discovery/stackit: use config.Secret for ServiceAccountKey and PrivateKey

Fixes GHSA-39j6-789q-qxvh

Signed-off-by: Julien Pivotto <291750+roidelapluie@users.noreply.github.com>

config/config_test.go

@@ -1579,8 +1579,10 @@ var expectedConf = &Config{
 			HTTPClientConfig: config.DefaultHTTPClientConfig,
 			ServiceDiscoveryConfigs: discovery.Configs{
 				&stackit.SDConfig{
-					Project: "11111111-1111-1111-1111-111111111111",
-					Region:  "eu01",
+					Project:           "11111111-1111-1111-1111-111111111111",
+					ServiceAccountKey: "mysecret_sa_key",
+					PrivateKey:        "mysecret_private_key",
+					Region:            "eu01",
 					HTTPClientConfig: config.HTTPClientConfig{
 						Authorization: &config.Authorization{
 							Type:        "Bearer",
@@ -2157,7 +2159,7 @@ func TestElideSecrets(t *testing.T) {
 	yamlConfig := string(config)
 
 	matches := secretRe.FindAllStringIndex(yamlConfig, -1)
-	require.Len(t, matches, 26, "wrong number of secret matches found")
+	require.Len(t, matches, 28, "wrong number of secret matches found")
 	require.NotContains(t, yamlConfig, "mysecret",
 		"yaml marshal reveals authentication credentials.")
 }

config/testdata/conf.good.yml

@@ -422,6 +422,8 @@ scrape_configs:
   - job_name: stackit-servers
     stackit_sd_configs:
       - project: 11111111-1111-1111-1111-111111111111
+        service_account_key: mysecret_sa_key
+        private_key: mysecret_private_key
         authorization:
           credentials: abcdef
 

discovery/stackit/server.go

@@ -90,8 +90,8 @@ func newServerDiscovery(conf *SDConfig, logger *slog.Logger) (*iaasDiscovery, er
 		Servers:    servers,
 		NoAuth:     conf.ServiceAccountKey == "" && conf.ServiceAccountKeyPath == "",
 
-		ServiceAccountKey:     conf.ServiceAccountKey,
-		PrivateKey:            conf.PrivateKey,
+		ServiceAccountKey:     string(conf.ServiceAccountKey),
+		PrivateKey:            string(conf.PrivateKey),
 		ServiceAccountKeyPath: conf.ServiceAccountKeyPath,
 		PrivateKeyPath:        conf.PrivateKeyPath,
 		CredentialsFilePath:   conf.CredentialsFilePath,

discovery/stackit/server_test.go

@@ -21,6 +21,7 @@ import (
 	"encoding/pem"
 	"testing"
 
+	"github.com/prometheus/common/config"
 	"github.com/prometheus/common/model"
 	"github.com/prometheus/common/promslog"
 	"github.com/stretchr/testify/require"
@@ -59,12 +60,12 @@ func TestServerSDRefresh(t *testing.T) {
 				require.NoError(t, err)
 
 				cfg := DefaultSDConfig
-				cfg.PrivateKey = string(pem.EncodeToMemory(&pem.Block{
+				cfg.PrivateKey = config.Secret(pem.EncodeToMemory(&pem.Block{
 					Type:  "RSA PRIVATE KEY",
 					Bytes: x509.MarshalPKCS1PrivateKey(key),
 				}))
 
-				cfg.ServiceAccountKey = `{
+				cfg.ServiceAccountKey = config.Secret(`{
   "Active": true,
   "CreatedAt": "2025-04-05T12:34:56Z",
   "Credentials": {
@@ -79,7 +80,7 @@ func TestServerSDRefresh(t *testing.T) {
   "KeyType": "USER_MANAGED",
   "PublicKey": "...",
   "ValidUntil": "2025-04-05T13:34:56Z"
-}`
+}`)
 
 				return cfg
 			}(),

discovery/stackit/stackit.go

@@ -65,8 +65,8 @@ type SDConfig struct {
 	Port                  int            `yaml:"port,omitempty"`
 	Region                string         `yaml:"region,omitempty"`
 	Endpoint              string         `yaml:"endpoint,omitempty"`
-	ServiceAccountKey     string         `yaml:"service_account_key,omitempty"`
-	PrivateKey            string         `yaml:"private_key,omitempty"`
+	ServiceAccountKey     config.Secret  `yaml:"service_account_key,omitempty"`
+	PrivateKey            config.Secret  `yaml:"private_key,omitempty"`
 	ServiceAccountKeyPath string         `yaml:"service_account_key_path,omitempty"`
 	PrivateKeyPath        string         `yaml:"private_key_path,omitempty"`
 	CredentialsFilePath   string         `yaml:"credentials_file_path,omitempty"`