Huh? I don't see how that could be an issue.

That we're not considering secrets is an issue.

Huh? I don't see how that could be an issue.

relabel.Regexp are always marshaled to {}.

That we're not considering secrets is an issue.

True. I've added a unit test to catch this.

relabel.Regexp are always marshaled to {}.

I don't see what that has to do with field tags.

@simonpasquier

the master branch has updated which use hash instead of index. #6043

As @johncming pointed out, I need to rebase the change but from a quick look, the issues should still exist.

As @johncming pointed out, I need to rebase the change but from a quick look, the issues should still exist.

My bad, I pointed out that the test failure messages should be updated but that PR had only been merged a few hours earlier. It had been open long enough that I just had it in my head that the index to hash change was already merged.

I've run into this bug in two ways, both with regards to write_relabel_configs:

1. When the only difference between two remote_write configs is a regex, they produce the same hash, and Prometheus refuses to start. This is new in 2.15.
2. When a remote_write is updated and the only change is in its regex, the new rules never take effect. This was an issue before 2.15.

I'd really like to see this PR merged. We can create hacky workarounds, but would prefer not to.

@simonpasquier Do you think you will have an opportunity to rebase this soon?

I've rebased my change but it only includes the test that demonstrates the issue. I don't have an immediate solution though.

I thought just changing the hashes to use YAML instead of JSON fixed it? Did those changes disappear?

It does fix the issue in a way but it breaks in another. More precisely secret fields (bearer tokens for instance) are marshaled as <secret> in YAML so this test won't pass if we switch from JSON to YAML.

Would it make sense to update the yaml marshaller to include a hash of the secret? That should fix the toHash function for regexes and secrets without exposing the secret. Not sure if it will break anything.

@roidelapluie To be clear, what would be the concern with a user-visible hash? I suppose it would allow a user to identify secret re-use. Are there any other concerns?

Hash should not be used to hide secrets. They are not meant for security.

It depends on the hash, but even with a proper cryptographic hash you could e.g. notice that two secrets were the same.

So, it seems like there are 2 requirements here:

1. Configuration marshaling exposes nothing about a secret's value
2. Configuration hashing reflects changes to any field (including regexes and secrets)

In order for these to not conflict, I think we must either 1) salt and hash the secrets when marshaling, or 2) not implement hashing using YAML marshaling.

I already implemented the second option with my original solution in #6546, which uses the JSON marshaler and provides an implementation for Regexp. However, this really feels like an abuse of the fact that there are multiple marshalers available, especially given that the JSON marshalers are never intentionally implemented in this project.

Would it be reasonable to keep the yaml marshaling for the hash, thus having redacted secrets, and specifically update a queue whenever one of the secrets changes? Or else have a way to update the http client on a remote.Client so we wouldn't even have to restart the whole queue if the auth changes?

What prevents us to use reflects.Deepequal?

Closing as I took this over in #7073