Secrets Source extensions

[mstoykov]

What?

Implement a way to get secrets from extensible sources and hide them in logs.

This is implementation proposal for #3207

Public API

Configuration

new cli flag --secret-source to add a secret source to k6.

Which takes a secret source name, and identifier and additional configuration.
--secret-source=sourcename=identifier,option1=value1,option2=value2

JS API

(the exist import is under consideration)

import { secrets } from k6;  
  
export default () => {  
    const my_secret = secrets.get("my_secret"); // get from 1 secret source if only 1, exception if more than 1 secret source or if no secret sources
    console.log(my_secret);  
}

import { secrets } from k6;  
  
export default () => {  
    const my_secret = secrets.source("identifier").get("my_secret"); // get secret from a source with the provided identifier
    console.log(my_secret);
}

No other functionality is currently planned.

Go implementation details

Pluggable similar to output and js extensions. With minimal configuration.

Centralized log sanitization - k6 will see each secret passing and will start sanitizing logs for those values it has seen. This does mean that secret sources have less responsibilities and it is less likely for bugs.

Built in sources:

File based on

This is mostly for ease of use for development, but it just reads a text file with key=value pairs

REST API based on

For now very simple one with a url + headers, potentially with templating for the key of the secret requests. Potentially other options later