[feat] Add URL-based secret-source

[vortegatorres]

What?

Implements #5412. Adds a new url secret-source that fetches secrets from HTTP endpoints. This allows k6 to retrieve secrets from any HTTP-based secret management service using configurable URL templates.

Why?

• k6 Cloud: Enables the secrets feature for k6 Cloud without requiring custom extensions
• OSS Users: Provides native integration with HTTP-based secret management systems

Checklist

• I have performed a self-review of my code.
• I have commented on my code, particularly in hard-to-understand areas.
• I have added tests for my changes.
• I have run linter and tests locally (make check) and all pass.

Checklist: Documentation (only for k6 maintainers and if relevant)

Please do not merge this PR until the following items are filled out.

• I have added the correct milestone and labels to the PR.
• I have updated the release notes: link
• I have updated or added an issue to the k6-documentation: grafana/k6-docs#NUMBER if applicable
• I have updated or added an issue to the TypeScript definitions: grafana/k6-DefinitelyTyped#NUMBER if applicable

Related PR(s)/Issue(s)

https://github.com/grafana/k6-cloud/issues/4038

Closes #5412

[vortegatorres]

Test:

• Given this mock server:

package main

import (
	"encoding/json"
	"fmt"
	"log"
	"net/http"
	"strings"
)

// Response structure matching GSM API format
type secretResponse struct {
	Plaintext string `json:"plaintext"`
	Name      string `json:"name"`
}

// Mock secret store - in real GSM, these would be encrypted secrets
var mockSecrets = map[string]string{
	"api-key":        "super-secret-api-key-12345",
	"database-pass":  "db-password-xyz789",
	"jwt-secret":     "jwt-signing-key-abc123",
	"stripe-key":     "sk_test_mock_stripe_key",
	"github-token":   "ghp_mock_github_token_12345",
	"test-secret":    "this-is-a-test-secret",
	"my-secret":      "my-secret-value",
	"another-secret": "another-secret-value",
}

func main() {
	mux := http.NewServeMux()

	// Handle secret decryption requests
	mux.HandleFunc("/secrets/", handleSecretRequest)

	// Health check endpoint
	mux.HandleFunc("/health", func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
		_, _ = w.Write([]byte(`{"status":"healthy"}`))
	})

	addr := ":8888"
	log.Printf("Starting mock GSM server on %s", addr)
	log.Printf("Available secrets: %v", getSecretKeys())
	log.Printf("Expected Authorization header: Bearer YOUR_GSM_TOKEN_HERE")
	log.Println()
	log.Println("Example curl command:")
	log.Println(`  curl -H "Authorization: Bearer YOUR_GSM_TOKEN_HERE" http://localhost:8888/secrets/api-key/decrypt`)

	if err := http.ListenAndServe(addr, mux); err != nil {
		log.Fatalf("Server failed to start: %v", err)
	}
}

func handleSecretRequest(w http.ResponseWriter, r *http.Request) {
	// Log incoming request
	log.Printf("%s %s from %s", r.Method, r.URL.Path, r.RemoteAddr)

	// Check HTTP method
	if r.Method != http.MethodGet {
		log.Printf("  ❌ Invalid method: %s", r.Method)
		http.Error(w, `{"error":"method not allowed"}`, http.StatusMethodNotAllowed)
		return
	}

	// Check Authorization header
	authHeader := r.Header.Get("Authorization")
	if authHeader == "" {
		log.Println("  ❌ Missing Authorization header")
		w.Header().Set("Content-Type", "application/json")
		w.WriteHeader(http.StatusUnauthorized)
		_, _ = w.Write([]byte(`{"error":"missing authorization header"}`))
		return
	}

	// Validate Bearer token
	expectedToken := "Bearer YOUR_GSM_TOKEN_HERE"
	if authHeader != expectedToken {
		log.Printf("  ❌ Invalid token: %s", authHeader)
		w.Header().Set("Content-Type", "application/json")
		w.WriteHeader(http.StatusUnauthorized)
		_, _ = w.Write([]byte(`{"error":"invalid authorization token"}`))
		return
	}

