Open
Feature Description
k6 currently supports secrets through various secret sources (e.g., cli, files), but lacks a flexible HTTP/URL-based secret source that can fetch secrets from generic HTTP endpoints. This capability is needed for two primary reasons:
- k6-cloud integration: The k6 Cloud platform needs to support a secrets feature that allows users to securely fetch secrets at runtime from the Grafana Secrets Manager service. The synthetic monitoring team has developed an extension for similar purposes, but it cannot be reused in this context due to architectural constraints and different requirements.
- OSS User Value: By implementing this as a built-in secret source rather than requiring custom tweaks or workarounds, we provide immediate value to open-source users who want to integrate k6 with their existing REST APIs that provide secrets without needing to build custom extensions.
Suggested Solution (optional)
Implement a built-in url secret source that fetches secrets from HTTP endpoints with the following capabilities.
Core Features:
- URL Template Pattern: Support {key} placeholder in URLs (e.g., https://api.example.com/secrets/{key})
- Configurable HTTP Method: Support GET, POST, etc.
- Custom Headers: Allow Authorization and other headers for authentication
- JSON Path Extraction: Extract secret values from nested JSON responses using dot notation (e.g., data.value)
- Rate Limiting: Built-in rate limiting (default 300 req/min with burst of 10) to prevent overwhelming secret APIs
- Configurable Timeouts: Allow users to set appropriate timeout values
Configuration Format (JSON file):
    {
      "urlTemplate": "https://api.example.com/secrets/{key}/decrypt",
      "method": "GET",
      "headers": {
        "Authorization": "Bearer YOUR_API_TOKEN"
      },
      "responsePath": "value",
      "requestsPerMinuteLimit": 300,
      "requestsBurst": 10,
      "timeoutSeconds": 30
    }
Usage Example:
k6 run --secrets url=config=/path/to/url-config.json script.js
Implementation Details:
- Location: internal/secretsource/url/ package
- Register as a secret source extension using existing secretsource.RegisterExtension API
- Use standard net/http client with timeout and context support
- Implement rate limiting with golang.org/x/time/rate limiter
- Support for multiple secret management service response formats through responsePath configuration
A proof-of-concept has been developed in the add-url-secret-source branch, demonstrating the feasibility of this approach.
Already existing or connected issues / PRs (optional)
- Branch: add-url-secret-source (contains POC implementation)
- Related files:
  - internal/secretsource/url/url.go - Core implementation
  - examples/secrets/url-config.json - Basic example
  - examples/secrets/url-gsm-config.json - GCP Secret Manager example
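
A sketch of the two pieces of the proposal where untrusted input meets the request and the response: `{key}` substitution in `urlTemplate` and dot-notation `responsePath` extraction. This is an added example, not code from the add-url-secret-source branch; the function names `BuildURL` and `ExtractPath`, the rejection of `.`/`..` keys, and the https-only rule are assumptions made here.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// BuildURL fills {key}, path-escaping it so "/", "?" or "#" cannot retarget the request.
func BuildURL(urlTemplate, key string) (string, error) {
	if key == "" || key == "." || key == ".." || !strings.Contains(urlTemplate, "{key}") {
		return "", errors.New("invalid key or template without {key}")
	}
	u, err := url.Parse(strings.ReplaceAll(urlTemplate, "{key}", url.PathEscape(key)))
	if err != nil || u.Scheme != "https" { // assumption: secrets only travel over TLS
		return "", errors.New("unparsable URL or non-https scheme")
	}
	return u.String(), nil
}

// ExtractPath walks a dot-notation responsePath (e.g. "data.value") through a JSON object.
func ExtractPath(body []byte, responsePath string) (string, error) {
	var cur any
	if err := json.Unmarshal(body, &cur); err != nil {
		return "", err
	}
	for _, part := range strings.Split(responsePath, ".") {
		obj, ok := cur.(map[string]any)
		if !ok {
			return "", fmt.Errorf("%q: parent is not an object", part)
		}
		if cur, ok = obj[part]; !ok {
			return "", fmt.Errorf("field %q not found", part)
		}
	}
	s, ok := cur.(string)
	if !ok {
		return "", errors.New("value at responsePath is not a string")
	}
	return s, nil
}

func main() {
	u, _ := BuildURL("https://api.example.com/secrets/{key}/decrypt", "db/pass")
	v, _ := ExtractPath([]byte(`{"data":{"value":"s3cr3t"}}`), "data.value") // constructed response
	fmt.Println(u, v)
}
```

The error strings name only the path segment that failed, never the response body, so a malformed response does not leak secret material into logs.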