Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

feat: add secrets management#17648

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Draft
hsmatulis wants to merge1 commit intoprometheus:main
base:main
Choose a base branch
Loading
fromhsmatulis:hsmatulis-secrets

Conversation

@hsmatulis
Copy link

secrets: Add remote secrets providers

See the proposal here. This PR is currently a work in progress, demonstrating how user's would interact with the secrets management API

Which issue(s) does the PR fix:

Does this PR introduce a user-facing change?

[FEATURE] This introduces the "secret providers" core library for Prometheus, which will later enable fetching secrets from external systems. The config format will allow specifying a provider and its parameters to any `<secret>` fields.

Copy link
Member

@bwplotkabwplotka left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

This is good! Super minimal change surface.

I'd actually iterate over this PR and make this ready to be merged once common change is merged. We could double check all tests etc. 💪🏽

There are definitely some tests to fix, but it might be as trivial as adding(f *Field) Equals(other Field) bool so comparisons work correctly (they don't depend on state):

Image

},
func(error) {
logger.Info("Stopping scrape discovery manager...")
cancelScrape()
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

It probably needs its own context.

Comment on lines +657 to +661
var (
secretsManager*secrets.Manager
)
// needs logger: logger.With("component", "secrets manager")
secretsManager,err=secrets.NewManager(context.Background(),prometheus.DefaultRegisterer,secrets.Providers,cfgFile)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Suggested change
var (
secretsManager*secrets.Manager
)
// needs logger: logger.With("component", "secrets manager")
secretsManager,err=secrets.NewManager(context.Background(),prometheus.DefaultRegisterer,secrets.Providers,cfgFile)
// TODO: Pass logger.With("component", "secrets manager")
secretsManager,err:=secrets.NewManager(context.Background(),prometheus.DefaultRegisterer,secrets.Providers,cfgFile)

select {
case<-hup:
iferr:=reloadConfig(cfg.configFile,cfg.tsdb.EnableExemplarStorage,logger,noStepSubqueryInterval,callback,reloaders...);err!=nil {
iferr:=reloadConfig(cfg.configFile,cfg.tsdb.EnableExemplarStorage,logger,noStepSubqueryInterval,secretsManager,callback,reloaders...);err!=nil {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

We could probably DRY this g.Add with something like

// before loopreload = func()error {   return reloadConfig(cfg.configFile, cfg.tsdb.EnableExemplarStorage, logger, noStepSubqueryInterval, callback, reloaders...),}// ...if err := reload(); err != nil {

}
}

iferr:=secretsManager.HydrateConfig(nil,conf);err!=nil {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Maybe we could work on this name. Reminds me to grab a cup of water though! (:

Image

Maybe:

Suggested change
iferr:=secretsManager.HydrateConfig(nil,conf);err!=nil {
iferr:=secretsManager.ReloadConfig(context.TODO(),conf);err!=nil {

NamespaceDiscoveryNamespaceDiscovery`yaml:"namespaces,omitempty"`
Selectors []SelectorConfig`yaml:"selectors,omitempty"`
AttachMetadataAttachMetadataConfig`yaml:"attach_metadata,omitempty"`
ExampleSecret secrets.Field`yaml:"example_secret"`
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Nice, easy use 👍🏽

Let's remove and iterate over this PR to be effectively testable and potentially mergable once common change is done, looks promising!

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Although your other examples use*secrets.Field (pointer)?

@bwplotka
Copy link
Member

For release log, keep in mind this is for user facing changes (e.g. user of Prometheus YAML). I would mention what user can expect (generic field and removal of ref).

I'd recommend:

[FEATURE] config: All secret fields e.g. `scrape[].basic_auth.password` supports now "generic" format.  This means users are able to specify in `password` either inlined secret as previously or one from certain provider. Currently only `inline` and `file` providers are supported, with more to come. Old `password_field`-like fields are still supported although discouraged. This change also removes the undocumented `password_ref`-like fields which were unused. See [documentation](TODO) and [PROM-47](https://github.com/prometheus/proposals/blob/main/proposals/0047-secret_providers.md) for details.

@bwplotka
Copy link
Member

Exciting feature! We even plan to mention it on KubeCon EU in March if that's ok (: cc@hsmatulis

Hopefully it's done until then 💪🏽

@bwplotka
Copy link
Member

Sign up for freeto join this conversation on GitHub. Already have an account?Sign in to comment

Reviewers

@bwplotkabwplotkabwplotka left review comments

@branczbranczAwaiting requested review from branczbrancz will be requested when the pull request is marked ready for reviewbrancz is a code owner

Copilot code reviewCopilotAwaiting requested review from CopilotCopilot will automatically review once the pull request is marked ready for review

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Generally enable reading secrets from files How to encrypt basic_auth password/password_file in prometheus.yml file?

2 participants

@hsmatulis@bwplotka
[8]ページ先頭
©2009-2025 Movatter.jp