	// Extract secret key from URL path
	// Expected format: /secrets/{key}/decrypt
	path := strings.TrimPrefix(r.URL.Path, "/secrets/")
	path = strings.TrimSuffix(path, "/decrypt")

	if path == "" || path == r.URL.Path {
		log.Println("  ❌ Invalid path format")
		w.Header().Set("Content-Type", "application/json")
		w.WriteHeader(http.StatusBadRequest)
		_, _ = w.Write([]byte(`{"error":"invalid path format, expected /secrets/{key}/decrypt"}`))
		return
	}

	secretKey := path

	// Look up secret
	secretValue, exists := mockSecrets[secretKey]
	if !exists {
		log.Printf("  ❌ Secret not found: %s", secretKey)
		w.Header().Set("Content-Type", "application/json")
		w.WriteHeader(http.StatusNotFound)
		_, _ = w.Write([]byte(fmt.Sprintf(`{"error":"secret %q not found"}`, secretKey)))
		return
	}

	// Build response
	response := secretResponse{
		Plaintext: secretValue,
		Name:      fmt.Sprintf("projects/test-project/secrets/%s", secretKey),
	}

	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(http.StatusOK)

	if err := json.NewEncoder(w).Encode(response); err != nil {
		log.Printf("  ❌ Failed to encode response: %v", err)
		return
	}

	log.Printf("  ✅ Returned secret: %s (length: %d)", secretKey, len(secretValue))
}

func getSecretKeys() []string {
	keys := make([]string, 0, len(mockSecrets))
	for k := range mockSecrets {
		keys = append(keys, k)
	}
	return keys
}

• And this configuration:

{
  "urlTemplate": "http://localhost:8888/secrets/{key}/decrypt",
  "method": "GET",
  "headers": {
    "Authorization": "Bearer YOUR_GSM_TOKEN_HERE"
  },
  "responsePath": "plaintext",
  "requestsPerMinuteLimit": 300,
  "requestsBurst": 10,
  "timeoutSeconds": 30
}

• And this k6 script:

import secrets from 'k6/secrets';

export default async () => {
  console.log('Fetching secret from URL source...');
  const my_secret = await secrets.get('api-key');
  console.log(my_secret == "super-secret-api-key-12345");
};

• It worked 🚀

./k6 run --secret-source=url=config=examples/secrets/url-gsm-local.json examples/secrets/url-test.js

         /\      Grafana   /‾‾/  
    /\  /  \     |\  __   /  /   
   /  \/    \    | |/ /  /   ‾‾\ 
  /          \   |   (  |  (‾)  |
 / __________ \  |_|\_\  \_____/ 

     execution: local
        script: examples/secrets/url-test.js
        output: -

     scenarios: (100.00%) 1 scenario, 1 max VUs, 10m30s max duration (incl. graceful stop):
              * default: 1 iterations for each of 1 VUs (maxDuration: 10m0s, gracefulStop: 30s)

INFO[0000] Fetching secret from URL source...            source=console
INFO[0000] true                                          source=console


  █ TOTAL RESULTS 

    EXECUTION
    iteration_duration...: avg=7.22ms min=7.22ms med=7.22ms max=7.22ms p(90)=7.22ms p(95)=7.22ms
    iterations...........: 1   127.469726/s

    NETWORK
    data_received........: 0 B 0 B/s
    data_sent............: 0 B 0 B/s




running (00m00.0s), 0/1 VUs, 1 complete and 0 interrupted iterations
default ✓ [======================================] 1 VUs  00m00.0s/10m0s  1/1 iters, 1 per VU

[oleiade]

I'm reviewing this, but added you @mstoykov as a reviewer too, as I really want your eyes on this 🙇🏻

[ankur22]

LGTM 🚀 I don't have the full context of the changes, but from I can see and the issue description it makes sense with this approach.

[ankur22]

Is there a plan to retry server errors? At the moment the iteration will fail when it sees a 5xx, subsequent iterations might pass though if the error is temporary. I guess with retries, the issue is that it will affect the timings of the iteration.

[vortegatorres]

Thanks, I added retries in d625ce9

[vortegatorres]

@vortegatorres Can we maybe have the mock server as a submodule, as we do for the grpc examples. I do remember there were some lint problems, we can fix.

Also maybe you can rebase and squash the commits at this point as I see yopu had some renovate.json changes that shouldn't be here

@mstoykov I added a mock server in 38e783e

[ankur22]

LGMT 🚀