
Encrypting a Secret String in a Prometheus YAML file


I am using OAuth2.0 in this Prometheus YAML file, and don't want to expose the client_secret directly in the file. Does anybody know how to encrypt another file with the client secret (client_secret_file) so that Prometheus can decrypt and use it?

global:
  scrape_interval: 15s
  evaluation_interval: 15s

alerting:
  alertmanagers:
    - static_configs:
        - targets: []

rule_files: []

scrape_configs:
  - job_name: "prometheus"
    metrics_path: "/actuator/prometheus"
    static_configs:
      - targets: ["localhost:8080"]
    oauth2:
      client_id: ""
      client_secret_file: ""
      scopes: []
      token_url: ""

Solution

  • IIUC, the solution is to use client_secret_file instead of client_secret.

    While client_secret includes the secret directly in the Prometheus config, client_secret_file is a file reference to the secret; it doesn't disclose the secret to a viewer of the file, and the file should not be checked into e.g. source control.

    To my knowledge, there's no way to encrypt arbitrary sections of the Prometheus config.
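
Following the answer's approach, the secret is protected by file permissions rather than encryption. The sketch below is an added example, not part of the original post or of Prometheus: `install_secret` and `audit_config` are hypothetical helper names, the audit is a line-based scan rather than a YAML parser, and it assumes relative paths are resolved against the config file's directory.

```sh
#!/bin/sh
# Added example, not from the original post. Function names are assumptions.

# install_secret DEST: read the secret from stdin (so it never appears in
# argv or shell history) and write it to DEST readable by the owner only.
install_secret() {
    dest=$1
    tmp=$(mktemp "${dest}.XXXXXX") || return 1   # mktemp creates the file 0600
    if cat > "$tmp" && chmod 600 "$tmp" && mv -f "$tmp" "$dest"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# audit_config CFG: succeed only if CFG has no non-empty inline client_secret
# and every client_secret_file it names exists with no group/other access.
audit_config() {
    cfg=$1
    rc=0
    if sed -n 's/^[[:space:]]*client_secret:[[:space:]]*//p' "$cfg" |
       tr -d "\"'" | grep -q '[^[:space:]]'; then
        echo "FAIL: inline client_secret in $cfg" >&2
        rc=1
    fi
    sed -n 's/^[[:space:]]*client_secret_file:[[:space:]]*//p' "$cfg" |
    tr -d "\"'" | (
        bad=0
        while IFS= read -r f; do
            # Assumption: relative paths are relative to the config's directory.
            case $f in /*) ;; *) f=$(dirname "$cfg")/$f ;; esac
            if [ ! -f "$f" ]; then
                echo "FAIL: secret file missing: $f" >&2; bad=1
            elif [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
                echo "FAIL: $f is accessible to group/other" >&2; bad=1
            fi
        done
        exit "$bad"
    ) || rc=1
    return "$rc"
}
```

Run `install_secret` as the account that runs Prometheus so the file ends up owned by it, and run `audit_config` in CI or before a reload to catch a secret pasted back into the config.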