refactor: drop gocloud-kit logic, local implementation

Author: burningalchemist

config/secret_aws.go

@@ -0,0 +1,45 @@
+package config
+
+import (
+	"context"
+	"fmt"
+	"net/url"
+
+	"github.com/aws/aws-sdk-go-v2/aws"
+	awsconfig "github.com/aws/aws-sdk-go-v2/config"
+	"github.com/aws/aws-sdk-go-v2/service/secretsmanager"
+)
+
+type awsSecretsManagerProvider struct{}
+
+// getDSN fetches the secret value from AWS Secrets Manager.
+// URL format: awssecretsmanager://secret-name?region=us-east-1
+func (p awsSecretsManagerProvider) getDSN(ctx context.Context, ref *url.URL) (string, error) {
+	opts := []func(*awsconfig.LoadOptions) error{}
+
+	if region := ref.Query().Get("region"); region != "" {
+		opts = append(opts, awsconfig.WithRegion(region))
+	}
+
+	cfg, err := awsconfig.LoadDefaultConfig(ctx, opts...)
+	if err != nil {
+		return "", fmt.Errorf("unable to load AWS config: %w", err)
+	}
+
+	svc := secretsmanager.NewFromConfig(cfg)
+
+	secretName := ref.Host
+	if ref.Path != "" {
+		secretName += ref.Path
+	}
+
+	result, err := svc.GetSecretValue(ctx, &secretsmanager.GetSecretValueInput{
+		SecretId:     aws.String(secretName),
+		VersionStage: aws.String("AWSCURRENT"),
+	})
+	if err != nil {
+		return "", fmt.Errorf("unable to get secret value: %w", err)
+	}
+
+	return *result.SecretString, nil
+}

config/secret_gcp.go

@@ -0,0 +1,34 @@
+package config
+
+import (
+	"context"
+	"fmt"
+	"net/url"
+
+	secretmanager "cloud.google.com/go/secretmanager/apiv1"
+	"cloud.google.com/go/secretmanager/apiv1/secretmanagerpb"
+)
+
+type gcpSecretManagerProvider struct{}
+
+// getDSN fetches the secret value from GCP Secret Manager.
+// URL format: gcpsecretmanager://projects/my-project/secrets/my-secret
+func (p gcpSecretManagerProvider) getDSN(ctx context.Context, ref *url.URL) (string, error) {
+	client, err := secretmanager.NewClient(ctx)
+	if err != nil {
+		return "", fmt.Errorf("unable to create GCP Secret Manager client: %w", err)
+	}
+	defer client.Close()
+
+	// Reconstruct the full resource name from host+path and append /versions/latest.
+	secretName := ref.Host + ref.Path + "/versions/latest"
+
+	result, err := client.AccessSecretVersion(ctx, &secretmanagerpb.AccessSecretVersionRequest{
+		Name: secretName,
+	})
+	if err != nil {
+		return "", fmt.Errorf("unable to access secret version: %w", err)
+	}
+
+	return string(result.Payload.Data), nil
+}

config/secret_resolver.go

@@ -6,52 +6,54 @@ import (
 	"fmt"
 	"log/slog"
 	"net/url"
-
-	"gocloud.dev/runtimevar"
-
-	// Register awssecretsmanager and gcpsecretmanager URL openers.
-	_ "gocloud.dev/runtimevar/awssecretsmanager"
-	_ "gocloud.dev/runtimevar/gcpsecretmanager"
 )
 
-// secretPayload is the expected JSON structure of the secret value in the store.
-type secretPayload struct {
-	DSN string `json:"data_source_name"`
+// secretProvider is the interface that all secret store backends must implement.
+type secretProvider interface {
+	getDSN(ctx context.Context, ref *url.URL) (string, error)
+}
+
+// secretProviders is the registry of supported secret store URL schemes.
+var secretProviders = map[string]secretProvider{
+	"awssecretsmanager": awsSecretsManagerProvider{},
+	"gcpsecretmanager":  gcpSecretManagerProvider{},
+	"hashivault":        vaultProvider{},
 }
 
-// resolveSecretDSN checks if the given value is a secret store URL
-// (awssecretsmanager:// or gcpsecretmanager://) and if so fetches and
-// returns the DSN from the secret. Otherwise it returns the value unchanged.
+// resolveSecretDSN checks if the given value is a secret store URL and if so fetches and returns the DSN. Otherwise it
+// returns the value unchanged.
 func resolveSecretDSN(ctx context.Context, value string) (string, error) {
 	u, err := url.Parse(value)
-	if err != nil || (u.Scheme != "awssecretsmanager" && u.Scheme != "gcpsecretmanager") {
+	if err != nil {
 		return value, nil
 	}
 
