Skip to content

Secrets Source extensions #4139

New issue
New issue
Closed
Feature
#4514
Closed
Secrets Source extensions#4139
Feature
#4514
Assignees
mstoykov
@mstoykov

Description

@mstoykov
mstoykov
opened on Dec 19, 2024

What?

Implement a way to get secrets from extensible sources and hide them in logs.

This is implementation proposal for #3207

Public API

Configuration

new cli flag --secret-source to add a secret source to k6.

Which takes a secret source name, and identifier and additional configuration.
--secret-source=sourcename=identifier,option1=value1,option2=value2

JS API

(the exist import is under consideration)

import secrets from "k6/secrets";  
  
export default async () => {  
    const my_secret = await secrets.get("my_secret"); // get from 1 secret source if only 1, exception if more than 1 secret source or if no secret sources
    console.log(my_secret);  
}
import secrets from "k6/secrets";  
  
export default async () => {  
    const my_secret = await secrets.source("identifier").get("my_secret"); // get secret from a source with the provided identifier
    console.log(my_secret);
}

No other functionality is currently planned.

Go implementation details

Pluggable similar to output and js extensions. With minimal configuration.

Centralized log sanitization - k6 will see each secret passing and will start sanitizing logs for those values it has seen. This does mean that secret sources have less responsibilities and it is less likely for bugs.

Built in sources:

File based on

This is mostly for ease of use for development, but it just reads a text file with key=value pairs

REST API based on

For now very simple one with a url + headers, potentially with templating for the key of the secret requests. Potentially other options later

Metadata

Metadata

Assignees

Labels

No labels
No labels

Type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions