feat: add secrets management

[hsmatulis]

secrets: Add remote secrets providers

See the proposal here. This PR is currently a work in progress, demonstrating how user's would interact with the secrets management API

Which issue(s) does the PR fix:

• Fixes Generally enable reading secrets from files #8551
• Related to Proposal: allow alert manager to read from secret resources alertmanager#3108
• Related to Add secret provider interface under feature flag #13955
• Related to Use Reader interface to read TLS keys and certs exporter-toolkit#141
• Related to Proposal: allow prometheus to read secrets from secret providers #11477
• Fixes How to encrypt basic_auth password/password_file in prometheus.yml file? #5795

Does this PR introduce a user-facing change?

[FEATURE] This introduces the "secret providers" core library for Prometheus, which will later enable fetching secrets from external systems. The config format will allow specifying a provider and its parameters to any `<secret>` fields.

[bwplotka]

This is good! Super minimal change surface.

I'd actually iterate over this PR and make this ready to be merged once common change is merged. We could double check all tests etc. 💪🏽

There are definitely some tests to fix, but it might be as trivial as adding (f *Field) Equals(other Field) bool so comparisons work correctly (they don't depend on state):

[bwplotka]

It probably needs its own context.

[bwplotka]

Suggested change

	var (
	secretsManager *secrets.Manager
	)
	// needs logger: logger.With("component", "secrets manager")
	secretsManager, err = secrets.NewManager(context.Background(), prometheus.DefaultRegisterer, secrets.Providers, cfgFile)
	// TODO: Pass logger.With("component", "secrets manager")
	secretsManager, err := secrets.NewManager(context.Background(), prometheus.DefaultRegisterer, secrets.Providers, cfgFile)

[bwplotka]

We could probably DRY this g.Add with something like

// before loop
reload = func()error { 
  return reloadConfig(cfg.configFile, cfg.tsdb.EnableExemplarStorage, logger, noStepSubqueryInterval, callback, reloaders...),
}
// ...
						if err := reload(); err != nil {

[bwplotka]

Maybe we could work on this name. Reminds me to grab a cup of water though! (:

Maybe:

Suggested change

	if err := secretsManager.HydrateConfig(nil, conf); err != nil {
	if err := secretsManager.ReloadConfig(context.TODO(), conf); err != nil {

[bwplotka]

Nice, easy use 👍🏽

Let's remove and iterate over this PR to be effectively testable and potentially mergable once common change is done, looks promising!

[bwplotka]

Although your other examples use *secrets.Field (pointer)?

[bwplotka]

For release log, keep in mind this is for user facing changes (e.g. user of Prometheus YAML). I would mention what user can expect (generic field and removal of ref).

I'd recommend:

[FEATURE] config: All secret fields e.g. `scrape[].basic_auth.password` supports now "generic" format.  This means users are able to specify in `password` either inlined secret as previously or one from certain provider. Currently only `inline` and `file` providers are supported, with more to come. Old `password_field`-like fields are still supported although discouraged. This change also removes the undocumented `password_ref`-like fields which were unused. See [documentation](TODO) and [PROM-47](https://github.com/prometheus/proposals/blob/main/proposals/0047-secret_providers.md) for details.

[bwplotka]

Exciting feature! We even plan to mention it on KubeCon EU in March if that's ok (: cc @hsmatulis

Hopefully it's done until then 💪🏽

[bwplotka]

Relates to:

• feat(secrets): Add new secrets management package common#797
• In progress proof of concept using secret library hsmatulis/prom-common#1