feat: pass secret store from API (#1179)

* feat: pass secret store from API

* fix: store the token in a file

* fix: use the URLEncoding

* fix: revert accidental change

* fix: use a colon for seperation

This is what the pending upstream change uses.

* chore: Update the gsm extension usage to pass a config file

* feat: use the -gsm prefixed bianry when secrets are enabled

Author: d0ugal

cmd/synthetic-monitoring-agent/main.go

@@ -33,6 +33,7 @@ import (
 	pusherV1 "github.com/grafana/synthetic-monitoring-agent/internal/pusher/v1"
 	pusherV2 "github.com/grafana/synthetic-monitoring-agent/internal/pusher/v2"
 	"github.com/grafana/synthetic-monitoring-agent/internal/scraper"
+	"github.com/grafana/synthetic-monitoring-agent/internal/secrets"
 	"github.com/grafana/synthetic-monitoring-agent/internal/telemetry"
 	"github.com/grafana/synthetic-monitoring-agent/internal/tenants"
 	"github.com/grafana/synthetic-monitoring-agent/internal/version"
@@ -288,6 +289,7 @@ func run(args []string, stdout io.Writer) error {
 
 	publisher := publisherFactory(ctx, tm, zl.With().Str("subsystem", "publisher").Str("version", config.SelectedPublisher).Logger(), promRegisterer)
 	limits := limits.NewTenantLimits(tm)
+	secrets := secrets.NewTenantSecrets(tm, zl.With().Str("subsystem", "secretstore").Logger())
 
 	telemetry := telemetry.NewTelemeter(
 		ctx, uuid.New().String(), time.Duration(config.TelemetryTimeSpan)*time.Minute,
@@ -308,6 +310,7 @@ func run(args []string, stdout io.Writer) error {
 		K6Runner:       k6Runner,
 		ScraperFactory: scraper.New,
 		TenantLimits:   limits,
+		TenantSecrets:  secrets,
 		Telemeter:      telemetry,
 	})
 	if err != nil {
@@ -327,6 +330,7 @@ func run(args []string, stdout io.Writer) error {
 		PromRegisterer: promRegisterer,
 		Features:       features,
 		K6Runner:       k6Runner,
+		TenantSecrets:  secrets,
 	})
 	if err != nil {
 		return fmt.Errorf("Cannot create ad-hoc checks handler: %w", err)

internal/adhoc/adhoc.go

@@ -8,6 +8,8 @@ import (
 	"io"
 	"time"
 
+	"github.com/grafana/synthetic-monitoring-agent/internal/secrets"
+
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/prometheus/prometheus/prompb"
 	"github.com/rs/zerolog"
@@ -107,6 +109,7 @@ type HandlerOpts struct {
 	PromRegisterer prometheus.Registerer
 	Features       feature.Collection
 	K6Runner       k6runner.Runner
+	TenantSecrets  *secrets.TenantSecrets
 
 	// these two fields exists so that tests can pass alternate
 	// implementations, they are unexported so that clients of this
@@ -139,7 +142,7 @@ func NewHandler(opts HandlerOpts) (*Handler, error) {
 		tenantCh:                     opts.TenantCh,
 		runnerFactory:                opts.runnerFactory,
 		grpcAdhocChecksClientFactory: opts.grpcAdhocChecksClientFactory,
-		proberFactory:                prober.NewProberFactory(opts.K6Runner, 0, opts.Features),
+		proberFactory:                prober.NewProberFactory(opts.K6Runner, 0, opts.Features, opts.TenantSecrets),
 		api: apiInfo{
 			conn: opts.Conn,
 		},

internal/checks/checks.go

@@ -29,6 +29,7 @@ import (
 	"github.com/grafana/synthetic-monitoring-agent/internal/model"
 	"github.com/grafana/synthetic-monitoring-agent/internal/pusher"
 	"github.com/grafana/synthetic-monitoring-agent/internal/scraper"
+	"github.com/grafana/synthetic-monitoring-agent/internal/secrets"
 	"github.com/grafana/synthetic-monitoring-agent/internal/telemetry"
 	"github.com/grafana/synthetic-monitoring-agent/internal/version"
 	"github.com/grafana/synthetic-monitoring-agent/pkg/pb/synthetic_monitoring"
@@ -79,6 +80,7 @@ type Updater struct {
 	k6Runner       k6runner.Runner
 	scraperFactory scraper.Factory
 	tenantLimits   *limits.TenantLimits
+	tenantSecrets  *secrets.TenantSecrets
 	telemeter      *telemetry.Telemeter
 }
 
