Add secret provider interface under feature flag #13955
Open
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes: #8551
Partially fixes: prometheus/alertmanager#3108
Group Discussion: https://groups.google.com/g/prometheus-developers/c/WKOej_pnhXg
Initial Design Doc: https://docs.google.com/document/d/1EqHd2EwQxf9SYD8-gl3sgkwaU6A10GhiN7aw-2kx7NU/edit
Description
Interface
This PR adds a
Provider
interface, which is registered similarly to service discovery interfaces. There is a respectiveRegisterProvider
which can let us register a provider within aninit
method.Implementers implement
Apply(configs []Config[yaml.Node]) ([]Secret, error)
. A sample config looks like this:Your scrape config would look as follows:
Providers output a
Secret
which is just afunc(ctx context.Context, node *yaml.Node) -> (string, error)
. This allows secrets to be fetched on-demand, or cached. Up to the implementer.Usage
Before using this functionality, users must enable the "secret-providers" feature flag.
Default Providers
This PR only adds two default providers out of the box:
inline
andfile
, which allows users to configure their existing secrets with the new configuration, e.g. for BasicAuth replacepassword
andpassword_file
respectively.Or:
Maintainability
Test coverage here is ≥90 to ensure no breaking changes.
One note is that I've provided both
yaml.v2
andyaml.v3
versions of theConfigs
object.Pull Requests