Skip to content

Comments

proposal: Support secret providers#47

Merged
ArthurSens merged 10 commits intoprometheus:mainfrom
hsmatulis:secret-providers
May 7, 2025
Merged

proposal: Support secret providers#47
ArthurSens merged 10 commits intoprometheus:mainfrom
hsmatulis:secret-providers

Conversation

@hsmatulis
Copy link
Contributor

@hsmatulis hsmatulis commented Feb 24, 2025

This PR adds a proposal to support specifying secrets through secret providers.

TL;DR from doc

TL;DR: This document proposes adding a new way for Prometheus to discover and use secrets from various secret providers, similar to how service discovery works. It introduces a new configuration section where users can specify different secret providers and their configurations. It also defines interfaces and methods for secret providers to implement, allowing for flexibility in how secrets are fetched and managed.

@hsmatulis
Initial draft of proposal
45d10a3 
Signed-off-by: Henrique Spanoudis Matulis <hmatulis@google.com>
bwplotka
bwplotka reviewed Feb 24, 2025
View reviewed changes
bwplotka
bwplotka reviewed Feb 24, 2025
View reviewed changes
Copy link
Member

@bwplotka bwplotka left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great progress thanks!

rajagopalanand
rajagopalanand reviewed Feb 26, 2025
View reviewed changes
rapphil
rapphil reviewed Feb 28, 2025
View reviewed changes
@hsmatulis
New draft
55e0f18 
Signed-off-by: Henrique Spanoudis Matulis <hmatulis@google.com>
@hsmatulis
Fix spacing
d344204 
Signed-off-by: Henrique Spanoudis Matulis <hmatulis@google.com>
rapphil
rapphil reviewed Mar 18, 2025
View reviewed changes
rapphil
rapphil reviewed Mar 19, 2025
View reviewed changes
@hsmatulis
Add changes from discussionn
296a135 
Signed-off-by: Henrique Spanoudis Matulis <hmatulis@google.com>
rapphil
rapphil reviewed Mar 28, 2025
View reviewed changes
@hsmatulis
Reply to comments
ca962cc 
Signed-off-by: Henrique Spanoudis Matulis <hmatulis@google.com>
rapphil
rapphil reviewed Mar 28, 2025
View reviewed changes
@hsmatulis
Reply to comments
a8b43ab 
Signed-off-by: Henrique Spanoudis Matulis <hmatulis@google.com>
@rapphil
Copy link

rapphil commented Mar 31, 2025

LGTM. can you just update the description of the pull request for posteriority.

rajagopalanand
rajagopalanand reviewed Apr 1, 2025
View reviewed changes
Copy link

@rajagopalanand rajagopalanand left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

bwplotka
bwplotka approved these changes Apr 1, 2025
View reviewed changes
Copy link
Member

@bwplotka bwplotka left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM generally! Just last nit noted by @rajagopalanand and good to go IMO!

Approving from my side, but I will ask around for a second Prometheus maintainer to have another look

machine424
machine424 reviewed Apr 7, 2025
View reviewed changes
dgl
dgl reviewed Apr 14, 2025
View reviewed changes
ArthurSens
ArthurSens reviewed Apr 14, 2025
View reviewed changes
Copy link
Member

@ArthurSens ArthurSens left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks pretty solid :) I just had some small questions

bwplotka
bwplotka reviewed Apr 16, 2025
View reviewed changes
bwplotka
bwplotka reviewed Apr 16, 2025
View reviewed changes
Copy link
Member

@bwplotka bwplotka left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Amazing feedback and discussion in https://github.com/prometheus/proposals/pull/47/files#r2041335383

Should we update the proposal with the mentioned alternatives considered?

