Add support for Azure Key Vault and updated deps (#204)

* udpate readme with auth details
* update log message re auth
* update tpl:
* get username and password from az key vault
* update godror
* update toml
* update prometheus
* update oci sdk
* update docs to prepare for release

Signed-off-by: Mark Nelson <[email protected]>

Author: markxnelson

Makefile

@@ -3,7 +3,7 @@ OS_TYPE        ?= $(shell uname -s | tr '[:upper:]' '[:lower:]')
 ARCH_TYPE      ?= $(subst x86_64,amd64,$(patsubst i%86,386,$(ARCH)))
 GOOS           ?= $(shell go env GOOS)
 GOARCH         ?= $(shell go env GOARCH)
-VERSION        ?= 1.5.5
+VERSION        ?= 1.6.0
 LDFLAGS        := -X main.Version=$(VERSION)
 GOFLAGS        := -ldflags "$(LDFLAGS) -s -w"
 BUILD_ARGS      = --build-arg VERSION=$(VERSION)

README.md

@@ -19,6 +19,7 @@ Contributions are welcome - please see [contributing](CONTRIBUTING.md).
   - [Kubernetes](#kubernetes)
   - [Standalone binary](#standalone-binary)
   - [Using OCI Vault](#using-oci-vault)
+  - [Using Azure Vault](#using-azure-vault)
 - [Custom metrics](#custom-metrics)
 - [Controlling memory usage](#controlling-memory-usage)
 - [Grafana dashboards](#grafana-dashboards)
@@ -29,7 +30,8 @@ Contributions are welcome - please see [contributing](CONTRIBUTING.md).
 
 | Release | Date                 | Changelog                                                       |
 |---------|----------------------|-----------------------------------------------------------------|
-| 1.5.5   | March 13th, 2025     | [1.5.5 Changelog](./changelog.md#version-155-march-13-2025)      |
+| 1.6.0   | April 18, 2025       | [1.6.0 Changelog](./changelog.md#version-160-april-18-2025)     |
+| 1.5.5   | March 13th, 2025     | [1.5.5 Changelog](./changelog.md#version-155-march-13-2025)     |
 | 1.5.4   | March 3rd, 2025      | [1.5.4 Changelog](./changelog.md#version-154-march-3-2025)      |
 | 1.5.3   | January 28th, 2025   | [1.5.3 Changelog](./changelog.md#version-153-january-28-2025)   |
 | 1.5.2   | December 2nd, 2024   | [1.5.2 Changelog](./changelog.md#version-152-december-2-2024)   |
@@ -374,7 +376,7 @@ docker run -it --rm \
     -e DB_PASSWORD=Welcome12345 \
     -e DB_CONNECT_STRING=free23ai:1521/freepdb \
     -p 9161:9161 \
-    container-registry.oracle.com/database/observability-exporter:1.5.5
+    container-registry.oracle.com/database/observability-exporter:1.6.0
 ```
 
 ##### Using a wallet
@@ -420,7 +422,7 @@ docker run -it --rm \
     -e DB_CONNECT_STRING=devdb_tp \
     -v ./wallet:/wallet \
     -p 9161:9161 \
-    container-registry.oracle.com/database/observability-exporter:1.5.5
+    container-registry.oracle.com/database/observability-exporter:1.6.0
 ```
 > **Note:** If you are using `podman` you must specify the `:z` suffix on the volume mount so that the container will be able to access the files in the volume.  For example: `-v ./wallet:/wallet:z`
 
@@ -607,6 +609,27 @@ The exporter will read the password from a secret stored in OCI Vault if you set
 
 > Note that the process must be running under a user that has the OCI CLI installed and configured correctly to access the desired tenancy and region. The OCI Profile used is `DEFAULT`.
 
+### Using Azure Vault
+
+The exporter will read the database username and password from secrets stored in Azure Key Vault if you set these environment variables:
+
+- `AZ_VAULT_ID` should be set to the ID of the Azure Key Vault that you wish to use
+- `AZ_VAULT_USERNAME_SECRET` should be set to the name of the secret in the Azure Key Vault which contains the database username
+- `AZ_VAULT_PASSWORD_SECRET` should be set to the name of the secret in the Azure Key Vault which contains the database password
+
+#### Authentication
+
+If you are running the exporter outside Azure, we recommend using [application service principal](https://learn.microsoft.com/en-us/azure/developer/go/sdk/authentication/authentication-on-premises-apps).  
+
+If you are running the exporter inside Azure, we recommend using a [managed identity](https://learn.microsoft.com/en-us/azure/developer/go/sdk/authentication/authentication-azure-hosted-apps).
+
+You should set the following additional environment variables to allow the exporter to authenticate to Azure:
+
+- `AZURE_TENANT_ID` should be set to your tenant ID
+- `AZURE_CLIENT_ID` should be set to the client ID to authenticate to Azure
+- `AZURE_CLIENT_SECRET` should be set to the client secret to authenticate to Azure
+
+
 ## Custom metrics
 
