From aa5927029e417d1efe7f201d60a500dafa1af90e Mon Sep 17 00:00:00 2001
From: Julien Pivotto <291750+roidelapluie@users.noreply.github.com>
Date: Fri, 8 May 2026 15:16:25 +0200
Subject: [PATCH] discovery/stackit: use config.Secret for ServiceAccountKey and PrivateKey

Fixes GHSA-39j6-789q-qxvh

Signed-off-by: Julien Pivotto <291750+roidelapluie@users.noreply.github.com>
---
 config/config_test.go | 8 +++++---
 config/testdata/conf.good.yml | 2 ++
 discovery/stackit/server.go | 4 ++--
 discovery/stackit/server_test.go | 7 ++++---
 discovery/stackit/stackit.go | 4 ++--
 5 files changed, 15 insertions(+), 10 deletions(-)

diff --git a/config/config_test.go b/config/config_test.go
index e5f1b98227..b364e09769 100644
--- a/config/config_test.go
+++ b/config/config_test.go
@@ -1579,8 +1579,10 @@ var expectedConf = &Config{
 HTTPClientConfig: config.DefaultHTTPClientConfig,
 ServiceDiscoveryConfigs: discovery.Configs{
 &stackit.SDConfig{
- Project: "11111111-1111-1111-1111-111111111111",
- Region: "eu01",
+ Project: "11111111-1111-1111-1111-111111111111",
+ ServiceAccountKey: "mysecret_sa_key",
+ PrivateKey: "mysecret_private_key",
+ Region: "eu01",
 HTTPClientConfig: config.HTTPClientConfig{
 Authorization: &config.Authorization{
 Type: "Bearer",
@@ -2157,7 +2159,7 @@ func TestElideSecrets(t *testing.T) {
 yamlConfig := string(config)
 matches := secretRe.FindAllStringIndex(yamlConfig, -1)
- require.Len(t, matches, 26, "wrong number of secret matches found")
+ require.Len(t, matches, 28, "wrong number of secret matches found")
 require.NotContains(t, yamlConfig, "mysecret", "yaml marshal reveals authentication credentials.")
 }
diff --git a/config/testdata/conf.good.yml b/config/testdata/conf.good.yml
index edc17201bf..a2f8459b24 100644
--- a/config/testdata/conf.good.yml
+++ b/config/testdata/conf.good.yml
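Review bot: The literal `28` in `require.Len(t, matches, 28, "wrong number of secret matches found")` has to be bumped by hand each time a field becomes config.Secret, and nothing on that line says where the number comes from, so the next contributor has to rediscover it by running the test. If the regex indeed counts one token per non-empty secret value in the fixture, a comment on that line keeps the bump honest: `// One <secret> token per non-empty secret value in testdata/conf.good.yml; adjust when adding one.` The `mysecret` prefix on the new fixture values in the first hunk is what lets the NotContains assertion on the following line catch a field that is not redacted, so that naming convention is worth keeping for future secret fields. TestElideSecrets starts outside the hunk.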
@@ -422,6 +422,8 @@ scrape_configs:
 - job_name: stackit-servers
 stackit_sd_configs:
 - project: 11111111-1111-1111-1111-111111111111
+ service_account_key: mysecret_sa_key
+ private_key: mysecret_private_key
 authorization:
 credentials: abcdef
diff --git a/discovery/stackit/server.go b/discovery/stackit/server.go
index 770ab761ed..c5d76393a5 100644
--- a/discovery/stackit/server.go
+++ b/discovery/stackit/server.go
@@ -90,8 +90,8 @@ func newServerDiscovery(conf *SDConfig, logger *slog.Logger) (*iaasDiscovery, er
 Servers: servers,
 NoAuth: conf.ServiceAccountKey == "" && conf.ServiceAccountKeyPath == "",
- ServiceAccountKey: conf.ServiceAccountKey,
- PrivateKey: conf.PrivateKey,
+ ServiceAccountKey: string(conf.ServiceAccountKey),
+ PrivateKey: string(conf.PrivateKey),
 ServiceAccountKeyPath: conf.ServiceAccountKeyPath,
 PrivateKeyPath: conf.PrivateKeyPath,
 CredentialsFilePath: conf.CredentialsFilePath,
diff --git a/discovery/stackit/server_test.go b/discovery/stackit/server_test.go
index afb9460851..3859c542de 100644
--- a/discovery/stackit/server_test.go
+++ b/discovery/stackit/server_test.go
@@ -21,6 +21,7 @@ import (
 "encoding/pem"
 "testing"
+ "github.com/prometheus/common/config"
 "github.com/prometheus/common/model"
 "github.com/prometheus/common/promslog"
 "github.com/stretchr/testify/require"
@@ -59,12 +60,12 @@ func TestServerSDRefresh(t *testing.T) {
 require.NoError(t, err)
 cfg := DefaultSDConfig
- cfg.PrivateKey = string(pem.EncodeToMemory(&pem.Block{
+ cfg.PrivateKey = config.Secret(pem.EncodeToMemory(&pem.Block{
 Type: "RSA PRIVATE KEY",
 Bytes: x509.MarshalPKCS1PrivateKey(key),
 }))
- cfg.ServiceAccountKey = `{
+ cfg.ServiceAccountKey = config.Secret(`{
 "Active": true,
 "CreatedAt": "2025-04-05T12:34:56Z",
 "Credentials": {
@@ -79,7 +80,7 @@ func TestServerSDRefresh(t *testing.T) {
 "KeyType": "USER_MANAGED",
 "PublicKey": "...",
 "ValidUntil": "2025-04-05T13:34:56Z"
-}`
+}`)
 return cfg
 }(),
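Review bot: `string(conf.ServiceAccountKey)` and `string(conf.PrivateKey)` in the server.go hunk hand the credentials back to the SDK as plain strings, so the redaction that config.Secret gives Prometheus' own YAML/JSON output ends on these two lines; any later logging or `%+v` dump of the SDK configuration struct would print the raw key material. That boundary deserves a comment on the first of the two lines: `// The SDK takes plain strings, so config.Secret's redaction ends here; never log or dump this configuration.` The `NoAuth` expression on the context line above keeps working without a change because a config.Secret compares directly with the untyped constant `""`. newServerDiscovery starts and ends outside the hunk, so whether the struct is logged further down cannot be confirmed from here.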
diff --git a/discovery/stackit/stackit.go b/discovery/stackit/stackit.go
index bae76c8897..fe5139429f 100644
--- a/discovery/stackit/stackit.go
+++ b/discovery/stackit/stackit.go
@@ -65,8 +65,8 @@ type SDConfig struct {
 Port int `yaml:"port,omitempty"`
 Region string `yaml:"region,omitempty"`
 Endpoint string `yaml:"endpoint,omitempty"`
- ServiceAccountKey string `yaml:"service_account_key,omitempty"`
- PrivateKey string `yaml:"private_key,omitempty"`
+ ServiceAccountKey config.Secret `yaml:"service_account_key,omitempty"`
+ PrivateKey config.Secret `yaml:"private_key,omitempty"`
 ServiceAccountKeyPath string `yaml:"service_account_key_path,omitempty"`
 PrivateKeyPath string `yaml:"private_key_path,omitempty"`
 CredentialsFilePath string `yaml:"credentials_file_path,omitempty"`
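Review bot: The retyped `ServiceAccountKey` and `PrivateKey` fields carry no doc comment, so nothing in SDConfig tells a future contributor that these two are redacted to `<secret>` when the config is marshalled while the sibling `*Path` fields stay plain string because they hold file paths rather than key material. Suggested comments on the two added lines: `// ServiceAccountKey is the inline service account key; config.Secret so it is redacted when the config is marshalled.` and `// PrivateKey is the inline private key; config.Secret so it is redacted when the config is marshalled.` As far as I recall config.Secret only redacts YAML and JSON marshalling and has no String method, so the values are still exposed through fmt verbs; that matters wherever SDConfig is printed. Changing the exported field type from string to config.Secret also breaks any external Go code that assigns these fields directly, which is the right trade-off for credentials but may deserve a changelog line. SDConfig begins outside the hunk.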