Support for `username_file` configuration in prometheus http basic auth config

[wasim-nihal]

Proposal

Feature Request

Description:
Currently, a user has to explicitly type in the sensitive data in the configuration yaml. For example, in case of basic_auth, the user needs to configure the username and password. In our organization username is also considered as sensitive data and configuring it in this way is not acceptable.

In grafana, there is an option(called as File Provider) to provide a path to a file for an value using a placeholder like $__file{<path_to_file>}. At the runtime, the content of the file is read and substituted for the variable dynamically.

Advantages

1. In Kubernetes environment especially, the sensitive data can be made as secrets and mounted on the pod as files. And the placeholders in prometheus configuration can be dynamically updated with the contents of the respective files and then application is started.
2. Any field in the configuration yaml can be treated as sensitive data by the organizations. Gives them better flexibility.

Example Usage in configuration

- job_name: 'health_checks'
   scrape_interval: 4m
   scrape_timeout: 25s
   static_configs:
       - targets: ['organization.com']
   metrics_path: "/api/health"
   basic_auth:
     username: $__file{/etc/secret/username}
     password: $__file{/etc/secret/password}

Contribution

I am working on the changes for this feature and if you would allow, I would be happy to contribute this back to the Prometheus community.

[roidelapluie]

We already support reading passwords via file.

- job_name: 'health_checks'
   scrape_interval: 4m
   scrape_timeout: 25s
   static_configs:
       - targets: ['organization.com']
   metrics_path: "/api/health"
   basic_auth:
     username: username
     password_file: /etc/secret/password

[wasim-nihal]

Thanks for your response. This functionality is limited to passwords right? In some organizations, including mine, even username is treated as sensitive data and the value cannot be provided directly in the configuration yaml. So, with this feature, a user can create a Kubernetes secret for username and mount it to the pod and can further the configuration yaml placeholder($__file{username_secret_mount_file}) can be substituted with the content of the username secret.

With this, it will provide flexibility for the users/organizations on what fields they want to treat as sensitive data based on their requirements.

[roidelapluie]

I am open to adding a username_file if you think it's useful.

Please note that Prometheus is not just substituting a field with the content of a file. When a file is specified, we read it on every request, enabling rolling changes of passwords without configuration reloads.

[wasim-nihal]

yes, having username_file, similar to password_file would definitely be useful for some of the organizations like ours.
@roidelapluie , if this requirement (introduction of username_file) is okay, I would like to contribute here.

[wasim-nihal]

Hi @roidelapluie , please find the PR for having username_file configuration (file based basic auth username configuration).

• Adding support for file based configuration of basic auth username in http client config common#511
• Adding configuration documentation changes for username_file support for basic auth http client config #12749

[roypeter]

Hi @wasim-nihal, thank you for incorporating this feature; it has proven to be quite useful to us. Might you have an expected release date for it?

[beorn7]

Hello from the bug scrub!

This has been released as prometheus/common v0.45. Which made it into Prometheus with v2.49 via a dependency update. We missed documenting the change in the CHANGELOG, and more importantly did not update the config documentation. This only happened with v3. Sorry for that. But now it is definitely out there.