Generally enable reading secrets from files

[beorn7]

For a bunch of secrets in the config file, we already allow to alternatively read it from a file, e.g. if there is a password field, there is also a password_file field. Only one of those may be used.

However, we do not offer this behavior consistently. Occasionally, we get feature requests to allow it for particular fields. This issue proposes to just consistently offer the feature for all secrets in general (exceptions might be possible or even required in particular cases, but those would then be exceptions and not just the normal case).

See also this discussion.

Note that the semantics generally is to read the secret from the file for each new request (so that password rotation works seamlessly). Exceptions need to be documented clearly (but ideally, we would avoid those entirely). Cf. a previous issue about this: #6140

Also note that for consistency with the already quite frequent existing usage, we won't go for a new YAML construct like

secret:
  type: file
  file: "/etc/my-secrets/..."

This could be considered for a future release, though.

[beorn7]

@mem wants to work on this, at least on a few secrets, so assigning to him.

[mem]

For Prometheus common

These are part of TLSConfig:

• CAFile, from github.com/prometheus/common/config/http_config.go
• CertFile, from github.com/prometheus/common/config/http_config.go
• KeyFile, from github.com/prometheus/common/config/http_config.go

This is part of HTTPClientConfig:

• BearerTokenFile, from github.com/prometheus/common/config/http_config.go, this is already handled in the desired way, as there's another entry BearerToken

This is part of BasicAuth:

• PasswordFile, from github.com/prometheus/common/config/http_config.go, this is already handled in the desired way with the entry Password.

For Prometheus

This is part of SDConfig

• AuthTokenFile, already handled in the desired way with AuthToken.

For exporter-toolkit

This is part of TLSStruct

• TLSCertPath
• TLSKeyPath
• ClientCAs

[roidelapluie]

 CAFile, from github.com/prometheus/common/config/http_config.go
 CertFile, from github.com/prometheus/common/config/http_config.go
 KeyFile, from github.com/prometheus/common/config/http_config.go

Are already files

 TLSCertPath
 TLSKeyPath
 ClientCAs

Are already files

[roidelapluie]

I think the main goal here is to be able to read secrets from external files, not to load certificates from primary file.

[mem]

The agreement in the linked discussion is to make this consistent, so those options which only offer the possibility of reading a file should have the inline form added.

I was actually looking for the options where the user can only specify inline secrets, and I haven't found any, but I have only looked at the mentioned packages.

[roidelapluie]

here are the secrets I think we can't read from files:

• azure sd's client secret
• consul token
• aws secret key
• openstack password
• openstak application_credential_secret

[mem]

ah, thanks!

[mem]

Prometheus

• Azure SD's client secret
• Consul SD's token
• Consul SD's password
• EC2 SD's secret key
• Marathon SD's auth token
• OpenStack SD's password
• OpenStack SD's application credential secret