feat(secrets): Add new secrets management package #797
Conversation
cf118e6 to 24ec0f7
694bf26 to ef24c3d
@pintohutch @bernot-dev @bwplotka PTAL, should be ready!
bwplotka
left a comment
Thanks, amazing work!
Generally, it's great - maybe the first big question is whether we want SecretField to store so much state or whether we want to move some of this state to the manager (and/or providers). This might be more composable and easier to reason about. Prometheus discovery is doing some of this. I mentioned one idea (A), 1 and 2, in comments.
However, it's not a blocker; even in the current state, I would say we could try this out on Prometheus (and someone might try it on the AM side!). What matters is that I see a clean YAML surface format, clean code, idiomatic struct reflection to find fields and a healthy amount of tests, so amazing! With this we can iterate.
No matter if you want to try (A) or skip it for now, I think I would try to check the following before merging:
- Limit the global variable spread (https://github.com/prometheus/common/pull/797/files#r2414525826)
- If we can skip validator and timeout based validator state per field, if it's YAGNI (see https://github.com/prometheus/common/pull/797/files#r2414536374)
- Use testable examples: https://github.com/prometheus/common/pull/797/files#r2414499436
Then I would like to review in more depth the manager code, but generally... we could start with this! 🎉 Thanks!
bwplotka
left a comment
Looks solid, thanks!
Still a few comments to address, but overall it looks close to being merged!
37e45e0 to 3abfb21
fedc743 to b3dc749
Pull request overview
Copilot reviewed 21 out of 21 changed files in this pull request and generated 10 comments.
```go
func (fp *fileProvider) FetchSecret(_ context.Context) (string, error) {
	content, err := os.ReadFile(fp.path)
	if err != nil {
		return "", err
	}
	return string(content), nil
```
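Review bot: `return string(content), nil` hands the file bytes back verbatim, so a secret file written by an editor or by `echo token > file` (both append a newline) yields a credential with a trailing `"\n"`; a caller that puts that in an `Authorization` header or a password field then fails in a way that is hard to diagnose. Consider trimming trailing newlines before returning, e.g. `return strings.TrimRight(string(content), "\r\n"), nil`, and documenting that behaviour on the provider. Separately, the `ctx` parameter is discarded (`_ context.Context`), so a cancelled or expired context is not honoured; a cheap `if err := ctx.Err(); err != nil { return "", err }` before the read would make the provider behave like the other context-taking providers.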
Copilot AI, Jan 5, 2026
The file content is read into memory as a string without any size limits. If a user mistakenly points to a very large file, this could consume excessive memory. Consider adding a reasonable size limit (e.g., a few MB) and returning an error if the file exceeds that limit to prevent potential denial of service through memory exhaustion.
2e49c81 to 07e1d69
Signed-off-by: Henrique Matulis <[email protected]>
This PR introduces a new package, secrets, to prometheus/common. This package provides a unified way to handle secrets within configuration files for Prometheus and its ecosystem components. It is designed to be extensible and observable. See the proposal here