-	slog.Debug("resolving DSN from secret store", "url", value)
-
-	v, err := runtimevar.OpenVariable(ctx, value)
-	if err != nil {
-		return "", fmt.Errorf("failed to open secret variable %q: %w", value, err)
+	provider, ok := secretProviders[u.Scheme]
+	if !ok {
+		return value, nil
 	}
-	defer v.Close()
 
-	snapshot, err := v.Latest(ctx)
+	slog.Debug("resolving DSN from secret store", "scheme", u.Scheme, "ref", u.Host+u.Path)
+
+	raw, err := provider.getDSN(ctx, u)
 	if err != nil {
-		return "", fmt.Errorf("failed to fetch secret %q: %w", value, err)
+		return "", fmt.Errorf("failed to resolve secret %q: %w", value, err)
 	}
 
-	// The secret value may be either a plain DSN string or a JSON object
-	// with a "data_source_name" key (backward compatible with old AWS SM format).
-	switch val := snapshot.Value.(type) {
-	case string:
-		// Try JSON first, fall back to treating it as a plain DSN string.
-		var payload secretPayload
-		if jsonErr := json.Unmarshal([]byte(val), &payload); jsonErr == nil && payload.DSN != "" {
-			return payload.DSN, nil
+	// If the raw value is a JSON object, extract the key specified by the "key" query param, falling back to
+	// "data_source_name" for backward compatibility. If it's not JSON, return the raw value as-is.
+	var payload map[string]string
+	if jsonErr := json.Unmarshal([]byte(raw), &payload); jsonErr == nil {
+		key := u.Query().Get("key")
+		if key == "" {
+			key = "data_source_name"
+		}
+		val, ok := payload[key]
+		if !ok {
+			return "", fmt.Errorf("key %q not found in secret %q", key, value)
 		}
 		return val, nil
-	default:
-		return "", fmt.Errorf("unexpected secret value type %T for %q", snapshot.Value, value)
 	}
+
+	return raw, nil
 }

config/secret_vault.go

@@ -0,0 +1,63 @@
+package config
+
+import (
+	"context"
+	"fmt"
+	"net/url"
+
+	vault "github.com/hashicorp/vault/api"
+)
+
+type vaultProvider struct{}
+
+// getDSN fetches the secret value from HashiCorp Vault KV engine.
+// URL format: hashivault://mount/path?key=data_source_name&engine_version=2
+func (p vaultProvider) getDSN(ctx context.Context, ref *url.URL) (string, error) {
+	cfg := vault.DefaultConfig()
+	if err := cfg.ReadEnvironment(); err != nil {
+		return "", fmt.Errorf("unable to read Vault environment: %w", err)
+	}
+
+	client, err := vault.NewClient(cfg)
+	if err != nil {
+		return "", fmt.Errorf("unable to create Vault client: %w", err)
+	}
+
+	q := ref.Query()
+
+	engineVersion := "2"
+	if v := q.Get("engine_version"); v != "" {
+		engineVersion = v
+	}
+
+	secretPath := ref.Host + ref.Path
+
+	var secret *vault.KVSecret
+	switch engineVersion {
+	case "1":
+		secret, err = client.KVv1(ref.Host).Get(ctx, ref.Path)
+	default:
+		secret, err = client.KVv2(ref.Host).Get(ctx, ref.Path)
+	}
+	if err != nil {
+		return "", fmt.Errorf("unable to read Vault secret at %q: %w", secretPath, err)
+	}
+
+	// key query param specifies which field to extract, defaults to "data_source_name".
+	key := q.Get("key")
+	if key == "" {
+		key = "data_source_name"
+	}
+
+	val, ok := secret.Data[key]
+	if !ok {
+		return "", fmt.Errorf("key %q not found in Vault secret at %q", key, secretPath)
+	}
+
+	str, ok := val.(string)
+	if !ok {
+		return "", fmt.Errorf("key %q in Vault secret at %q is not a string", key, secretPath)
+	}
+
+	return str, nil
+}