 The exporter allows definition of arbitrary custom metrics in one or more TOML files. To specify this file to the
@@ -715,7 +738,7 @@ An exmaple of [custom metrics for Transacational Event Queues](./custom-metrics-
 If you run the exporter as a container image and want to include your custom metrics in the image itself, you can use the following example `Dockerfile` to create a new image:
 
 ```Dockerfile
-FROM container-registry.oracle.com/database/observability-exporter:1.5.5
+FROM container-registry.oracle.com/database/observability-exporter:1.6.0
 COPY custom-metrics.toml /
 ENTRYPOINT ["/oracledb_exporter", "--custom.metrics", "/custom-metrics.toml"]
 ```

THIRD_PARTY_LICENSES.txt

@@ -12,13 +12,86 @@ Copyright (c) 2016, 2025, Oracle and/or its affiliates.
 
 ----------------------------------- Licenses -----------------------------------
 -  Apache-2.0
+-  BSD-2-Clause
 -  BSD-3-Clause
 -  BSD-3-Clause--modified-by-Google
 -  MIT
 -  UPL-1.0
 
 --------------------------------- (separator) ----------------------------------
 
+== Dependency
+github.com/Azure/azure-sdk-for-go/sdk/azcore
+
+== License Type
+SPDX:MIT
+
+== Copyright
+Copyright (c) Microsoft Corporation.
+Copyright (c) Microsoft Corporation. All rights reserved.
+Copyright 2017 Microsoft Corporation. All rights reserved.
+
+--------------------------------- (separator) ----------------------------------
+
+== Dependency
+github.com/Azure/azure-sdk-for-go/sdk/azidentity
+
+== License Type
+SPDX:MIT
+
+== Copyright
+Copyright (c) Microsoft Corporation.
+Copyright (c) Microsoft Corporation. All rights reserved.
+
+--------------------------------- (separator) ----------------------------------
+
+== Dependency
+github.com/Azure/azure-sdk-for-go/sdk/internal
+
+== License Type
+SPDX:MIT
+
+== Copyright
+Copyright (c) Microsoft Corporation.
+Copyright (c) Microsoft Corporation. All rights reserved.
+Copyright 2017 Microsoft Corporation. All rights reserved.
+
+--------------------------------- (separator) ----------------------------------
+
+== Dependency
+github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets
+
+== License Type
+SPDX:MIT
+
+== Copyright
+Copyright (c) Microsoft Corporation. All rights reserved.
+
+--------------------------------- (separator) ----------------------------------
+
+== Dependency
+github.com/Azure/azure-sdk-for-go/sdk/keyvault/internal
+
+== License Type
+SPDX:MIT
+
+== Copyright
+Copyright (c) Microsoft Corporation. All rights reserved.
+
+--------------------------------- (separator) ----------------------------------
+
+== Dependency
+github.com/AzureAD/microsoft-authentication-library-for-go
+
+== License Type
+SPDX:MIT
+
+== Copyright
+Copyright (c) Microsoft Corporation.
+Copyright (c) Microsoft Corporation.  All rights reserved. Licensed under the MIT License (the "License").
+
+--------------------------------- (separator) ----------------------------------
+
 == Dependency
 github.com/BurntSushi/toml
 
@@ -505,6 +578,29 @@ Copyright 2019 Tim Heckman. All rights reserved. Use of this source code is
 
 --------------------------------- (separator) ----------------------------------
 
+== Dependency
+github.com/golang-jwt/jwt/v5
+
+== License Type
+SPDX:MIT
+
+== Copyright
+Copyright (c) 2012 Dave Grijalva
+Copyright (c) 2021 golang-jwt maintainers
+
+--------------------------------- (separator) ----------------------------------
+
+== Dependency
+github.com/google/uuid
+
+== License Type
+SPDX:BSD-3-Clause--modified-by-Google
+
+== Copyright
+Copyright 2023 Google Inc.  All rights reserved.
+
+--------------------------------- (separator) ----------------------------------
+
 == Dependency
 github.com/jpillora/backoff
 
@@ -643,6 +739,18 @@ Copyright 2016 The filepathx Authors
 Copyright 2016-2017 The New York Times Company
 Copyright 2021 The Go Authors. All rights reserved.
 Copyright 2023 Google LLC
+Copyright 2023+ Klaus Post. All rights reserved.
+
+--------------------------------- (separator) ----------------------------------
+
+== Dependency
+github.com/kylelemons/godebug
+
+== License Type
+SPDX:Apache-2.0
+
+== Copyright
+Copyright 2013 Google Inc.  All rights reserved.
 
 --------------------------------- (separator) ----------------------------------
 
@@ -784,7 +892,18 @@ SPDX:Apache-2.0
 Copyright (c) 2016, 2023, Oracle and/or its affiliates.  All rights reserved.
 
