheus/scrape"
+	"github.com/prometheus/prometheus/secrets"
 	"github.com/prometheus/prometheus/storage"
 	"github.com/prometheus/prometheus/storage/remote"
 	"github.com/prometheus/prometheus/tracing"
@@ -160,6 +162,7 @@ type flagConfig struct {
 	enableAutoGOMAXPROCS       bool
 	enableAutoGOMEMLIMIT       bool
 	enableConcurrentRuleEval   bool
+	enableSecretProviders      bool
 
 	prometheusURL   string
 	corsRegexString string
@@ -227,6 +230,9 @@ func (c *flagConfig) setFeatureListOptions(logger log.Logger) error {
 				config.DefaultConfig.GlobalConfig.ScrapeProtocols = config.DefaultProtoFirstScrapeProtocols
 				config.DefaultGlobalConfig.ScrapeProtocols = config.DefaultProtoFirstScrapeProtocols
 				level.Info(logger).Log("msg", "Experimental created timestamp zero ingestion enabled. Changed default scrape_protocols to prefer PrometheusProto format.", "global.scrape_protocols", fmt.Sprintf("%v", config.DefaultGlobalConfig.ScrapeProtocols))
+			case "secret-providers":
+				c.enableSecretProviders = true
+				level.Info(logger).Log("msg", "Experimental secret providers enabled")
 			case "":
 				continue
 			case "promql-at-modifier", "promql-negative-offset":
@@ -635,6 +641,8 @@ func main() {
 		ctxWeb, cancelWeb = context.WithCancel(context.Background())
 		ctxRule           = context.Background()
 
+		ctxSecrets = context.Background()
+
 		notifierManager = notifier.NewManager(&cfg.notifier, log.With(logger, "component", "notifier"))
 
 		ctxScrape, cancelScrape = context.WithCancel(context.Background())
@@ -698,6 +706,20 @@ func main() {
 		}
 	}
 
+	var secretManager *secrets.Manager
+	if cfg.enableSecretProviders {
+		manager := secrets.NewManager(
+			ctxSecrets,
+			secrets.ProviderOptions{
+				Logger: log.With(logger, "component", "secret manager"),
+			},
+			prometheus.DefaultRegisterer,
+		)
+		secretManager = &manager
+	}
+
+	cfg.scrape.HTTPClientOptions = append(cfg.scrape.HTTPClientOptions, common_config.WithSecretManager(secretManager))
+
 	scrapeManager, err := scrape.NewManager(
 		&cfg.scrape,
 		log.With(logger, "component", "scrape manager"),
@@ -871,6 +893,17 @@ func main() {
 				}
 				return discoveryManagerScrape.ApplyConfig(c)
 			},
+		}, {
+			name: "secret",
+			reloader: func(cfg *config.Config) error {
+				if secretManager == nil {
+					if cfg.SecretProviders != nil && len(*cfg.SecretProviders) > 0 {
+						return errors.New("secret providers are disabled")
+					}
+					return nil
+				}
+				return secretManager.ApplyConfig(*cfg.SecretProviders)
+			},
 		}, {
 			name:     "notify",
 			reloader: notifierManager.ApplyConfig,

config/config.go

@@ -35,6 +35,7 @@ import (
 	"github.com/prometheus/prometheus/discovery"
 	"github.com/prometheus/prometheus/model/labels"
 	"github.com/prometheus/prometheus/model/relabel"
+	"github.com/prometheus/prometheus/secrets"
 	"github.com/prometheus/prometheus/storage/remote/azuread"
 )
 
@@ -223,13 +224,14 @@ var (
 
 // Config is the top-level configuration for Prometheus's config files.
 type Config struct {
-	GlobalConfig      GlobalConfig    `yaml:"global"`
-	AlertingConfig    AlertingConfig  `yaml:"alerting,omitempty"`
-	RuleFiles         []string        `yaml:"rule_files,omitempty"`
-	ScrapeConfigFiles []string        `yaml:"scrape_config_files,omitempty"`
-	ScrapeConfigs     []*ScrapeConfig `yaml:"scrape_configs,omitempty"`
-	StorageConfig     StorageConfig   `yaml:"storage,omitempty"`
-	TracingConfig     TracingConfig   `yaml:"tracing,omitempty"`
+	GlobalConfig      GlobalConfig     `yaml:"global"`
+	AlertingConfig    AlertingConfig   `yaml:"alerting,omitempty"`
+	RuleFiles         []string         `yaml:"rule_files,omitempty"`
+	ScrapeConfigFiles []string         `yaml:"scrape_config_files,omitempty"`
+	ScrapeConfigs     []*ScrapeConfig  `yaml:"scrape_configs,omitempty"`
+	StorageConfig     StorageConfig    `yaml:"storage,omitempty"`
+	TracingConfig     TracingConfig    `yaml:"tracing,omitempty"`
+	SecretProviders   *secrets.Configs `yaml:"secrets,omitempty"`
 
 	RemoteWriteConfigs []*RemoteWriteConfig `yaml:"remote_write,omitempty"`
 	RemoteReadConfigs  []*RemoteReadConfig  `yaml:"remote_read,omitempty"`

config/config_test.go

@@ -1998,6 +1998,10 @@ var expectedErrors = []struct {
 		filename: "scrape_config_files_scrape_protocols2.bad.yml",
 		errMsg:   `parsing YAML file testdata/scrape_config_files_scrape_protocols2.bad.yml: duplicated protocol in scrape_protocols, got [OpenMetricsText1.0.0 PrometheusProto OpenMetricsText1.0.0] for scrape config with job name "node"`,
 	},
+	{
+		filename: "secret_provider.bad.missing_provider_config.yml",
+		errMsg:   "expected secret provider but found none",
+	},
 }
 
 func TestBadConfigs(t *testing.T) {

config/testdata/secret_provider.bad.missing_provider_config.yml

@@ -0,0 +1,2 @@
+secrets:
+  - name: abc

go.mod

@@ -202,6 +202,7 @@ require (
 )
 
 replace (
+	github.com/prometheus/common => github.com/TheSpiritXIII/prometheus-common v0.50.0-gmp.0
 	k8s.io/klog => github.com/simonpasquier/klog-gokit v0.3.0
 	k8s.io/klog/v2 => github.com/simonpasquier/klog-gokit/v3 v3.3.0
 )