What do you think is the reasonable solution from this discussion? I see the potential for changing proposal slightly to support the following (for consistency with SD):

password: "<inlined secret>"
password:
  kubernetes:
    namespace: "<ns>"
    name: "<secret name>"
    key: "<data's key for secret name>"
password:
  file:
    path: "<path to secret file>"

@rajagopalanand
Copy link

rajagopalanand commented Apr 23, 2025
edited
Loading

I vote for changing the proposal to be consistent with SD

@hsmatulis
Add section on secret rotation
0864090 
Signed-off-by: Henrique Spanoudis Matulis <hmatulis@google.com>
@hsmatulis hsmatulis force-pushed the secret-providers branch 4 times, most recently from 535a36e to 9891e9c Compare April 23, 2025 08:38
@hsmatulis hsmatulis force-pushed the secret-providers branch 2 times, most recently from d726925 to b918d59 Compare April 23, 2025 08:42
saswatamcode
saswatamcode reviewed Apr 23, 2025
View reviewed changes
@hsmatulis
Reply to comments
ec70387 
Signed-off-by: Henrique Spanoudis Matulis <hmatulis@google.com>
@hsmatulis
Add Secret Refresh and Caching section
fb37c95 
Signed-off-by: Henrique Spanoudis Matulis <hmatulis@google.com>
saswatamcode
saswatamcode approved these changes Apr 23, 2025
View reviewed changes
Copy link
Member

@saswatamcode saswatamcode left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! Excited to see this in action. :)

@hsmatulis
Copy link
Contributor Author

hsmatulis commented Apr 23, 2025

I changed the config style to be more consistent with SD in the proposal. Thanks everyone for all the feedback, and feel free to reach out on the prometheus slack if you have any feedback or ideas. I am working on an implementation for the proposal:)

bwplotka
bwplotka approved these changes Apr 23, 2025
View reviewed changes
Copy link
Member

@bwplotka bwplotka left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! @dgl @machine424 -- are you ok to merge? 🤗

dgl
dgl approved these changes Apr 23, 2025
View reviewed changes
machine424
machine424 approved these changes Apr 23, 2025
View reviewed changes
Copy link
Member

@machine424 machine424 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm, thanks!

ArthurSens
ArthurSens approved these changes Apr 23, 2025
View reviewed changes
Copy link
Member

@ArthurSens ArthurSens left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, one last question :)

rapphil
rapphil reviewed Apr 23, 2025
View reviewed changes
rapphil
rapphil reviewed Apr 23, 2025
View reviewed changes
rapphil
rapphil reviewed Apr 23, 2025
View reviewed changes
rapphil
rapphil reviewed Apr 23, 2025
View reviewed changes
rapphil
rapphil reviewed Apr 23, 2025
View reviewed changes
@hsmatulis
Reply to comments
774c23d 
Signed-off-by: Henrique Spanoudis Matulis <hmatulis@google.com>
ArthurSens
ArthurSens approved these changes May 2, 2025
View reviewed changes
Copy link
Member

@ArthurSens ArthurSens left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for workin on the proposal, I'm merging as soon as you tell me you're satisfied :)

@hsmatulis
Copy link
Contributor Author

hsmatulis commented May 2, 2025

I think I am ready to merge it, thanks everyone!

@ArthurSens ArthurSens merged commit 1592414 into prometheus:main May 7, 2025
2 checks passed
roidelapluie pushed a commit to roidelapluie/proposals that referenced this pull request Jun 10, 2025
@hsmatulis @roidelapluie
Merge pull request prometheus#47 from hsmatulis/secret-providers
b048f5b 
proposal: Support secret providers
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dgl dgl dgl approved these changes

@sysadmind sysadmind sysadmind approved these changes

@bwplotka bwplotka bwplotka approved these changes

@machine424 machine424 machine424 approved these changes

@ArthurSens ArthurSens ArthurSens approved these changes

@saswatamcode saswatamcode saswatamcode approved these changes

+3 more reviewers

@yeya24 yeya24 yeya24 left review comments

@rajagopalanand rajagopalanand rajagopalanand approved these changes

@rapphil rapphil rapphil approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

10 participants

@hsmatulis @rapphil @rajagopalanand @dgl @sysadmind @bwplotka @machine424 @ArthurSens @yeya24 @saswatamcode