@@ -114,6 +116,7 @@ type UpdaterOptions struct {
 	ScraperFactory scraper.Factory
 	TenantLimits   *limits.TenantLimits
 	Telemeter      *telemetry.Telemeter
+	TenantSecrets  *secrets.TenantSecrets
 }
 
 func NewUpdater(opts UpdaterOptions) (*Updater, error) {
@@ -235,6 +238,7 @@ func NewUpdater(opts UpdaterOptions) (*Updater, error) {
 		k6Runner:       opts.K6Runner,
 		scraperFactory: scraperFactory,
 		tenantLimits:   opts.TenantLimits,
+		tenantSecrets:  opts.TenantSecrets,
 		telemeter:      opts.Telemeter,
 		metrics: metrics{
 			changeErrorsCounter: changeErrorsCounter,
@@ -896,7 +900,7 @@ func (c *Updater) addAndStartScraperWithLock(ctx context.Context, check model.Ch
 		c.logger,
 		metrics,
 		c.k6Runner,
-		c.tenantLimits, c.telemeter,
+		c.tenantLimits, c.telemeter, c.tenantSecrets,
 	)
 	if err != nil {
 		return fmt.Errorf("cannot create new scraper: %w", err)

internal/checks/checks_test.go

@@ -8,6 +8,8 @@ import (
 	"testing"
 	"time"
 
+	"github.com/grafana/synthetic-monitoring-agent/internal/secrets"
+
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/prometheus/client_golang/prometheus/testutil"
 	"github.com/rs/zerolog"
@@ -471,6 +473,7 @@ func testScraperFactory(ctx context.Context, check model.Check, publisher pusher
 	k6Runner k6runner.Runner,
 	labelsLimiter scraper.LabelsLimiter,
 	telemeter *telemetry.Telemeter,
+	secretStore *secrets.TenantSecrets,
 ) (*scraper.Scraper, error) {
 	return scraper.NewWithOpts(
 		ctx,

internal/k6runner/k6runner.go

@@ -28,9 +28,21 @@ type Script struct {
 	Settings Settings `json:"settings"`
 	// CheckInfo holds information about the SM check that triggered this script.
 	CheckInfo CheckInfo `json:"check"`
+	// SecretStore holds the location and token for accessing secrets
+	SecretStore SecretStore `json:"secretStore"`
 	// TODO: Add features.
 }
 
+type SecretStore struct {
+	Url   string `json:"url"`
+	Token string `json:"token"`
+}
+
+// IsConfigured returns true if the SecretStore has both URL and token configured.
+func (s SecretStore) IsConfigured() bool {
+	return s.Url != "" && s.Token != ""
+}
+
 // Settings is a common representation of the fields common to all implementation-specific check settings that the
 // runners are interested about.
 type Settings struct {

internal/k6runner/local.go

@@ -4,6 +4,7 @@ import (
 	"bufio"
 	"bytes"
 	"context"
+	"encoding/json"
 	"errors"
 	"fmt"
 	"io"
@@ -16,6 +17,12 @@ import (
 	"github.com/spf13/afero"
 )
 
+// secretSourceConfig represents the configuration for the secrets store
+type secretSourceConfig struct {
+	URL   string `json:"url"`
+	Token string `json:"token"`
+}
+
 type Local struct {
 	k6path        string
 	logger        *zerolog.Logger
@@ -68,7 +75,18 @@ func (r Local) Run(ctx context.Context, script Script) (*RunResponse, error) {
 		return nil, fmt.Errorf("cannot write temporary script file: %w", err)
 	}
 
-	k6Path, err := exec.LookPath(r.k6path)
+	executable := r.k6path
+	// TODO(d0ugal): This is a short-term hack to use a different k6 binary when
+	// secrets are configured. This should be removed when the default binary has been updated
+	if script.SecretStore.IsConfigured() {
+		executable = r.k6path + "-gsm"
+		logger.Info().
+			Str("k6_path", r.k6path).
+			Str("k6_gsm_path", executable).
+			Msg("Using k6-gsm binary for secrets")
+	}
+
+	k6Path, err := exec.LookPath(executable)
 	if err != nil {
 		return nil, fmt.Errorf("cannot find k6 executable: %w", err)
 	}
@@ -77,37 +95,21 @@ func (r Local) Run(ctx context.Context, script Script) (*RunResponse, error) {
 	ctx, cancel = context.WithTimeout(ctx, checkTimeout)
 	defer cancel()
 