go.mod

@@ -3,11 +3,13 @@ module github.com/burningalchemist/sql_exporter
 go 1.24.0
 
 require (
+	cloud.google.com/go/secretmanager v1.16.0
 	github.com/ClickHouse/clickhouse-go/v2 v2.43.0
 	github.com/aws/aws-sdk-go-v2 v1.41.2
 	github.com/aws/aws-sdk-go-v2/config v1.32.10
 	github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.41.2
 	github.com/go-sql-driver/mysql v1.9.3
+	github.com/hashicorp/vault/api v1.22.0
 	github.com/jackc/pgx/v5 v5.8.0
 	github.com/kardianos/minwinsvc v1.0.2
 	github.com/lib/pq v1.11.2
@@ -26,11 +28,11 @@ require (
 )
 
 require (
+	cloud.google.com/go v0.123.0 // indirect
 	cloud.google.com/go/auth v0.17.0 // indirect
 	cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
 	cloud.google.com/go/compute/metadata v0.9.0 // indirect
 	cloud.google.com/go/iam v1.5.3 // indirect
-	cloud.google.com/go/secretmanager v1.16.0 // indirect
 	filippo.io/edwards25519 v1.1.1 // indirect
 	github.com/99designs/go-keychain v0.0.0-20191008050251-8e49817e8af4 // indirect
 	github.com/99designs/keyring v1.2.2 // indirect
@@ -63,16 +65,20 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/sts v1.41.7 // indirect
 	github.com/aws/smithy-go v1.24.1 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/cncf/xds/go v0.0.0-20251110193048-8bfbf64dc13e // indirect
 	github.com/coreos/go-systemd/v22 v22.6.0 // indirect
 	github.com/danieljoos/wincred v1.2.2 // indirect
 	github.com/dvsekhvalnov/jose2go v1.7.0 // indirect
 	github.com/elastic/go-sysinfo v1.8.1 // indirect
 	github.com/elastic/go-windows v1.0.0 // indirect
+	github.com/envoyproxy/go-control-plane/envoy v1.36.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/gabriel-vasile/mimetype v1.4.7 // indirect
 	github.com/go-faster/city v1.0.1 // indirect
 	github.com/go-faster/errors v0.7.1 // indirect
+	github.com/go-jose/go-jose/v4 v4.1.3 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/goccy/go-json v0.10.5 // indirect
@@ -84,10 +90,18 @@ require (
 	github.com/google/flatbuffers v25.2.10+incompatible // indirect
 	github.com/google/s2a-go v0.1.9 // indirect
 	github.com/google/uuid v1.6.0 // indirect
-	github.com/google/wire v0.7.0 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.3.7 // indirect
 	github.com/googleapis/gax-go/v2 v2.15.0 // indirect
 	github.com/gsterjov/go-libsecret v0.0.0-20161001094733-a6f4afe4910c // indirect
+	github.com/hashicorp/errwrap v1.1.0 // indirect
+	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
+	github.com/hashicorp/go-multierror v1.1.1 // indirect
+	github.com/hashicorp/go-retryablehttp v0.7.8 // indirect
+	github.com/hashicorp/go-rootcerts v1.0.2 // indirect
+	github.com/hashicorp/go-secure-stdlib/parseutil v0.2.0 // indirect
+	github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect
+	github.com/hashicorp/go-sockaddr v1.0.7 // indirect
+	github.com/hashicorp/hcl v1.0.1-vault-7 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
 	github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
 	github.com/jackc/puddle/v2 v2.2.2 // indirect
@@ -101,6 +115,8 @@ require (
 	github.com/mdlayher/vsock v1.2.1 // indirect
 	github.com/minio/asm2plan9s v0.0.0-20200509001527-cdd76441f9d8 // indirect
 	github.com/minio/c2goasm v0.0.0-20190812172519-36a3d3bbc4f3 // indirect
+	github.com/mitchellh/go-homedir v1.1.0 // indirect
+	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/mtibben/percent v0.2.1 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f // indirect
@@ -109,6 +125,7 @@ require (
 	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/prometheus/procfs v0.16.1 // indirect
+	github.com/ryanuber/go-glob v1.0.0 // indirect
 	github.com/segmentio/asm v1.2.1 // indirect
 	github.com/shopspring/decimal v1.4.0 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
@@ -123,7 +140,6 @@ require (
 	go.opentelemetry.io/otel/trace v1.40.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.3 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
-	gocloud.dev v0.45.0 // indirect
 	golang.org/x/crypto v0.46.0 // indirect
 	golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0 // indirect
 	golang.org/x/mod v0.30.0 // indirect