Conversation
There was a problem hiding this comment.
This is good! Super minimal change surface.
I'd actually iterate over this PR and make this ready to be merged once common change is merged. We could double check all tests etc. 💪🏽
There are definitely some tests to fix, but it might be as trivial as adding (f *Field) Equals(other Field) bool so comparisons work correctly (they don't depend on state):
discovery/kubernetes/kubernetes.go
Outdated
| NamespaceDiscovery NamespaceDiscovery `yaml:"namespaces,omitempty"` | ||
| Selectors []SelectorConfig `yaml:"selectors,omitempty"` | ||
| AttachMetadata AttachMetadataConfig `yaml:"attach_metadata,omitempty"` | ||
| ExampleSecret secrets.Field `yaml:"example_secret"` |
There was a problem hiding this comment.
Nice, easy use 👍🏽
Let's remove and iterate over this PR to be effectively testable and potentially mergable once common change is done, looks promising!
There was a problem hiding this comment.
Although your other examples use *secrets.Field (pointer)?
There was a problem hiding this comment.
Switched to not using pointers as the default way, and added a nil provider to represent when the user passes in nothing
|
For release log, keep in mind this is for user facing changes (e.g. user of Prometheus YAML). I would mention what user can expect (generic field and removal of ref). I'd recommend: |
|
Exciting feature! We even plan to mention it on KubeCon EU in March if that's ok (: cc @hsmatulis Hopefully it's done until then 💪🏽 |
90d17c1 to
09ab0ec
Compare
There was a problem hiding this comment.
Pull request overview
This PR adds secrets management functionality to Prometheus, allowing users to specify secrets from different providers (inline and file) instead of only inline secrets. The implementation includes a secrets manager component that runs as part of the main Prometheus process and populates configuration with resolved secrets during config loading and reloading.
Key Changes
- Added secrets manager integration that runs alongside other Prometheus components
- Modified the configuration reload mechanism to populate secrets from configured providers
- Replaced prometheus/common dependency with a personal fork containing secrets management implementation
Reviewed changes
Copilot reviewed 2 out of 3 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| go.mod | Adds module replacement directing prometheus/common to personal fork with secrets management |
| go.sum | Updates dependency checksums for the replaced module and adds new indirect dependencies |
| cmd/prometheus/main.go | Integrates secrets manager lifecycle, adds context management, and modifies reload logic to populate secrets |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
go.mod
Outdated
| google.golang.org/api v0.30.0 | ||
| ) | ||
|
|
||
| replace github.com/prometheus/common => github.com/hsmatulis/prom-common v0.0.8 |
There was a problem hiding this comment.
The replace directive redirects the first-party module github.com/prometheus/common to a personal fork github.com/hsmatulis/prom-common v0.0.8, introducing a supply-chain risk because all imports of github.com/prometheus/common now execute code from an external, individually controlled repository. If that fork or its release process is compromised, an attacker could inject malicious logic into Prometheus, potentially exfiltrating secrets or altering security-critical behavior without changes in this repository. To reduce this risk, depend on the official github.com/prometheus/common module (or an internal fork under the Prometheus organization or vendored code) rather than a third-party fork as a drop-in replacement for core infrastructure code.
d77faac to
57e14f8
Compare
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 15 out of 16 changed files in this pull request and generated 2 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
e5e361e to
72cf435
Compare
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 17 out of 18 changed files in this pull request and generated 2 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
5bf50e3 to
f2279c4
Compare
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 18 out of 19 changed files in this pull request and generated no new comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Signed-off-by: Henrique Matulis <hmatulis@google.com>
f2279c4 to
a95868d
Compare
| c.EC2SDConfig.AccessKey = c.AccessKey | ||
| } | ||
| if c.SecretKey != "" { | ||
| if !c.SecretKey.IsNil() { |
There was a problem hiding this comment.
| if !c.SecretKey.IsNil() { | |
| if !c.SecretKey.IsEmpty() { |
or
| if !c.SecretKey.IsNil() { | |
| if c.SecretKey.IsSet) { |
| IdentityEndpoint: s.Mock.Endpoint(), | ||
| ApplicationCredentialSecret: secrets.MockInline(""), |
There was a problem hiding this comment.
I'd vote to allow empty value and IsEmpty() on nil returning true and Value() returning empty string. Because we will likely forget to set it somewhere and then it's a bit annoying to have that extra verbose thing.
secrets: Add remote secrets providers
See the proposal here. This PR is currently a work in progress, demonstrating how user's would interact with the secrets management API
Which issue(s) does the PR fix:
Does this PR introduce a user-facing change?