-	args := []string{
-		"run",
-		"--out", "sm=" + metricsFn,
-		"--log-format", "logfmt",
-		"--log-output", "file=" + logsFn,
-		"--max-redirects", "10",
-		"--batch", "10",
-		"--batch-per-host", "4",
-		"--no-connection-reuse",
-		"--blacklist-ip", r.blacklistedIP,
-		"--block-hostnames", "*.cluster.local", // TODO(mem): make this configurable
-		"--summary-time-unit", "s",
-		// "--discard-response-bodies",                        // TODO(mem): make this configurable
-		"--dns", "ttl=30s,select=random,policy=preferIPv4", // TODO(mem): this needs fixing, preferIPv4 is probably not what we want
-		"--address", "", // Disable REST API server
-		"--no-thresholds",
-		"--no-usage-report",
-		"--no-color",
-		"--no-summary",
-		"--verbose",
+	var configFile string
+	if script.SecretStore.IsConfigured() {
+		var cleanup func()
+		configFile, cleanup, err = createSecretConfigFile(script.SecretStore.Url, script.SecretStore.Token)
+		if err != nil {
+			return nil, fmt.Errorf("cannot create secret config file: %w", err)
+		}
+		defer cleanup()
 	}
 
-	if script.CheckInfo.Type != synthetic_monitoring.CheckTypeBrowser.String() {
-		args = append(args,
-			"--vus", "1",
-			"--iterations", "1",
-		)
+	args, err := r.buildK6Args(script, metricsFn, logsFn, scriptFn, configFile)
+	if err != nil {
+		return nil, fmt.Errorf("building k6 arguments: %w", err)
 	}
 
-	args = append(args, scriptFn)
-
 	cmd := exec.CommandContext(
 		ctx,
 		k6Path,
@@ -187,6 +189,46 @@ func (r Local) Run(ctx context.Context, script Script) (*RunResponse, error) {
 	return &RunResponse{Metrics: metrics.Bytes(), Logs: logs.Bytes()}, errors.Join(err, errorFromLogs(logs.Bytes()))
 }
 
+func (r Local) buildK6Args(script Script, metricsFn, logsFn, scriptFn, configFile string) ([]string, error) {
+	args := []string{
+		"run",
+		"--out", "sm=" + metricsFn,
+		"--log-format", "logfmt",
+		"--log-output", "file=" + logsFn,
+		"--max-redirects", "10",
+		"--batch", "10",
+		"--batch-per-host", "4",
+		"--no-connection-reuse",
+		"--blacklist-ip", r.blacklistedIP,
+		"--block-hostnames", "*.cluster.local", // TODO(mem): make this configurable
+		"--summary-time-unit", "s",
+		// "--discard-response-bodies",                        // TODO(mem): make this configurable
+		"--dns", "ttl=30s,select=random,policy=preferIPv4", // TODO(mem): this needs fixing, preferIPv4 is probably not what we want
+		"--address", "", // Disable REST API server
+		"--no-thresholds",
+		"--no-usage-report",
+		"--no-color",
+		"--no-summary",
+		"--verbose",
+	}
+
+	// Add secretStore configuration if available
+	if script.SecretStore.IsConfigured() {
+		args = append(args, "--secret-source", "grafanasecrets=config="+configFile)
+	}
+
+	if script.CheckInfo.Type != synthetic_monitoring.CheckTypeBrowser.String() {
+		args = append(args,
+			"--vus", "1",
+			"--iterations", "1",
+		)
+	}
+
+	args = append(args, scriptFn)
+
+	return args, nil
+}
+
 func mktemp(fs afero.Fs, dir, pattern string) (string, error) {
 	f, err := afero.TempFile(fs, dir, pattern)
 	if err != nil {
@@ -262,3 +304,39 @@ func readFileLimit(f afero.Fs, name string, limit int64) (*bytes.Buffer, bool, e
 
 	return buf, true, nil
 }
+
+// createSecretConfigFile creates a JSON config file with the given secret store URL and token
+func createSecretConfigFile(url, token string) (filename string, cleanup func(), err error) {
+	tmpFile, err := os.CreateTemp("", "k6-secrets-*.json")
+	if err != nil {
+		return "", nil, fmt.Errorf("creating temp file: %w", err)
+	}
+
+	if err := os.Chmod(tmpFile.Name(), 0600); err != nil {
+		os.Remove(tmpFile.Name())
+		return "", nil, fmt.Errorf("setting file permissions: %w", err)
+	}
+
+	config := secretSourceConfig{
+		URL:   url,
+		Token: token,
+	}
+
+	configData, err := json.Marshal(config)
+	if err != nil {
+		os.Remove(tmpFile.Name())
+		return "", nil, fmt.Errorf("marshaling config to JSON: %w", err)
+	}
+
+	if _, err := tmpFile.Write(configData); err != nil {
+		os.Remove(tmpFile.Name())
+		return "", nil, fmt.Errorf("writing config file: %w", err)
+	}
+
+	if err := tmpFile.Close(); err != nil {
+		os.Remove(tmpFile.Name())
+		return "", nil, fmt.Errorf("closing config file: %w", err)
+	}
+
+	return tmpFile.Name(), func() { os.Remove(tmpFile.Name()) }, nil
+}