 == Notices
-Copyright (c) 2016, 2020, Oracle and/or its affiliates.
+Copyright (c) 2016, 2018, 2020, Oracle and/or its affiliates.
+
+--------------------------------- (separator) ----------------------------------
+
+== Dependency
+github.com/pkg/browser
+
+== License Type
+SPDX:BSD-2-Clause
+
+== Copyright
+Copyright (c) 2014, Dave Cheney <[email protected]>
 
 --------------------------------- (separator) ----------------------------------
 
@@ -851,7 +970,7 @@ SPDX:Apache-2.0
 
 == Copyright
 Copyright 2020 The Prometheus-operator Authors
-Copyright 2024 The Prometheus Authors
+Copyright 2025 The Prometheus Authors
 
 == Notices
 Common libraries shared by Prometheus Go components.
@@ -920,6 +1039,17 @@ Copyright 2010 The Go Authors. All rights reserved.
 
 --------------------------------- (separator) ----------------------------------
 
+== Dependency
+github.com/youmark/pkcs8
+
+== License Type
+SPDX:MIT
+
+== Copyright
+Copyright (c) 2014 youmark
+
+--------------------------------- (separator) ----------------------------------
+
 == Dependency
 golang.org/x/crypto
 
@@ -1023,7 +1153,7 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
 == Copyright
 Copyright 2009 The Go Authors.
-Copyright 2024 The Go Authors. All rights reserved.
+Copyright 2025 The Go Authors. All rights reserved.
 
 == Patents
 Additional IP Rights Grant (Patents)
@@ -1197,7 +1327,7 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
 == Copyright
 Copyright 2009 The Go Authors.
-Copyright 2024 The Go Authors. All rights reserved.
+Copyright 2025 The Go Authors. All rights reserved.
 
 == Patents
 Additional IP Rights Grant (Patents)
@@ -1300,7 +1430,7 @@ SPDX:BSD-3-Clause--modified-by-Google
 
 == Copyright
 Copyright 2024 Google Inc.  All rights reserved.
-Copyright 2024 The Go Authors. All rights reserved.
+Copyright 2025 The Go Authors. All rights reserved.
 
 == Patents
 Additional IP Rights Grant (Patents)
@@ -1357,8 +1487,30 @@ limitations under the License.
 
 ----------------------------------- Licenses -----------------------------------
 
---------------------------------- (separator) ----------------------------------
 == SPDX:Apache-2.0
+== SPDX:BSD-2-Clause
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this
+   list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice,
+   this list of conditions and the following disclaimer in the documentation
+   and/or other materials provided with the distribution
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
 
 
 --------------------------------- (separator) ----------------------------------
@@ -1414,5 +1566,5 @@ SOFTWARE.
 
 
 === ATTRIBUTION-HELPER-GENERATED:
-=== Attribution helper version: {Major:0 Minor:11 GitVersion:0.10.0-114-g3747dab9 GitCommit:3747dab92eb29c0dbe6409ffbb824b9ae3a04b87 GitTreeState:clean BuildDate:2024-05-31T13:48:06Z GoVersion:go1.21.4 Compiler:gc Platform:linux/amd64}
-=== License file based on go.mod with md5 sum:  771c94b3ddce81ff2e234b02d85209e4
+=== Attribution helper version: {Major:0 Minor:11 GitVersion:0.10.0-116-g2a434e4d GitCommit:2a434e4d7eea22d4dfd2d1cf04909239d05562b1 GitTreeState:clean BuildDate:2025-04-17T14:57:55Z GoVersion:go1.23.7 Compiler:gc Platform:linux/amd64}
+=== License file based on go.mod with md5 sum:  e3aaf1f636118d333ec243eb9788fa19

azvault/azvault.go

@@ -0,0 +1,50 @@
+// Copyright (c) 2023, 2025, Oracle and/or its affiliates.
+// Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
+
+package azvault
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"strings"
+
+	"github.com/prometheus/common/promslog"
+
+	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
+	"github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets"
+)
+
+func GetVaultSecret(vaultId string, secretName string) string {
+	promLogConfig := &promslog.Config{}
+	logger := promslog.New(promLogConfig)
+
+	vaultURI := fmt.Sprintf("https://%s.vault.azure.net/", vaultId)
+
+	// create a credential
+	cred, err := azidentity.NewDefaultAzureCredential(nil)
+	if err != nil {
+		logger.Error("Failed to obtain an Azure Credential", "err", err)
+		os.Exit(1)
+	}
+
+	// establish a connection to the key vault client
+	client, err := azsecrets.NewClient(vaultURI, cred, nil)
+	if err != nil {
+		logger.Error("Failed to create Azure Secrets Client", "err", err)
+		os.Exit(1)
+	}
+
+	// get the secret - empty string version means "latest"
+	version := ""
+	secret := ""
+	resp, err := client.GetSecret(context.TODO(), secretName, version, nil)
+	if err != nil {
+		logger.Error("Failed to get secret from vault", "err", err)
+		os.Exit(1)
+	} else {
+		secret = *resp.Value
+	}
+
+	return strings.TrimRight(secret, "\r\n") // make sure a \r and/or \n didn't make it into the secret
+}